Rewterz Threat Advisory – Zoho Zero-Day CVE-2021-44515 Exploited by Nation-State Actors

Severity

High

Analysis Summary

The CVE-2021-44515 flaw is being exploited since at least October. The security flaw exists in the ManageEngine Desktop Central software, an authentication bypass allows an attacker to execute arbitrary codes on the system in the Desktop Central MSP server.

“Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers.” reads the flash alert published by the FBI. “The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.”

Impact

• Code Execution
• Access Gain

Indicators of Compromise

MD5

• 9809bdf6e9981fbc3ad515b731124342
• 13295e01d1072fe7106291f244f0a39b

SHA-256

• febf7f32fed44a4a58a2e0ea402ea181a0e1a519ea41fab1d4ccfb097c8e538c
• 18ebe6045bedc9ed7cff6e6aae4326b97699eb5bc71f8a514b9e13857edb6a9f

SHA-1

• 7e667d7b1563b31b22c1ab21d92af07b005fdc44
• 27686413fa9c915a1a22ccf52b633898d246587e

Remediation

Visit the website for patches and further information here:
https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html
For Enterprise Customers:
For builds 10.1.2127.17 and below, upgrade to 10.1.2127.18
For builds 10.1.2128.0 to 10.1.2137.2, upgrade to 10.1.2137.3
For MSP Customers:
For builds 10.1.2127.17 and below, upgrade to 10.1.2127.18
For builds 10.1.2128.0 to 10.1.2137.2, upgrade to 10.1.2137.3