APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus
This joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 9. See the ATT&CK for Enterprise framework for referenced threat actor techniques and for mitigations.
This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-44077) in Zoho ManageEngine ServiceDesk Plus—IT help desk software with asset management.
CVE-2021-44077, which Zoho rated critical, is an unauthenticated remote code execution (RCE) vulnerability affecting all ServiceDesk Plus versions up to, and including, version 11305. This vulnerability was addressed by the update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability. Successful exploitation of the vulnerability allows an attacker to upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.
The Zoho update that patched this vulnerability was released on September 16, 2021, along with a security advisory. Additionally, an email advisory was sent to all ServiceDesk Plus customers with additional information. Zoho released a subsequent security advisory on November 22, 2021, and advised customers to patch immediately.
The FBI and CISA are aware of reports of malicious cyber actors likely using exploits against CVE-2021-44077 to gain access [T1190] to ManageEngine ServiceDesk Plus, as early as late October 2021. The actors have been observed using various tactics, techniques and procedures (TTPs), including:
- Writing webshells [T1505.003] to disk for initial persistence
- Obfuscating and Deobfuscating/Decoding Files or Information [T1027 and T1140]
- Conducting further operations to dump user credentials [T1003]
- Living off the land by only using signed Windows binaries for follow-on actions [T1218]
- Adding/deleting user accounts as needed [T1136]
- Stealing copies of the Active Directory database (NTDS.dit) [T1003.003] or registry hives
- Using Windows Management Instrumentation (WMI) for remote execution [T1047]
- Deleting files to remove indicators from the host [T1070.004]
- Discovering domain accounts with the net Windows command [T1087.002]
- Using Windows utilities to collect and archive files for exfiltration [T1560.001]
- Using custom symmetric encryption for command and control (C2) [T1573.001]
The FBI and CISA are proactively investigating this malicious cyber activity:
- The FBI leverages specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies.
- CISA offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce their exposure to threats. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
Sharing technical and/or qualitative information with the FBI and CISA helps empower and amplify our capabilities as federal partners to collect and share intelligence and engage with victims, while working to unmask and hold accountable those conducting malicious cyber activities.
Compromise of the affected systems involves exploitation of CVE-2021-44077 in ServiceDesk Plus, allowing the attacker to:
- Achieve an unrestricted file upload through a POST request to the ServiceDesk REST API URL and upload an executable file, C:\ManageEngine\Servicedesk\bin\msiexec.exe, with a SHA256 hash of ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7. This executable file serves as a dropper and contains an embedded, encoded Godzilla JAR file.
- Gain execution for the dropper through a second POST request to a different REST API URL, which will then decode the embedded Godzilla JAR file and drop it to the filepath C:\ManageEngine\ServiceDesk\lib\tomcat\tomcat-postgres.jar with a SHA256 hash of
Confirming a successful compromise of ManageEngine ServiceDesk Plus may be difficult—the attackers are known to run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between exploitation of the vulnerability and the webshell.
APT cyber actors have targeted Critical Infrastructure Sector industries, including the healthcare, financial services, electronics and IT consulting industries.
Indicators of Compromise
Malicious IIS Module:
POST requests sent to the following URLs:
Note: the domain seed.nkn[.]org is a New Kind of Network (NKN) domain that provides legitimate peer to peer networking services utilizing blockchain technology for decentralization. It is possible to have false positive hits in a corporate network environment and it should be considered suspicious to see any software-initiated contacts to this domain or any subdomain.
Log File Analysis
- Check serverOut*.txt log files under C:\ManageEngine\ServiceDesk\logs\ for suspicious log entries matching the following format:
[<time>]|[<date>]|[com.adventnet.servicedesk.setup.action.ImportTechniciansAction]|[INFO]|: fileName is : msiexec.exe]
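A triage sketch for the log check above and the two dropped-file paths named earlier, added here as an example and not part of the advisory or of any FBI, CISA or Zoho tooling. The class name, relative paths and dropper SHA256 come from the advisory text; the install root argument, the list of flagged extensions and the sample log lines are assumptions.

```python
import hashlib
import re
from pathlib import Path

# From the advisory: dropper hash and paths relative to the install directory.
DROPPER_SHA256 = "ecd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7"
DROPPER_REL = Path("bin") / "msiexec.exe"
JAR_REL = Path("lib") / "tomcat" / "tomcat-postgres.jar"
# Assumption: extensions flagged in addition to the advisory's msiexec.exe.
EXEC_EXT = (".exe", ".dll", ".bat", ".ps1", ".jar", ".jsp")
ENTRY = re.compile(
    r"^\[(?P<time>[^\]]*)\]\|\[(?P<date>[^\]]*)\]\|"
    r"\[com\.adventnet\.servicedesk\.setup\.action\.ImportTechniciansAction\]"
    r"\|\[INFO\]\|[^:]*:\s*fileName is\s*:\s*(?P<name>.*?)\]?\s*$"
)
# Constructed sample lines; times, date, the .csv name and OtherAction are invented.
_FMT = "[{t}]|[11-03-2021]|[com.adventnet.servicedesk.setup.action.{cls}]|[INFO]|: {msg}]"
SAMPLE_LOG = "\n".join([
    _FMT.format(t="00:15:42:101", cls="ImportTechniciansAction", msg="fileName is : msiexec.exe"),
    _FMT.format(t="09:01:10:007", cls="ImportTechniciansAction", msg="fileName is : technicians.csv"),
    _FMT.format(t="09:02:00:000", cls="OtherAction", msg="started"),
])


def scan_log_lines(lines):
    """Return (time, date, fileName) for upload entries that name an executable."""
    hits = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if m and m["name"].lower().endswith(EXEC_EXT):
            hits.append((m["time"], m["date"], m["name"]))
    return hits


def triage(root):
    """Scan serverOut*.txt under root/logs and check the two dropped-file paths."""
    root, findings = Path(root), []
    for log in sorted((root / "logs").glob("serverOut*.txt")):
        with log.open(errors="replace") as fh:
            findings += [(log.name, *hit) for hit in scan_log_lines(fh)]
    dropper = root / DROPPER_REL
    if dropper.is_file():
        digest = hashlib.sha256(dropper.read_bytes()).hexdigest()
        state = "hash-match" if digest == DROPPER_SHA256 else "present-hash-differs"
        findings.append((str(DROPPER_REL), state, digest))
    if (root / JAR_REL).is_file():  # the advisory's hash for this file is not on the page
        findings.append((str(JAR_REL), "present", ""))
    return findings
```

Call `triage(r"C:\ManageEngine\ServiceDesk")` on the server or against a forensic copy of the install directory. Because the actors are reported to run clean-up scripts, an empty result does not rule out compromise.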
Tactics, Techniques, and Procedures
- Using WMI for lateral movement and remote code execution (in particular,
- Using plaintext credentials for lateral movement
- Using pg_dump.exe to dump ManageEngine databases
- Active credential harvesting through
- Exfiltrating through webshells
- Conducting exploitation activity often through other compromised U.S. infrastructure
- Dropping multiple webshells and/or implants to maintain persistence
- Using renamed versions of csvde, and other legitimate third-party tools for reconnaissance and exfiltration
// YARA rules. The rule names are placeholders: the original names are not preserved on this page.
rule placeholder_rule_1 {
    strings:
        $s1 = "decrypt(fpath)"
        $s2 = "decrypt(fcontext)"
        $s3 = "decrypt(commandEnc)"
        $s4 = "upload failed!"
        $s5 = "sevck"
        $s6 = "newid"
    condition:
        filesize < 15KB and 4 of them
}

rule placeholder_rule_2 {
    strings:
        $s1 = "AEScrypt"
        $s2 = "AES/CBC/PKCS5Padding"
        $s3 = "SecretKeySpec"
        $s4 = "FileOutputStream"
        $s5 = "getParameter"
        $s6 = "new ProcessBuilder"
        $s7 = "new BufferedReader"
        $s8 = "readLine()"
    condition:
        filesize < 15KB and 6 of them
}

rule placeholder_rule_3 {
    strings:
        $u1 = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36"
        $u2 = "Content-Type: application/soap+xml; charset=UTF-8"
        $u3 = "/service/soap"
        $u4 = "Good Luck :::)"
        $s1 = "zimBR"
        $s2 = "log10"
        $s3 = "mymain"
        $s4 = "urn:zimbraAccount"
        $s5 = "/service/upload?fmt=extended,raw"
        $s6 = "<query>(in:\"inbox\" or in:\"junk\") is:unread</query>"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 2MB and 1 of ($u*) and 3 of ($s*)
}

rule placeholder_rule_4 {
    strings:
        $s1 = "UEsDBAoAAAAAAI8UXFM" // base64 encoded PK/ZIP header
        $s2 = "../lib/tomcat/tomcat-postgres.jar"
        $s3 = "RunAsManager.exe"
        $s4 = "ServiceDesk"
        $s5 = "C:\\Users\\pwn\\documents\\visual studio 2015\\Projects\\payloaddll"
        $s6 = "CreateMutexA"
        $s7 = "cplusplus_me"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 350KB and 4 of them
}

rule placeholder_rule_5 {
    strings:
        $s1 = "org/apache/tomcat/SSLFilter.class"
        $s2 = "META-INF/services/javax.servlet.ServletContainerInitializer"
        $s3 = "org/apache/tomcat/MainFilterInitializer.class"
    condition:
        uint32(0) == 0x04034B50 and filesize < 50KB and all of them
}

rule placeholder_rule_6 {
    strings:
        $s1 = "/mnt/hgfs/CrossC2-2.2"
        $s2 = "WHATswrongwithU"
        $s3 = "//seed.nkn.org:"
        $s4 = "Preylistener"
        $s5 = "preyid"
        $s6 = "Www-Authenticate"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 15MB and 4 of them
}

rule placeholder_rule_7 {
    strings:
        $k1 = "kdcsvc.dll"
        $k2 = "kdccli.dll"
        $k3 = "kdcsvs.dll"
        $f1 = "KerbHashPasswordEx3"
        $f2 = "KerbFreeKey"
        $f3 = "KdcVerifyEncryptedTimeStamp"
        $s1 = "download//symbols//%S//%S//%S" wide
        $s2 = "KDC Service"
        $s3 = "\\system.dat"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize < 1MB and 1 of ($k*) and 1 of ($f*) and 1 of ($s*)
}
Organizations that identify any activity related to ManageEngine ServiceDesk Plus indicators of compromise within their networks should take action immediately.
Zoho ManageEngine ServiceDesk Plus build 11306, or higher, fixes CVE-2021-44077. ManageEngine initially released a patch for this vulnerability on September 16, 2021. A subsequent security advisory was released on November 22, 2021, and advised customers to patch immediately. Additional information can be found in the Zoho security advisory released on November 22, 2021.
In addition, Zoho has set up a security response plan center that provides additional details, a downloadable tool that can be run on potentially affected systems, and a remediation guide.
FBI and CISA also strongly recommend domain-wide password resets and double Kerberos TGT password resets if any indication is found that the NTDS.dit file was compromised.
Note: Implementing these password resets should not be taken as a comprehensive mitigation in response to this threat; additional steps may be necessary to regain administrative control of your network. Refer to your specific product's mitigation guidance for details.
Actions for Affected Organizations
- Identification of indicators of compromise as outlined above.
- Presence of webshell code on compromised ServiceDesk Plus servers.
- Unauthorized access to or use of accounts.
- Evidence of lateral movement by malicious actors with access to compromised systems.
- Other indicators of unauthorized access or compromise.
Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.
For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:
- The FBI through the FBI Cyber Division (855-292-3937 or CyWatch@fbi.gov) or a local field office
- CISA (888-282-0870 or Central@cisa.dhs.gov).
December 2, 2021: Initial version
December 6, 2021: STIX file added