A vulnerability in Zoho’s ManageEngine Desktop Central software is actively being exploited by APT threat actors, according to a new advisory from the FBI. The vulnerability, tracked as CVE-2021-44515, allows a malicious user to bypass authentication in ManageEngine Desktop Central and execute arbitrary code on the server.
The FBI and security researchers have detected threat actors exploiting this vulnerability to establish a foothold within a network or to escalate their privileges. Once a foothold is established, these threat actors have been seen downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement, and dumping credentials. Initial reconnaissance is performed via a webshell that the threat actors inject into the Desktop Central software, overriding the legitimate Desktop Central API servlet endpoint. Once reconnaissance is complete, the threat actors have been seen dropping malware with remote access trojan (RAT) functionality that establishes persistence via a service and injects itself into a svchost process for execution and defense evasion. Further activity by the threat actors is then performed through the RAT.
As of earlier this month, Zoho has released patches for its Desktop Central platform to remediate this vulnerability.