APT Actors Exploiting Zoho ManageEngine ServiceDesk

  • Date: December 30th 2021
  • TLP:  White
  • Risk: Critical
  • Vulnerability: CVE-2021-44077

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are working together to identify and mitigate the threat posed by advanced persistent threat (APT) actors exploiting a vulnerability in Zoho ManageEngine ServiceDesk Plus (CVE-2021-44077). The activity was first reported at the beginning of December and continues as a targeted campaign. A ServiceDesk instance published to the internet presents unnecessary risk to an organization, and patches should be applied to prevent further exposure. I regularly monitor the latest trends and IOCs and noticed new updates to the original story from OTX a few days ago.


ServiceDesk Service Hardening

  • Apply Latest Patches
  • Next Generation Firewall (Fortinet / Palo Alto) with IPS Prevention
  • Suricata or Snort Sensor
  • Web Application Firewall
  • Multifactor Authentication
  • Remove External Access? Always-on VPN


MITRE ATT&CK Techniques

  • T1566 – Phishing
  • T1003 – OS Credential Dumping
  • T1027 – Obfuscated Files or Information
  • T1047 – Windows Management Instrumentation
  • T1070 – Indicator Removal on Host
  • T1087 – Account Discovery
  • T1136 – Create Account
  • T1140 – Deobfuscate/Decode Files or Information
  • T1190 – Exploit Public-Facing Application
  • T1218 – Signed Binary Proxy Execution
  • T1505 – Server Software Component
  • T1560 – Archive Collected Data
  • T1573 – Encrypted Channel
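The hardening list above and the T1190/T1505 techniques share one defensive follow-up: knowing which server-side files changed on a public-facing ServiceDesk host. The script below is an added example written for this post, not code from the advisory, CISA or Zoho; it baselines a web root by hash, diffs it later, and flags added or modified files with extensions a Java application server would execute. The web root path, extension set and sample files are constructed assumptions.

```python
"""Added example: file-integrity diff for a Java web root to surface dropped or
altered server-side components (ATT&CK T1505) after exploitation of a
public-facing application (T1190). All paths and sample content are constructed."""
import hashlib
import os
import tempfile

# Assumption: extensions a Tomcat-style app server executes; a new file with one
# of these outside a patch window warrants investigation.
SERVER_EXEC_EXT = {".jsp", ".jspx", ".class", ".jar", ".war"}


def hash_tree(root):
    """Return {relative_path: sha256hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare two hash maps and report added, modified and removed paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "removed": removed}


def suspicious(changes):
    """Added or modified files the app server would execute server-side."""
    return sorted(p for p in changes["added"] + changes["modified"]
                  if os.path.splitext(p)[1].lower() in SERVER_EXEC_EXT)


def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline a web root, then simulate a dropped JSP,
    a replaced library and an edited static page."""
    root = tempfile.mkdtemp(prefix="webroot_")
    write(root, "lib/app.jar", b"original jar bytes")
    write(root, "index.html", b"<html>ok</html>")
    before = hash_tree(root)
    write(root, "dropped.jsp", b"constructed placeholder content")
    write(root, "lib/app.jar", b"tampered jar bytes")
    write(root, "index.html", b"<html>changed</html>")
    changes = diff_baseline(before, hash_tree(root))
    return changes, suspicious(changes)


if __name__ == "__main__":
    print(demo())
```

Run the baseline immediately after patching and store the hash map off-host, so a later diff cannot be hidden by an actor removing indicators on the host (T1070).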