FBI says hackers are actively exploiting this flaw on ManageEngine Desktop Central servers
The FBI has issued an advisory regarding a vulnerability in the Zoho ManageEngine Desktop Central that is being actively exploited by advanced cyberattackers. According to the warning, the flaw has been exploited to install malware since late October. Zoho released a patch for the vulnerability, tracked as CVE-2021-44515, on December 3. Zoho also confirmed reports that the flaw was being exploited and urged customers to update the software immediately to mitigate further risks of attack. At the time, Zoho did not provide further details of the attacks. However, the FBI has now confirmed that advanced persistent threat actors have been exploiting the zero-day vulnerability that allows for authentication bypass.
Microsoft has attributed some of the earlier exploits to a Chinese-speaking hacker group that was installing web shells on compromised servers. The web shells allowed the threat group to gain persistence on affected servers. The flaws affected IT products used by a range of organizations and service providers. According to the latest FBI warning, the APT actors leveraging the zero-day are distributing a web shell that effectively overrides a legitimate function of Desktop Central. The FBI stated that attackers then downloaded post-exploitation tools, enumerated domain users, conducted network reconnaissance, and attempted lateral movement across networks.