Joint Cybersecurity Advisory: APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI just released a joint cybersecurity advisory highlighting the cyber threat associated with active exploitation of a newly identified vulnerability, tracked as CVE-2021-44077, in Zoho ManageEngine ServiceDesk Plus, an IT help desk software with asset management. According to the report, the CVE-2021-44077 vulnerability is an unauthenticated remote code execution (RCE) vulnerability impacting all ServiceDesk Plus versions up to, and including, version 11305. The FBI and CISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability. An attack successfully leveraging this vulnerability can “upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” according to the advisory.

A patch for this vulnerability was released on September 16, 2021, along with a security advisory. Additionally, the FBI and CISA are aware of threat actors likely abusing this exploit in the wild. The advisory includes further technical details regarding the group’s activity, including indicators of compromise, and lists recommended mitigations. For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, contact CISA at (888) 282-0870, or by email at Ce*****@******hs.gov. Additionally, to report suspicious or criminal activity related to information found in this advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855)-292-3937, or by e-mail at Cy*****@*bi.gov.