Zoho Zero-Day Exploited by State Threat Actors Since October, FBI Says

According to a flash alert published by the Federal Bureau of Investigation (FBI) on December 17, state-backed threat groups have been actively exploiting a Zoho zero-day since October. The vulnerability is located in Zoho's ManageEngine Desktop Central, and it appears to have been of interest to Advanced Persistent Threat (APT) groups for some time.

Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers. The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
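The alert above describes a post-exploitation chain (webshell, domain user and group enumeration, network reconnaissance, lateral movement attempts, credential dumping) rather than the exploit itself. One way to hunt for that chain in endpoint process-creation telemetry is to look for shells and discovery commands whose parent is the Desktop Central web application process. The following Python script is an added example, not code from the article or from the FBI alert. It assumes the Desktop Central web tier runs as java.exe (an assumption about the service process, not something the alert states), uses a small set of illustrative command-line patterns, and runs over constructed sample events rather than real telemetry.

```python
import re

# Assumption (not from the FBI alert): the Desktop Central web tier runs as a
# Java service, so commands issued through a webshell show up as children of java.exe.
WEB_APP_PARENTS = {"java.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# Behaviours named in the alert, mapped to illustrative command-line patterns.
# These are examples of what to look for, not a complete detection rule set.
POST_EXPLOIT_PATTERNS = [
    (re.compile(r"\bnet\s+(?:user|group)\b.*/domain", re.I), "domain user/group enumeration"),
    (re.compile(r"\bnltest\b|\bnet\s+view\b|\barp\s+-a\b|\bipconfig\b", re.I), "network reconnaissance"),
    (re.compile(r"\bcomsvcs\.dll\b.*\bminidump\b|\bprocdump\b.*\blsass\b", re.I), "credential dumping"),
    (re.compile(r"\bpsexec\b|\bwmic\b.*/node:", re.I), "lateral movement attempt"),
]

# Constructed sample process-creation events (not real logs): parent image,
# child image, and the child's full command line.
SAMPLE_EVENTS = [
    {"parent": "java.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c net group "Domain Admins" /domain'},
    {"parent": "java.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c net user /domain"},
    {"parent": "java.exe", "image": "rundll32.exe",
     "cmdline": "rundll32.exe comsvcs.dll, MiniDump 652 C:\\Windows\\Temp\\lsass.dmp full"},
    {"parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


def analyse_event(event):
    """Return the list of reasons this event is suspicious (empty if none).

    Only children of the web application process are considered, because the
    point is to tie post-exploitation activity back to a webshell on the server.
    """
    reasons = []
    if event["parent"].lower() not in WEB_APP_PARENTS:
        return reasons
    if event["image"].lower() in SHELL_IMAGES:
        reasons.append("shell spawned by web application process")
    for pattern, label in POST_EXPLOIT_PATTERNS:
        if pattern.search(event["cmdline"]):
            reasons.append(label)
    return reasons


def hunt(events):
    """Return [(index, reasons)] for every event with at least one reason."""
    findings = []
    for i, event in enumerate(events):
        reasons = analyse_event(event)
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{idx}] {ev['parent']} -> {ev['cmdline']}: {', '.join(reasons)}")
```

Note that the `net user /domain` event with `explorer.exe` as parent is deliberately not flagged: the same command from an interactive session is routine administration, while the same command spawned by the web tier is not. A real rule would also cover the web server's other child processes (for example the scripting engines) and feed the parent-process name from the actual service configuration rather than a hard-coded assumption.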


About the Zoho Zero-Day

As mentioned earlier, the Zoho zero-day has been assigned CVE-2021-44515. It is an authentication bypass flaw that allows threat actors to achieve arbitrary code execution on Zoho's Desktop Central servers. Zoho released a patch at the beginning of December.

Shodan data indicates that over 2,900 ManageEngine Desktop Central instances are exposed to the internet and potentially vulnerable to attack.

After the patch was released, the company also advised customers to deploy

Read More: https://heimdalsecurity.com/blog/zoho-zero-day-exploited-by-state-threat-actors-since-october-according-to-fbi/