CISA Issues Warning on Exploited Critical Vulnerability in Zoho ManageEngine ServiceDesk

On December 3, 2021, the FBI and CISA alerted the public about active exploitation of a newly patched vulnerability in Zoho’s ManageEngine ServiceDesk Plus. Identified as CVE-2021-44077 (CVSS score: 9.8), this flaw enables unauthenticated remote code execution in versions up to 11305. If unaddressed, it allows attackers to upload executable files and establish web shells for further malicious activities, such as compromising admin credentials, lateral movement, and exfiltrating sensitive information like registry hives and Active Directory files. Zoho also highlighted that a security misconfiguration in ServiceDesk Plus was the root cause of this issue.

On December 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory on an actively exploited vulnerability in Zoho's ManageEngine ServiceDesk Plus. The flaw, tracked as CVE-2021-44077, carries a CVSS score of 9.8 (critical) and affects ServiceDesk Plus builds up to and including 11305. Left unpatched, it lets an adversary upload executable files to the server and establish web shells, which then serve as the foothold for further malicious activity.

At its core this is an unauthenticated remote code execution vulnerability: no credentials are needed to reach the affected functionality, and threat actors have already used it in real intrusions. According to CISA, the consequences are severe: once on the host, an attacker can compromise administrator credentials, move laterally through the network, and exfiltrate sensitive data including registry hives and Active Directory files.

In an advisory published on November 22, 2021, Zoho attributed the vulnerability to a security misconfiguration in ServiceDesk Plus. That misconfiguration is what lets an unauthenticated adversary execute arbitrary code on the server, putting every exposed, unpatched instance at risk.

The targets are primarily organizations that run ManageEngine ServiceDesk Plus for IT service management, with much of the observed activity directed at entities in the United States. Incidents like this underline why organizations need to track the security posture of the third-party software they deploy, not only the code they write themselves.

The likely chain of events, consistent with CISA's description, is initial access through exploitation of the vulnerability on an internet-exposed ServiceDesk Plus instance, followed by a dropped web shell to maintain persistence. From there, privilege escalation and credential theft would give the attacker the access needed to move through the rest of the compromised network.

Given the severity of this vulnerability and the confirmed exploitation, organizations running affected versions of ServiceDesk Plus should upgrade immediately to build 11306 or later, which contains Zoho's fix. Patching alone does not remove an attacker who is already present, however: because the exploit leaves behind uploaded executables and web shells and exposes administrator credentials, any instance that was reachable while vulnerable should also be checked for dropped files and unexpected web endpoints, and credentials used on or from that host should be rotated if compromise is suspected.
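The two triage checks that follow from the advisory's description of the attack (dropped executables and web shells) can be scripted. The example below is added here and is not code from Zoho, CISA or the FBI; the install directory, the `/images/help.jsp` path, the log lines and the "rare JSP path" heuristic are all constructed assumptions for illustration, not indicators published by the advisory. It lists executable and JSP files under a directory that were modified on or after the Zoho advisory date, and it parses a Tomcat-style access log to flag JSP paths that were served successfully to only one client address, on the reasoning that a legitimate page is hit by many users while a dropped shell is usually driven by its operator alone.

```python
"""
Post-patch triage helpers for a ServiceDesk Plus host.

Added example for this article, not code from Zoho, CISA or the FBI.
  1. find_recent_executables: list executable/JSP files under a directory
     modified on or after the Zoho advisory date (2021-11-22).
  2. rare_jsp_paths: from a Tomcat-style access log, flag JSP paths that
     returned HTTP 200 to very few distinct client IPs.
The paths and log lines below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from pathlib import Path

# File types an attacker would drop on a Tomcat host to get code execution.
SUSPECT_EXTS = {".jsp", ".jspx", ".war", ".exe", ".dll", ".bat", ".ps1"}

# Zoho published its advisory on 2021-11-22; anything newer deserves a look.
ADVISORY_DATE = datetime(2021, 11, 22, tzinfo=timezone.utc)


def find_recent_executables(root, cutoff=ADVISORY_DATE, exts=SUSPECT_EXTS):
    """Return sorted [(path, mtime)] for files under root whose extension is
    in exts and whose modification time is at or after cutoff."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            if mtime >= cutoff:
                hits.append((str(p), mtime))
    return sorted(hits)


# Tomcat "common" access log: ip - user [timestamp] "METHOD /path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def rare_jsp_paths(lines, max_sources=1):
    """Return sorted [(path, [ips], post_count)] for JSP paths that returned
    HTTP 200 to at most max_sources distinct client IPs."""
    sources = defaultdict(set)
    posts = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than crash
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if not path.lower().endswith((".jsp", ".jspx")):
            continue
        if m.group("status") != "200":
            continue  # a 404 means nothing executed; ignore it
        sources[path].add(m.group("ip"))
        if m.group("method") == "POST":
            posts[path] += 1  # shells are commonly driven by POSTed commands
    return sorted(
        (path, sorted(ips), posts[path])
        for path, ips in sources.items()
        if len(ips) <= max_sources
    )


# Constructed log lines (not real traffic): internal users hitting application
# pages, plus one external address driving a JSP under the images directory.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Nov/2021:09:12:01 +0000] "GET /HomePage.do HTTP/1.1" 200 5123
10.0.0.6 - - [25/Nov/2021:09:13:44 +0000] "GET /jsp/ReportView.jsp HTTP/1.1" 200 7710
10.0.0.5 - - [25/Nov/2021:09:15:10 +0000] "GET /jsp/ReportView.jsp?id=7 HTTP/1.1" 200 7724
203.0.113.77 - - [25/Nov/2021:09:20:33 +0000] "POST /images/help.jsp?cmd=whoami HTTP/1.1" 200 212
203.0.113.77 - - [25/Nov/2021:09:20:35 +0000] "POST /images/help.jsp?cmd=ipconfig HTTP/1.1" 200 1720
10.0.0.9 - - [25/Nov/2021:09:22:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4410
203.0.113.77 - - [25/Nov/2021:09:25:00 +0000] "GET /images/old.jsp HTTP/1.1" 404 0
""".splitlines()


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <ServiceDesk install dir> [access.log]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mtime in find_recent_executables(root):
        print(f"recent executable: {path} ({mtime:%Y-%m-%d %H:%M}Z)")
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG
    for path, ips, n_posts in rare_jsp_paths(lines):
        print(f"rare JSP path: {path} ips={ips} posts={n_posts}")
```

On the sample log the second check reports only `/images/help.jsp`, requested by a single external address with two POSTs; `/jsp/ReportView.jsp` is served to two different users and is left alone, and the 404 line is ignored because nothing executed. Both checks are heuristics: a modification time can be forged and a shell reached through a proxy will look like many sources, so treat hits as leads for forensic review rather than proof of compromise.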

Staying informed and acting quickly on advisories like this one is essential. The incident is a reminder that defending an organization depends on keeping every software system patched and securely configured, since a single exposed management product can give an attacker a path into the rest of the environment.
