Security News > 2021 > December > Hackers use in-house Zoho ServiceDesk exploit to drop webshells
An advanced persistent threat group that had been exploiting a flaw in the Zoho ManageEngine ADSelfService Plus software has pivoted to leveraging a different vulnerability in another Zoho product.
The actor has been seen exploiting an unauthenticated remote code execution issue in Zoho ServiceDesk Plus versions 11305 and older, currently tracked as CVE-2021-44077.
According to a report from Palo Alto Networks' Unit42, there is no public proof-of-concept exploit for CVE-2021-44077, which suggests that the APT group leveraging it developed the exploit code itself and are using it exclusively for now.
The actors exploit the flaw by sending two requests to the REST API, one to upload an executable and one to launch the payload. This process is done remotely and requires no authentication to the vulnerable ServiceDesk server.
Jar," a variant of the 'Godzilla' webshell that is loaded into ServiceDesk after killing 'java.
Organizations are strongly recommended to patch their Zoho software as soon as possible and review all files created in ServiceDesk Plus directories since early October 2021.
News URL
Related news
- Hackers Exploit ConnectWise ScreenConnect Flaws to Deploy TODDLERSHARK Malware (source)
- Hackers Exploit Misconfigured YARN, Docker, Confluence, Redis Servers for Crypto Mining (source)
- Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware (source)
- Magnet Goblin Hacker Group Leveraging 1-Day Exploits to Deploy Nerbian RAT (source)
- Hackers exploit Windows SmartScreen flaw to drop DarkGate malware (source)
- Hackers exploit Aiohttp bug to find vulnerable networks (source)
- Hackers exploit Ray framework flaw to breach servers, hijack resources (source)
- Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites (source)
- Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign (source)
- Hackers Exploit OpenMetadata Flaws to Mine Crypto on Kubernetes (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-11-29 | CVE-2021-44077 | Missing Authentication for Critical Function vulnerability in Zohocorp products Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. | 9.8 |