APT attackers are using a security vulnerability in ManageEngine Desktop Central to take over servers, deliver malware and establish network persistence.
Another Zoho ManageEngine zero-day vulnerability is under active attack from an APT group, this time looking to override legitimate functions of servers running ManageEngine Desktop Central and elevate privileges — with an ultimate goal of dropping malware onto organizations’ networks, the FBI has warned.
APT actors have been exploiting the bug, tracked as CVE-2021-44515, since at least late October, the feds revealed in an FBI Flash alert released last week. There is also evidence that it’s being used in an attack chain with two other Zoho bugs that researchers have observed under attack since September, according to the alert.
The latest vulnerability is an authentication bypass in ManageEngine Desktop Central that can allow an attacker to execute arbitrary code on the Desktop Central server, according to a Zoho advisory addressing the issue, published earlier this month.
Indeed, the feds said they observed APT actors doing exactly that. More specifically, researchers observed attackers “compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users