A team of sophisticated hackers that exploited a vulnerability in Zoho ManageEngine ADSelfService Plus has turned to exploiting a different vulnerability in another Zoho product.
The team is exploiting an unauthenticated remote code execution vulnerability in Zoho ServiceDesk Plus versions 11305 and older, tracked as CVE-2021-44077.
Zoho patched the RCE flaw on September 16, 2021, and on November 22, 2021 the company published a security alert warning customers about active exploitation. However, users were slow to update their systems and remained vulnerable to attacks.
According to a report by Unit 42 of Palo Alto Networks, there is no public evidence of exploitation of CVE-2021-44077, suggesting that the APT group using it developed the exploit code itself and is using it exclusively for the time being.
The attackers exploit the vulnerability by sending two requests to the REST API: one to download an executable file (msiexec.exe) and one to launch the payload.
This process is performed remotely and does not require authentication on the vulnerable ServiceDesk server.
When ServiceDesk executes the payload, a mutex is created and a hardcoded Java module is written to "../lib/tomcat/tomcat-postgres.jar", a variant of the "Godzilla" web shell that loads into ServiceDesk after killing "java.exe" and restarting the process.
According to the researchers, the team used the same web shell secret key that appeared in the ADSelfService Plus campaign, but this time it is installed as an Apache Tomcat Java Servlet filter.
Palo Alto Networks has uncovered evidence that may link these attacks to the Chinese APT27 (Emissary Panda) group, which has previously deployed Godzilla against high-profile targets, but the evidence is insufficient for a definitive attribution.
Organizations are advised to patch the Zoho software as soon as possible and to check all files created in the ServiceDesk Plus directories since the beginning of October 2021.
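The following triage script is an added example, not code from the article, Zoho or Unit 42. It automates the check recommended above: it lists files modified in a ServiceDesk Plus installation since 1 October 2021, flags the "tomcat-postgres.jar" file name the article associates with the Godzilla variant, and lists Tomcat servlet filters registered in any web.xml whose class does not match a baseline of expected package prefixes. The baseline prefixes, the installation path and the sample tree built by make_sample_install() are assumptions and constructed test data; file modification time is used because creation time is not portable across file systems.

```python
"""Added example, not part of the article: post-patch triage of a ServiceDesk
Plus directory tree for the indicators described in the text."""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The article's advice: review files created since the beginning of October 2021.
CUTOFF = datetime(2021, 10, 1, tzinfo=timezone.utc)
# Indicator named in the article: the web shell is dropped as lib/tomcat/tomcat-postgres.jar
SUSPECT_JAR = "tomcat-postgres.jar"
# Tomcat registers servlet filters in web.xml; a filter whose class falls outside
# the packages the product normally uses is worth a closer look. These prefixes are
# an assumed baseline, not a vendor-published list; adjust them to your own install.
KNOWN_FILTER_PREFIXES = ("com.adventnet.", "com.manageengine.", "org.apache.")
FILTER_CLASS_RE = re.compile(r"<filter-class>\s*([\w.$]+)\s*</filter-class>")


def recent_files(root, cutoff=CUTOFF):
    """Return sorted (path, mtime) pairs for files under root modified after cutoff."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            except OSError:
                continue
            if mtime > cutoff:
                hits.append((str(p), mtime))
    return sorted(hits)


def suspicious_jars(root):
    """Flag any jar carrying the file name the article associates with the web shell."""
    return [str(p) for p in Path(root).rglob("*.jar") if p.name == SUSPECT_JAR]


def unknown_filters(web_xml_text, known=KNOWN_FILTER_PREFIXES):
    """Return servlet filter classes in a web.xml that do not match the known prefixes."""
    return [c for c in FILTER_CLASS_RE.findall(web_xml_text) if not c.startswith(known)]


def triage(root, cutoff=CUTOFF):
    """Run all three checks over an installation directory and return the findings."""
    root = Path(root)
    findings = {"recent_files": recent_files(root, cutoff),
                "suspect_jars": suspicious_jars(root),
                "unknown_filters": []}
    for web_xml in root.rglob("web.xml"):
        try:
            text = web_xml.read_text(errors="replace")
        except OSError:
            continue
        for cls in unknown_filters(text):
            findings["unknown_filters"].append((str(web_xml), cls))
    return findings


def make_sample_install():
    """Build a constructed mock installation in a temp dir: one file older than the
    cutoff, a suspect jar, and a web.xml with one expected and one unexpected filter."""
    base = Path(tempfile.mkdtemp())
    old = base / "old.txt"
    old.write_text("pre-incident file")
    old_ts = datetime(2021, 9, 1, tzinfo=timezone.utc).timestamp()
    os.utime(old, (old_ts, old_ts))
    (base / "lib" / "tomcat").mkdir(parents=True)
    (base / "lib" / "tomcat" / SUSPECT_JAR).write_bytes(b"PK\x03\x04")
    (base / "WEB-INF").mkdir()
    (base / "WEB-INF" / "web.xml").write_text(
        "<web-app>\n"
        "  <filter><filter-name>a</filter-name>"
        "<filter-class>com.adventnet.ExpectedFilter</filter-class></filter>\n"
        "  <filter><filter-name>b</filter-name>"
        "<filter-class>example.UnknownFilter</filter-class></filter>\n"
        "</web-app>\n")
    return str(base)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_install()
    for key, items in triage(target).items():
        print(f"== {key} ({len(items)})")
        for item in items:
            print("  ", item)
```

Run it with the ServiceDesk Plus installation directory as the only argument; without an argument it scans the constructed sample tree. Treat the output as a starting point for review, not a verdict: a recent file is only suspicious in context, and any unexpected filter class should be compared against a known-good copy of web.xml from a clean install of the same build.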