Zoho Urgently Releases Vulnerability Patch for ManageEngine Desktop Central: Updates Needed ASAP


Business software provider Zoho has alerted users to update their installations of Desktop Central and Desktop Central MSP to the latest version available.

https://pitstop.manageengine.com/portal/en/community/topic/an-authentication-bypass-vulnerability-identified-and-fixed-in-desktop-central-and-desktop-central-msp

The alert concerns a recently identified authentication bypass vulnerability in Desktop Central that also affects Desktop Central MSP. The vulnerability, registered as CVE-2021-44515, has been fixed in the latest build, released on December 3, 2021.

Zoho’s ManageEngine Desktop Central is a management platform that helps administrators automatically deploy patches and software over the network and troubleshoot remotely.

This alert is due to a critical vulnerability (CVE-2021-44515) that could allow an attacker to bypass authentication and execute arbitrary code on an unpatched ManageEngine Desktop Central server. (Desktop Central Cloud is not affected.)


Since there are signs that this vulnerability is being exploited, we strongly recommend that customers update their installations to the latest build as soon as possible.

Zoho’s Exploit Detection Tool can be used to determine if this vulnerability has been exploited.

  • Download the Exploit Detection Tool and extract it to the ManageEngine\UEMS_CentralServer folder or the ManageEngine\DesktopCentral_Server folder.
  • Start a command prompt with administrator privileges and navigate to either “ManageEngine\UEMS_CentralServer” or “ManageEngine\DesktopCentral_Server”.
  • Run the command RCEScan.bat.
  • If your installation is affected, you will see the message “Compromised”. If the installation is not affected, the message “Not Compromised” will be displayed.
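The four steps above are run on one server at a time. The following is an added example, not code from Zoho or the original article, that runs the same check on several Desktop Central servers over WinRM and collects the verdicts; it assumes the Exploit Detection Tool has already been extracted on each host, that the install folders are under C:\Program Files (a default path assumed here), and that the session runs as an administrator.

```powershell
# Added example (not Zoho's own code): run RCEScan.bat on a list of Desktop Central
# servers and collect a per-server verdict. Assumptions: the Exploit Detection Tool is
# already extracted into the install folder on each host, WinRM is enabled, and the
# script runs from an administrator account.

$servers = @('dc-server01', 'dc-server02')   # constructed sample host names

$scan = {
    # Assumed default install paths; adjust if Desktop Central was installed elsewhere.
    $candidates = @(
        'C:\Program Files\ManageEngine\UEMS_CentralServer',
        'C:\Program Files\ManageEngine\DesktopCentral_Server'
    )
    $dir = $candidates |
        Where-Object { Test-Path (Join-Path $_ 'RCEScan.bat') } |
        Select-Object -First 1
    if (-not $dir) {
        return [pscustomobject]@{ Host = $env:COMPUTERNAME; Result = 'ToolNotFound'; Raw = '' }
    }

    # Run the tool from its own folder, as the manual steps do, and capture all output.
    Push-Location $dir
    try {
        $out = (& cmd.exe /c 'RCEScan.bat' 2>&1) -join "`n"
    } finally {
        Pop-Location
    }

    # "Not Compromised" contains the substring "Compromised", so test the negative
    # message first; anything else is reported as Unknown for manual review.
    $verdict = if ($out -match 'Not Compromised') { 'NotCompromised' }
               elseif ($out -match 'Compromised') { 'Compromised' }
               else { 'Unknown' }

    [pscustomobject]@{ Host = $env:COMPUTERNAME; Result = $verdict; Raw = $out }
}

$results = Invoke-Command -ComputerName $servers -ScriptBlock $scan
$results | Select-Object Host, Result | Format-Table -AutoSize
# Keep the raw tool output alongside the verdict for the incident record.
$results | Export-Csv -Path '.\rcescan-results.csv' -NoTypeInformation
```

Any host reporting Compromised or Unknown should be isolated and handled per the recovery steps below rather than simply patched in place.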

If you are affected, we recommend disconnecting the affected system from the network, backing up critical business data, formatting the compromised server, restoring Desktop Central, and updating to the latest build once the installation is complete.

In addition, if any signs of compromise are found, it is recommended to “reset passwords for all services, accounts, Active Directory, etc. accessed from the machine on which the service is installed”, along with the Active Directory administrator password.

A search on Shodan revealed over 3,200 instances of ManageEngine Desktop Central running on various ports and exposed to attacks.

Continuous Targeting of Zoho ManageEngine

This is not the first time that Zoho ManageEngine servers have been the target of attacks, especially Desktop Central instances, which have been hacked since at least July 2020, with access to the compromised networks apparently sold on hacking forums.

According to KELA, the cyber intelligence firm that discovered the attackers behind these offers, they are selling network access to companies around the world, commenting that they have access to other companies in the US, UK, Spain and Brazil.

More recently, between August and October 2021, Zoho ManageEngine products were targeted by nation-state hackers using tactics and tools similar to those used by the China-backed hacking group APT27.

The attackers ran three separate campaigns: zero-day exploits of ADSelfService from early August to mid-September, n-day exploits of ADSelfService from late October, and exploits of ServiceDesk from October 25. The breaches focused on the networks of critical infrastructure organizations around the world.

After these attacks, the FBI and CISA issued an advisory warning that APT actors were exploiting a vulnerability in ManageEngine to drop web shells on the networks of critical infrastructure organizations in the healthcare, financial services, electronics, and IT consulting industries.

The two U.S. federal agencies also said that it is difficult to confirm a successful compromise in these attacks because “attackers have been known to execute cleanup scripts designed to remove traces of the initial compromise point and hide the relationship between the exploit and the web shell.”
