
FBI warning: Hackers are targeting this flaw in Zoho ManageEngine ServiceDesk Plus

Dec, 03, 2021 Hi-network.com

The FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) are warning about the 'active exploitation' of a bug in Zoho ManageEngine ServiceDesk Plus before 11306.

"Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration," CISA and the FBI note about the vulnerability tracked as CVE-2021-44077.


The CISA and FBI alert warns that organizations that have not updated ServiceDesk Plus to version 11306 or later are exposed to attackers who install web shells, which are especially dangerous because they persist on a system even after the security update is applied.
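The two defensive checks this advisory implies, as an added example that is not part of the original article or of any Zoho or CISA tooling: a build-number check against the fixed builds CISA names, and a scan of web server access logs for requests that touch the /RestAPI servlet and the ImportTechnicians component. The Common Log Format lines, the request path and the IP addresses are constructed sample data; that an exploit attempt would combine both path components is an assumption based on CISA's description, not a confirmed indicator.

```python
import re
from typing import NamedTuple

# First fixed build per product, as stated in the CISA/FBI note quoted above.
FIXED_BUILDS = {
    "ServiceDesk Plus": 11306,
    "ServiceDesk Plus MSP": 10530,
    "SupportCenter Plus": 11014,
}

def is_vulnerable_build(product: str, build: int) -> bool:
    """True when the installed build predates the first fixed build for that product."""
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        raise ValueError(f"unknown product: {product}")
    return build < fixed

# Constructed sample access log in Common Log Format (assumption: the server logs this way).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2021:10:02:11 +0000] "GET /HomePage.do HTTP/1.1" 200 5120
203.0.113.7 - - [01/Dec/2021:10:03:45 +0000] "POST /RestAPI/ImportTechnicians HTTP/1.1" 200 311
10.0.0.9 - - [01/Dec/2021:10:04:02 +0000] "GET /RestAPI/requests HTTP/1.1" 401 88
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

class Hit(NamedTuple):
    ip: str
    ts: str
    method: str
    path: str
    status: int

def find_suspicious_requests(log_text: str) -> list[Hit]:
    """Return requests whose path names both the /RestAPI servlet and ImportTechnicians.

    Heuristic only: a hit is a lead for the incident responder to review, not proof of
    compromise; a 200 response from an unpatched build is the case worth escalating.
    """
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        path = m.group("path").lower()
        if "/restapi" in path and "importtechnicians" in path:
            hits.append(Hit(m.group("ip"), m.group("ts"), m.group("method"),
                            m.group("path"), int(m.group("status"))))
    return hits
```

Because web shells survive patching, a hit on a build that was vulnerable at the time should trigger a review of the application's web directories for files that do not belong to the product, not just the upgrade.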


The vulnerability also has implications for organizations that rely on Microsoft's Active Directory, the Windows identity platform, since the post-exploitation activity described below targets it.

"The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability," CISA says. 

"If left unpatched, successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells that enable post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files." 

Meanwhile, Zoho says in its advisory: "This vulnerability allows an attacker to gain unauthorized access to the application's data through a few of its application URLs. To do so, an attacker has to manipulate any vulnerable application URL path from the assets module with a proper character set replacement.

"This URL can bypass the authentication process and fetch the required data for the attacker, allowing the attacker to gain unauthorized access to user data or carry out subsequent attacks."

Microsoft raised an alarm this month about suspected Chinese hackers targeting Windows machines running Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution. It was tracked as CVE-2021-40539.

According to Palo Alto Networks' Unit 42 research team, the two vulnerabilities are most likely being used by a Chinese cyber-espionage group. It said that at least 13 organizations across the technology, energy, healthcare, education, finance and defense industries have been compromised over the past three months.

"Of the four new victims, two were compromised through vulnerable ADSelfService Plus servers while two were compromised through ServiceDesk Plus software. We anticipate that this number will climb as the actor continues to conduct reconnaissance activities against these industries and others, including infrastructure associated with five U.S. states," the researchers said.
