
Nation-States Exploiting Critical Flaw in Zoho UEM

FBI Urges Users to Patch Flaw in Unified Endpoint Management System Immediately
Zoho Corp. headquarters in Chennai, India (Photo: Wikimedia Commons)

As the Log4j vulnerability continues to garner attention, a new zero-day vulnerability found in Zoho Corp.'s widely used unified endpoint management tool, ManageEngine Desktop Central - now tracked as CVE-2021-44515 - is being actively exploited by nation-state actors in the wild, according to the FBI.


The authentication bypass vulnerability, which has a critical score of 9.8 out of 10, gives advanced persistent threat actors the ability to compromise servers, drop a web shell that overrides a legitimate function of the software, and dump credentials, the FBI says.

The agency says attacks stemming from this vulnerability have been taking place since at least October.

According to the FBI, attackers have been sending requests from external IP addresses to the API URL "/fos/statuscheck", a legitimate but rarely used Desktop Central endpoint. Requests to that endpoint normally come only from other Desktop Central servers. The FBI advises investigating any requests to it from external IP addresses between October and December 2021, as they are a telltale sign of compromise.
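The "/fos/statuscheck" check described above, as an added example that is not code from the FBI, Zoho or the article: a Python script that scans web server access log lines for requests to that endpoint that did not come from a known peer Desktop Central server and that fall inside the October to December 2021 window. The Apache combined log format, the allowlist of peer server addresses, and the sample log lines are all assumptions constructed for this example; the real log layout and location on a Desktop Central server may differ, so adjust the pattern before running it against production logs.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Assumption: the front-end web server writes Apache "combined" format lines.
# The page does not state Desktop Central's log format; adjust LOG_RE as needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Window named in the FBI guidance: October through December 2021.
WINDOW_START = datetime(2021, 10, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 1, tzinfo=timezone.utc)

SUSPECT_PATH = "/fos/statuscheck"

# Assumption: the operator knows the addresses of peer Desktop Central servers
# that legitimately call this endpoint. Everything else is reported.
KNOWN_SERVERS = {"10.0.5.20"}

# RFC 1918 ranges, used only to label a hit as internal or external so that
# external sources (the FBI's indicator) can be triaged first.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log lines (not real telemetry). Addresses are documentation ranges.
SAMPLE_LOG = """\
10.0.5.20 - - [12/Oct/2021:08:14:02 +0000] "GET /fos/statuscheck HTTP/1.1" 200 512 "-" "Java/1.8.0_291"
203.0.113.45 - - [14/Oct/2021:03:22:51 +0000] "GET /fos/statuscheck HTTP/1.1" 200 512 "-" "python-requests/2.26.0"
198.51.100.7 - - [02/Nov/2021:21:05:17 +0000] "POST /fos/statuscheck?x=1 HTTP/1.1" 200 0 "-" "curl/7.68.0"
198.51.100.7 - - [02/Nov/2021:21:05:30 +0000] "GET /configurations.do HTTP/1.1" 200 8812 "-" "curl/7.68.0"
10.0.5.21 - - [15/Dec/2021:10:00:00 +0000] "GET /fos/statuscheck HTTP/1.1" 200 512 "-" "Java/1.8.0_291"
203.0.113.45 - - [03/Jan/2022:09:00:00 +0000] "GET /fos/statuscheck HTTP/1.1" 200 512 "-" "python-requests/2.26.0"
garbage line that does not parse
"""


def is_rfc1918(ip):
    """True if ip is inside one of the RFC 1918 private ranges; False for anything unparseable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def parse_line(line):
    """Parse one access-log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        # Drop any query string so "/fos/statuscheck?x=1" still matches.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_statuscheck_hits(lines, known_servers, start=WINDOW_START, end=WINDOW_END):
    """Return /fos/statuscheck requests inside [start, end) that did not come from a known peer server."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != SUSPECT_PATH:
            continue
        if not (start <= rec["ts"] < end):
            continue
        if rec["ip"] in known_servers:
            continue
        rec["external"] = not is_rfc1918(rec["ip"])
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_statuscheck_hits(SAMPLE_LOG.splitlines(), KNOWN_SERVERS):
        label = "EXTERNAL" if h["external"] else "internal-unknown"
        print(f'{h["ts"].isoformat()} {h["ip"]:<15} {h["method"]:<4} {h["path"]} {h["status"]} [{label}]')
```

Run it against the real access log by replacing SAMPLE_LOG with the file contents; an internal address that is not in the allowlist is still reported, because a compromised host inside the network would look the same to this check, but external hits are the ones the FBI guidance calls out and should be triaged first.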

Other tactics, techniques, and procedures outlined by the FBI as used by nation-states to exploit this vulnerability include:

  • Dynamic link library, or DLL, sideloading;
  • Network scanning;
  • Command injection with Microsoft PowerShell;
  • Downloading post-exploitation tools;
  • Creating backdoor persistence through Windows;
  • Credential dumping.

"Organizations that identify any activity related to these IOCs within their networks should take action immediately," the FBI says. It also encourages organizations to report incidents related to the vulnerability to law enforcement agencies.

The U.S. Cybersecurity and Infrastructure Security Agency added this vulnerability to its Known Exploited Vulnerabilities Catalog in early December and set the remediation date for Friday.

'A Regular Target'

Zoho Corp. - an India-based company that designs web-based tools for businesses - has a history of having its products targeted by attackers, with public reports dating back to 2020. The techniques used with CVE-2021-44515 are similar to those deployed by the Chinese hacking group APT27, Bleeping Computer reports.

In September, the FBI, CISA and the U.S. Coast Guard released a joint advisory on another critical Zoho flaw, this one in ManageEngine ADSelfService Plus. In that instance, nation-state actors were leveraging an authentication bypass vulnerability tracked as CVE-2021-40539 to launch attack campaigns.

The Australian Cyber Security Center reported similar findings in relation to Zoho's software flaw (see: Australia Warns of Critical Vulnerability in Zoho Service).

Zoho Corp. powers some 180,000 IT teams worldwide, including federal government defense contractors such as Raytheon, Boeing and Northrop Grumman. The company also provides custom software builds for the U.S. Navy and Marine Corps, according to its official website.

Karim Hijazi, CEO of Prevailion, a cyberthreat intelligence company, tells ISMG, "Zoho ManageEngine has been a regular target for APTs." He says ManageEngine Desktop Central allows for the management and control of computer networks as well as remote access to computer networks, and this is why it is especially vulnerable to APTs.

Evolution of Zoho Flaw

Some experts predict that this flaw, if left unpatched, could open the door to a supply chain attack on the scale of SolarWinds or Kaseya. Both U.S. software developers were compromised by Russia-linked groups: SolarWinds by Nobelium, a state-backed espionage group, and Kaseya by the REvil ransomware gang.

SolarWinds and Kaseya are notable for the scope of their victims, which included five U.S. government agencies, major technology organizations and critical infrastructure. SolarWinds, in particular, is considered by many the most serious supply chain attack to date (see: SolarWinds Supply Chain Hit: Victims Include Cisco, Intel).

The Zoho flaw could even follow a trajectory similar to Log4j.

"In the hands of a threat actor, this represents the perfect 'one to many' lateral movement opportunity," Hijazi says. He predicts that the ability to deploy web shells after the initial exploitation could pose "a formidable challenge similar to the vector witnessed with Log4j2."

Other experts agree that the vulnerability can prove damaging.

Chris Pierson, a former member of the U.S. Department of Homeland Security's Cybersecurity Committee, says that once an adversary has a foothold in the environment, they can drop tools that allow for further exploitation, move laterally through the company's systems, establish persistence, and eventually exfiltrate information and data.

And Randy Pargman, who formerly served on the FBI's Cyber Task Force in Seattle, says actors exploiting this vulnerability will use it "to steal sensitive documents, or launch ransomware, or both" until organizations have effectively patched affected software.

"Managing large fleets of desktop and mobile devices is a common business need, so this will probably affect many sectors," says Pargman, who is vice president of threat hunting and counterintelligence at the firm Binary Defense.

Effective Mitigation

The FBI has released detection strategies and recommendations for mitigating the risks of the Desktop Central vulnerability, with step-by-step instructions that follow Zoho's incident response plan.

Zoho outlines the incident response plan in five steps:

  1. Disconnect the infected system from the network.
  2. Back up the Desktop Central database.
  3. Format the compromised machine after backing up critical data.
  4. Restore Desktop Central using the same build version as the database backed up in step 2.
  5. Apply the software updates for the applicable version.

Zoho also recommends completing a password reset for all users that had access to the infected device, including admin passwords.

Pierson, who is currently the CEO of the cybersecurity firm BlackCloak, says that while updating to ManageEngine's latest version, organizations should limit internal access to systems that must communicate with the compromised devices before beginning internal threat hunting.

Security practitioners can start by checking which version of Desktop Central they are running, ensuring the latest patches have been installed, and then looking closely at the patched servers to determine whether they were attacked, Pargman says.

In addition to following the FBI guidance, he recommends that security teams forward event logs and endpoint detection and response, or EDR, telemetry to a central server the attacker cannot reach, so that the logs cannot be deleted from a compromised host.

Hijazi recommends downloading ManageEngine's exploit detection tool.

About the Author

Devon Warren-Kachelein


Former Staff Writer, ISMG

Warren-Kachelein began her information security journey as a multimedia journalist for SecureWorld, a Portland, Oregon-based cybersecurity events and media group. There she covered topics ranging from government policy to nation-states, as well as topics related to diversity and security awareness. She began her career reporting news for a Southern California-based paper called The Log and also contributed to tech media company Digital Trends.
