Hackers use in-house Zoho ServiceDesk exploit to drop webshells
2021-12-02 17:37

An advanced persistent threat group that had been exploiting a flaw in the Zoho ManageEngine ADSelfService Plus software has pivoted to leveraging a different vulnerability in another Zoho product.

The actor has been seen exploiting an unauthenticated remote code execution issue in Zoho ServiceDesk Plus versions 11305 and older, currently tracked as CVE-2021-44077.

According to a report from Palo Alto Networks' Unit42, there is no public proof-of-concept exploit for CVE-2021-44077, which suggests that the APT group leveraging it developed the exploit code itself and is using it exclusively for now.

The actors exploit the flaw by sending two requests to the REST API, one to upload an executable and one to launch the payload. This process is done remotely and requires no authentication to the vulnerable ServiceDesk server.

Jar," a variant of the 'Godzilla' webshell that is loaded into ServiceDesk after killing 'java.

Organizations are strongly recommended to patch their Zoho software as soon as possible and review all files created in ServiceDesk Plus directories since early October 2021.
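
One way to carry out the file review recommended above, as an added example that is not from the article or from Zoho: it walks a directory and lists files created or modified since 1 October 2021, labelling Windows executables and ZIP/JAR archives by their leading bytes. The install directory passed on the command line and the exact cutoff day are assumptions.

```python
import os
import sys
from datetime import datetime, timezone

# Cutoff from the article ("early October 2021"); the exact day is an assumption.
# Timestamps can be altered, so treat the output as a triage list, not proof.
CUTOFF = datetime(2021, 10, 1, tzinfo=timezone.utc).timestamp()
# Leading bytes of the two file kinds the article mentions (executable, JAR).
MAGIC = {b"MZ": "windows-executable", b"PK\x03\x04": "zip-or-jar"}


def classify(path):
    """Return a label from the file's leading bytes, or None if unknown or unreadable."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return None
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def review(root, cutoff=CUTOFF):
    """Return (timestamp, kind, path) for files at or after cutoff, newest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            # st_ctime is creation time on Windows, inode-change time on Unix.
            stamp = max(st.st_mtime, st.st_ctime)
            if stamp >= cutoff:
                hits.append((stamp, classify(path), path))
    return sorted(hits, key=lambda hit: hit[0], reverse=True)


if __name__ == "__main__":
    # The directory to scan is an assumption; pass the real install path.
    for stamp, kind, path in review(sys.argv[1] if len(sys.argv) > 1 else "."):
        when = datetime.fromtimestamp(stamp, timezone.utc).isoformat()
        print(when, kind or "-", path, sep="\t")
```

Files labelled as executables or archives in directories that normally hold only application data are the ones to examine first.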


News URL

https://www.bleepingcomputer.com/news/security/hackers-use-in-house-zoho-servicedesk-exploit-to-drop-webshells/

Related Vulnerability

CVE: CVE-2021-44077
Date: 2021-11-29
Vulnerability title: Missing Authentication for Critical Function vulnerability in Zohocorp products
Description: Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution.
Attack vector: network
Attack complexity: low
Vendor: zohocorp
CWE: CWE-306
Risk: critical (9.8)

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Zoho 5 0 3 5 0 8