Source |
Fortinet ThreatSignal |
Identifier |
3791017 |
Publication date |
2021-12-06 22:36:49 (viewed: 2021-12-13 21:05:26) |
Title |
Joint CyberSecurity Advisory on Attacks Exploiting Zoho ManageEngine ServiceDesk Plus Vulnerability (CVE-2021-44077) |
Text |
FortiGuard Labs is aware of a recent joint advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) on APT actors actively exploiting a critical vulnerability in Zoho ManageEngine ServiceDesk Plus. Successfully exploiting the vulnerability (CVE-2021-44077) enables an attacker to compromise administrator credentials, propagate through the compromised network, and conduct cyber espionage.

Why is this Significant?
This is significant because the advisory was released due to active exploitation of the vulnerability being observed. Zoho, the vendor of ManageEngine ServiceDesk Plus, states in their advisory that "we are noticing exploits of this vulnerability, and we strongly urge all customers using ServiceDesk Plus (all editions) with versions 11305 and below to update to the latest version immediately".

What Product and Versions are Vulnerable?
The vulnerable product is all editions of ServiceDesk Plus. Vulnerable versions are all versions up to, and including, version 11305.

What are the Technical Details of the Vulnerability?
Not much information is currently available on the vulnerability other than that it is related to /RestAPI URLs in a servlet, and to ImportTechnicians in the Struts configuration.

What CVE Number and Severity are Assigned to the Vulnerability?
The vulnerability is assigned CVE-2021-44077 and is rated critical with a CVSS score of 9.8.

Which Industries are Targeted?
According to the advisory, Critical Infrastructure Sector industries, including the healthcare, financial services, electronics and IT consulting industries, are targeted by threat actors.

What Malicious Activities Conducted by the Threat Actors were Observed?
CISA provided the following tactics, techniques and procedures (TTPs) for the observed activities:
Writing webshells to disk for initial persistence
Obfuscating and deobfuscating/decoding files or information
Conducting further operations to dump user credentials
Living off the land by only using signed Windows binaries for follow-on actions
Adding/deleting user accounts as needed
Stealing copies of the Active Directory database (NTDS.dit) or registry hives
Using Windows Management Instrumentation (WMI) for remote execution
Deleting files to remove indicators from the host
Discovering domain accounts with the net Windows command
Using Windows utilities to collect and archive files for exfiltration
Using custom symmetric encryption for command and control (C2)

Has the Vendor Patched the Vulnerability?
Yes, Zoho released a patch on September 16, 2021.

Has the Vendor Released an Advisory?
Yes, the vendor released an advisory on September 16, 2021. An additional advisory was released on November 22, 2021. Links are in the Appendix.

What is the Status of Coverage?
FortiGuard Labs provides the following AV coverage against available files that were used in the attack:
Java/Webshell.AD!tr
W64/Agent.BG!tr.pws
W32/Agent.CY!tr
Trojan.Win32.Agentb.kpbc
HEUR:Trojan-Dropper.Win32.Agentb.gen
HEUR:Backdoor.Multi.MalGO.a
Backdoor.Java.JSP.au
Trojan.Win64.Agentb.azo
Trojan.Win32.Agentb.kpbd
Trojan.Win64.Agentb.azp

As for CVE-2021-44077, there is not sufficient information available for FortiGuard Labs to develop IPS protection. FortiGuard Labs will investigate protection once such information becomes available and will update this Threat Signal with protection. |
Notes |
★★★★★
|
Sent |
Yes |
Tags |
Vulnerability
Threat
|
Stories |
|