Hackers use Zoho ServiceDesk internal exploit to delete webshells

An Advanced Persistent Threat Group (APT) that exploited a flaw in Zoho ManageEngine ADSelfService Plus software rotated to take advantage of a different vulnerability in another Zoho product.

The actor was seen exploiting an unauthenticated remote code execution issue in Zoho ServiceDesk Plus versions 11305 and earlier, currently tracked as CVE-2021-44077.

Timeline of the campaign linked to the same actor
Timeline of the campaign linked to the same actor
Source: Unit42

Zoho fixed the RCE flaw on September 16, 2021, and on November 22, 2021, the company issued a security advisory to alert customers to active exploitation. However, users took a long time to update and remained vulnerable to attacks.

According to a report from Unit42 of Palo Alto Networks, there is no public proof of concept exploit for CVE-2021-44077, which suggests that the APT group using it developed the code for CVE-2021-44077. exploit itself and uses it exclusively for the time being.

Exploit the RCE to remove the ‘Godzilla’ webshell

The actors exploit the flaw by sending two requests to the REST API, one to download an executable (msiexec.exe) and one to launch the payload.

This process is performed remotely and does not require authentication to the vulnerable ServiceDesk server.

When ServiceDesk runs the payload, a mutex is created and a hard-coded Java module is written to “../lib/tomcat/tomcat-postgres.jar”, a variant of the “Godzilla” webshell that is loaded into ServiceDesk after you have killed ‘java .exe’ and restart the process.

According to the researchers, the actor used the same Webshell secret key seen in the ADSelfService Plus campaign, but this time it installs as an Apache Tomcat Java servlet filter.

Actor's Tomcat filter
Actor’s Tomcat filter
Source: Unit42

“Having this Godzilla Webshell installed as a filter means there is no specific URL the actor will send their requests to when interacting with the Webshell and the Godzilla Webshell filter can also bypass it. a security filter present in ServiceDesk Plus to stop access to webshell files “- reads the analysis of Unit42

“It appears the threat actor used publicly available code called tomcat-backdoor to create the filter and then added a modified Godzilla webshell to it,” the researchers note.

Palo Alto Networks has seen evidence that may link these attacks to Chinese group APT27 (Emissary Panda), which has previously deployed Godzilla against high profile targets, but there is insufficient clue for clear attribution.

Organizations are strongly recommended to patch their Zoho software as soon as possible and review all files created in ServiceDesk Plus directories since early October 2021.

Countries where vulnerable software was found
Countries where vulnerable software was found
Source: Unit42

Currently, network scans reveal more than 600 vulnerable systems in the United States and another 2,100 in India, Russia, Britain, Turkey and others.

Many of these vulnerable deployments are found in government systems, universities, healthcare organizations, and other critical entities.

Source link

Steven L. Nielsen