The FBI’s cyber division has issued an alert warning enterprises using Zoho-owned ManageEngine’s Desktop Central that advanced attackers have been exploiting a flaw to install malware since late October.
Zoho released a patch for an authentication bypass flaw CVE-2021-44515 on December 3, warning at the time that it had seen “indications of exploitation” and urged customers to update immediately.
Zoho didn’t provide further details of the attacks at the time. They follow activity earlier this year targeting previously patched flaws in ManageEngine products, tracked as CVE-2021-40539 and CVE-2021-44077. However, the FBI says in the new alert that advanced persistent threat (APT) actors have been exploiting CVE-2021-44515 since at least October 2021.
“Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers,” the FBI alert said.
Microsoft has previously attributed some of the earlier activity to a Chinese hacking group that installed web shells on compromised servers to maintain persistence. The flaws affected IT management products used by end-user organizations and managed service providers.
The FBI now says it observed APT actors compromising Desktop Central servers using the flaw, now known as CVE-2021-44515, to drop a web shell that overrides a legitimate function of Desktop Central.
The attackers then downloaded post-exploitation tools, enumerated domain users and groups, conducted network reconnaissance, attempted lateral movement across the network and dumped credentials.
ManageEngine is the enterprise IT management software division of Zoho, a company well known for its software-as-a-service products.
The flaw affects Desktop Central software for both enterprise customers and the version for managed service provider (MSP) customers.
The FBI has filled in some details about how attackers are abusing the flaw after obtaining samples that were downloaded from likely compromised