The In-house Zoho ServiceDesk Exploit Used to Drop Webshells

You may recall that we reported a while ago that state-backed advanced persistent threat (APT) groups had been actively exploiting a significant vulnerability in a Zoho single sign-on and password management product since early August 2021.

What Happened?

As thoroughly reported by BleepingComputer, there is no publicly available proof-of-concept exploit for CVE-2021-44077, implying that the APT group using it created the attack code and is using it solely for the time being.

The actor has been seen leveraging an unauthenticated remote code execution vulnerability in Zoho ServiceDesk Plus versions 11305 and earlier, which is now listed as CVE-2021-44077.

On September 16, 2021, Zoho patched the RCE weakness, and on November 22, 2021, the company issued a security advisory warning customers of active exploitation. Many users, however, were slow to upgrade and so remained exposed to attack.

According to a report from Palo Alto Networks’ Unit42, there is no publicly available proof-of-concept exploit for CVE-2021-44077, implying that the APT group using it created the attack code and is using it solely for the time being.

Over the course of three months, a persistent and determined APT actor has launched multiple campaigns which have now resulted in compromises.

Read More: https://heimdalsecurity.com/blog/the-in-house-zoho-servicedesk-exploit-used-to-drop-webshells/