In September, Zoho published a fix for a remote code execution flaw in the Zoho ManageEngine ADSelfService Plus application and advised clients to update as soon as possible. Those who have not yet updated are likely to see exploitation attempts according to a security advisory published November 22, 2021. Research firms have noted no public proof of concept exists, thus leading analysts to believe threat groups are leveraging an exclusively developed exploit.
The flaw requires sending two requests to the REST API, one to upload an executable and another to launch the payload. This process is done remotely and requires no authentication to the vulnerable ServiceDesk server. According to researchers, the actor used the same webshell secret key seen in the ADSelfService Plus campaign, but this time it installs as an Apache Tomcat Java Servlet Filter. Analysis from Unit42 states “The fact that this Godzilla webshell is installed as a filter means that there is no specific URL that the actor will send their requests to when interacting with the webshell and the Godzilla webshell filter can also bypass a security filter that is present in ServiceDesk Plus to stop access to webshell files.”
