{"id":7477,"date":"2021-12-24T19:07:45","date_gmt":"2021-12-25T02:07:45","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7477"},"modified":"2023-04-05T12:36:30","modified_gmt":"2023-04-05T19:36:30","slug":"zoho-cisa-and-fbi-issues-alert-for-new-zero-day-vulnerability-cve-2021-44077-patch-now","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/zoho-cisa-and-fbi-issues-alert-for-new-zero-day-vulnerability-cve-2021-44077-patch-now\/","title":{"rendered":"Zoho: CISA and FBI Issue Alert for New Zero-Day Vulnerability (CVE-2021-44077), Patch Now!"},"content":{"rendered":"
An APT group is using CVE-2021-44077 and CVE-2021-44515 in Zoho ManageEngine ServiceDesk Plus and Desktop Central Servers to compromise businesses in a range of industries, including military and technology.

– Cybersecurity and Infrastructure Security Agency and FBI

{Updated on January 25, 2022}: Zoho fixed a new critical-severity vulnerability (CVE-2021-44757) that affects the company’s unified endpoint management (UEM) solutions Desktop Central and Desktop Central MSP. Approximately 2,800 ManageEngine Desktop Central instances are exposed to the Internet. With a series of CISA alerts stating that APT groups are targeting ManageEngine, we recommend that users patch this vulnerability immediately.

On November 22, 2021, Zoho released an advisory alerting customers to the active exploitation of the newly registered CVE-2021-44077 in ManageEngine ServiceDesk Plus. Zoho’s ManageEngine ServiceDesk Plus is IT help desk and asset management software that provides a complete audit trail of the service tickets associated with each asset.

APT Threat Groups Actively Seeking Vulnerable ServiceDesk Systems

In the three months since the disclosure of CVE-2021-40539, the threat actors have shifted their focus to a different Zoho product by leveraging the new vulnerability, CVE-2021-44077. Threat actors have been observed exploiting CVE-2021-44077, an unauthenticated remote code execution issue affecting Zoho ServiceDesk Plus versions 11305 and older.

On September 16, 2021, the Federal Bureau of Investigation (FBI), the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) first alerted the public to activity targeting CVE-2021-40539, stating that it was most likely APT activity and emphasizing the high risk these attacks posed to critical infrastructure. Following the joint alert, Palo Alto Networks published that it had found traces of attacks linked to the Chinese APT27 (Emissary Panda) group, which has previously used the Godzilla webshell.

On December 17, the FBI and CISA red-flagged another vulnerability, CVE-2021-44515, in Desktop Central servers, which has been under active exploitation by advanced persistent threat groups.

Following exploitation, attackers download a dropper onto target systems. The dropper delivers a Godzilla webshell, which gives the actor additional access to and persistence on compromised devices, similar to the techniques previously used against the ADSelfService software.

The Looming Threats

CVE-2021-44077
