On December 6, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) updated a previously issued Alert entitled APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus. According to the Alert, the newly-identified vulnerability is being actively exploited by advanced persistent threat actors and is considered critical.
The vulnerability allows threat actors to gain access to the ManageEngine ServiceDesk Plus product and to “upload executable files and place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”
Even though Zoho issued a patch and security advisory in September 2021 for the vulnerability, it released another advisory on November 22, 2021, urging its customers to apply the patch immediately.
For more information on the indicators of compromise, the Alert can be accessed here.