Security News > 2021 > December > Hackers use in-house Zoho ServiceDesk exploit to drop webshells

An advanced persistent threat group that had been exploiting a flaw in the Zoho ManageEngine ADSelfService Plus software has pivoted to leveraging a different vulnerability in another Zoho product.
The actor has been seen exploiting an unauthenticated remote code execution issue in Zoho ServiceDesk Plus versions 11305 and older, currently tracked as CVE-2021-44077.
According to a report from Palo Alto Networks' Unit42, there is no public proof-of-concept exploit for CVE-2021-44077, which suggests that the APT group leveraging it developed the exploit code itself and are using it exclusively for now.
The actors exploit the flaw by sending two requests to the REST API, one to upload an executable and one to launch the payload. This process is done remotely and requires no authentication to the vulnerable ServiceDesk server.
Jar," a variant of the 'Godzilla' webshell that is loaded into ServiceDesk after killing 'java.
Organizations are strongly recommended to patch their Zoho software as soon as possible and review all files created in ServiceDesk Plus directories since early October 2021.
News URL
Related news
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells (source)
- Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores (source)
- SonicWall firewall exploit lets hackers hijack VPN sessions, patch now (source)
- North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack (source)
- Hackers exploit authentication bypass in Palo Alto Networks PAN-OS (source)
- Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks (source)
- Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes (source)
- Hackers Exploit Paragon Partition Manager Driver Vulnerability in Ransomware Attacks (source)
- Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-11-29 | CVE-2021-44077 | Missing Authentication for Critical Function vulnerability in Zohocorp products Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. | 9.8 |