APT Actors Exploiting Zoho ManageEngine ServiceDesk
- Date: December 30th 2021
- TLP: White
- Risk: Critical
- Vulnerability: CVE-2021-44077
The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are working together to identify and mitigate the threat posed by advanced persistent threat (APT) actors exploiting a vulnerability in Zoho ManageEngine ServiceDesk Plus. This was first reported at the beginning of December and continues to be a targeted attack. A ServiceDesk instance that is published to the Internet presents unnecessary risk to an organization; patches should be applied to prevent further exposure. I regularly monitor the latest trends and IOCs and noticed new updates to the original story published by OTX a few days ago.
https://otx.alienvault.com/pulse/61cc4e3dd0b7ff78f984945b
ServiceDesk Service Hardening
- Apply Latest Patches
- Next Generation Firewall (Fortinet / Palo Alto) with IPS Prevention
- Suricata or Snort Sensor
- Web Application Firewall
- Multifactor Authentication
- Remove External Access? Always-on VPN
MALWARE FAMILY: Godzilla JAR
ATT&CK IDs:
- T1566 – Phishing
- T1003 – OS Credential Dumping
- T1027 – Obfuscated Files or Information
- T1047 – Windows Management Instrumentation
- T1070 – Indicator Removal on Host
- T1087 – Account Discovery
- T1136 – Create Account
- T1140 – Deobfuscate/Decode Files or Information
- T1190 – Exploit Public-Facing Application
- T1218 – Signed Binary Proxy Execution
- T1505 – Server Software Component
- T1560 – Archive Collected Data
- T1573 – Encrypted Channel
REFERENCES:
- https://www.cisa.gov/uscert/ncas/alerts/aa21-336a
- https://otx.alienvault.com/pulse/61cc4e3dd0b7ff78f984945b