Experts Uncover Malicious Code Exploiting Vulnerability in ManageEngine ADSelfService

On November 8, 2021, it was revealed that at least nine organizations in the technology, defense, healthcare, energy, and education sectors were compromised due to a recently patched critical vulnerability in Zoho’s ManageEngine ADSelfService Plus self-service password management and single sign-on (SSO) solution. This surveillance campaign, which began on September 22, 2021, saw attackers exploiting the flaw to gain initial access, subsequently moving laterally within the networks to conduct post-exploitation activities. They deployed malicious tools designed to harvest credentials and exfiltrate sensitive data through a backdoor. “The attackers relied heavily on the Godzilla web shell, uploading various versions of this open-source tool to the compromised servers throughout the operation,” reported researchers from Palo Alto Networks’ Unit 42 threat intelligence team. “Several other tools exhibited unique characteristics or functionalities…”

Experts Uncover Malicious Code Exploiting Vulnerability in ManageEngine ADSelfService

On November 8, 2021, it was disclosed that a cyber espionage campaign had exploited a recently patched critical vulnerability in Zoho’s ManageEngine ADSelfService Plus platform, which is widely used for self-service password management and single sign-on (SSO) solutions. The breach has impacted at least nine organizations across diverse sectors, including technology, defense, healthcare, energy, and education.

The malicious activity began on September 22, 2021, when threat actors leveraged the vulnerability to gain initial access to their targets. Once inside, they executed lateral movements within the networks, enabling them to carry out a series of post-exploitation tasks. These actions involved deploying various malicious tools specifically designed to extract credentials and exfiltrate sensitive data via established backdoors.

Researchers from Palo Alto Networks’ Unit 42 threat intelligence team detailed in their report that the attackers relied heavily on a web shell named Godzilla. They consistently uploaded multiple variants of this open-source web shell onto the compromised servers throughout the duration of the campaign. The use of such tools, characterized by their sophistication, indicates a calculated effort to maintain persistence within the affected environments.

In analyzing the tactics employed, several aspects of the MITRE ATT&CK framework emerge as relevant. The initial access was facilitated through the exploitation of a software vulnerability, indicative of techniques such as “Exploit Public-Facing Application.” Given the actors’ ability to manipulate the network post-exploitation, tactics related to “Lateral Movement” and “Credential Dumping” were likely utilized to escalate privileges and maintain a foothold within the targeted organizations.

The reported incidents span multiple industries, underscoring a concerning trend in cyber threats spanning various critical infrastructure sectors. This activity not only calls attention to the vulnerability of widely used software solutions but also highlights the ongoing risks that organizations face from sophisticated threat actors. Business owners are urged to closely monitor their systems for potential exploits and to ensure that all software is updated promptly to mitigate the risk of similar intrusions.

As the cybersecurity landscape continues to evolve, the emphasis on proactive measures cannot be overstated. Organizations must remain vigilant, applying best practices in threat detection and response, to safeguard against the ever-present threat of malicious code and cyber espionage.

Source link

Related Posts

Unresolved Unauthorized File Read Vulnerability Impacts Microsoft Windows OS

On November 30, 2021, it was reported that unofficial patches have been released to address a poorly patched Windows security flaw which poses risks for information disclosure and local privilege escalation (LPE) on affected systems. Identified as CVE-2021-24084 (CVSS score: 5.5), this vulnerability is linked to the Windows Mobile Device Management component, potentially allowing attackers to gain unauthorized access to the file system and read arbitrary files. Security researcher Abdelhamid Naceri discovered and reported the issue in October 2020, leading Microsoft to include it in their February 2021 Patch Tuesday updates. However, as noted by Naceri in June 2021, the patch can be bypassed, and it has also been found that the inadequately addressed vulnerability enables attackers to gain administrator privileges and execute malicious code on Windows 10 systems.

Serious Security Vulnerability Discovered in Multiple HP Printer Models

On November 30, 2021, cybersecurity experts revealed significant security weaknesses affecting 150 different multifunction printers from HP Inc. These flaws, which have been present for eight years, can be exploited by attackers to gain control of vulnerable devices, steal sensitive information, and infiltrate enterprise networks to execute further attacks.

The two vulnerabilities, termed Printing Shellz, were uncovered by F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev and reported to HP on April 29, 2021. As a result, HP released patches earlier this month addressing the issues:

  • CVE-2021-39237 (CVSS Score: 7.1): An information disclosure vulnerability affecting specific HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.

  • CVE-2021-39238 (CVSS Score: 9.3): A buffer overflow vulnerability impacting certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products.

Further details on the vulnerabilities are currently under review.

CISA Issues Warning on Exploited Critical Vulnerability in Zoho ManageEngine ServiceDesk

On December 3, 2021, the FBI and CISA alerted the public about active exploitation of a newly patched vulnerability in Zoho’s ManageEngine ServiceDesk Plus. Identified as CVE-2021-44077 (CVSS score: 9.8), this flaw enables unauthenticated remote code execution in versions up to 11305. If unaddressed, it allows attackers to upload executable files and establish web shells for further malicious activities, such as compromising admin credentials, lateral movement, and exfiltrating sensitive information like registry hives and Active Directory files. Zoho also highlighted that a security misconfiguration in ServiceDesk Plus was the root cause of this issue.

Alert: New Zoho ManageEngine Vulnerability Actively Under Attack

December 4, 2021

Zoho has issued a warning regarding a newly patched critical vulnerability in its Desktop Central and Desktop Central MSP products, which is currently being exploited by cybercriminals. This marks the third security flaw in Zoho’s offerings found to be targeted in just four months. The vulnerability, identified as CVE-2021-44515, is an authentication bypass that enables attackers to bypass security measures and execute arbitrary code on the Desktop Central MSP server.

“If exploited, attackers can gain unauthorized access by sending a specially crafted request, resulting in remote code execution,” Zoho cautioned in its advisory. “Given the signs of active exploitation, we strongly recommend that customers update to the latest build immediately.” The company has also provided an Exploit Detection Tool to assist customers in identifying any potential vulnerabilities.