Detecting CVE-2021-44515: Zero-Day in Zoho ManageEngine Desktop Central
Stay alert! Threat actors are actively leveraging the new zero-day vulnerability (CVE-2021-44515) in Zoho ManageEngine Desktop Central products to attack businesses worldwide. The flaw is a critical authentication bypass that lets attackers gain unauthorized access to vulnerable servers and execute arbitrary code on them.
CVE-2021-44515 Description
Zoho ManageEngine Desktop Central is a widely used endpoint management utility that administrators rely on for automated software deployment and remote troubleshooting across the whole network.
On December 3, 2021, Zoho announced the critical zero-day, released a patch, and provided mitigation steps. According to Zoho, the flaw affects ManageEngine Desktop Central and Desktop Central MSP: it allows adversaries to gain unauthorized access to the installation and send a specially crafted request that results in remote code execution on the Desktop Central MSP servers.
A quick Shodan search shows more than 3,200 ManageEngine Desktop Central installations that are vulnerable to attack. Since details of the flaw have been made public, hackers are actively exploiting the Zoho ManageEngine bug in the wild.
CVE-2021-44515 is the third ManageEngine vulnerability in a span of four months to be actively exploited by adversaries. It rounds out a killer trio with the ADSelfService zero-day (CVE-2021-40539) and a critical ServiceDesk flaw (CVE-2021-44077), both leveraged by multiple state-sponsored actors for intrusions throughout August-October 2021. Moreover, last week CISA issued an alert for CVE-2021-44077, warning that APT actors weaponized the bug to drop web shells and carry out a broad range of post-exploitation routines in the course of the “TiltedTemple” campaign.
CVE-2021-44515 Detection and Mitigation
Zoho has issued the CVE-2021-44515 Security Advisory, which introduces an Exploit Detection Tool that lets organizations identify whether their installation has been affected by the authentication bypass vulnerability. The Security Advisory also covers an incident response plan, followed by recommendations on how to minimize the risks once an installation has been affected.
To help organizations better protect their infrastructure, the SOC Prime Team has recently developed a dedicated Sigma-based rule that allows security professionals to detect attempts to exploit this notorious zero-day vulnerability in Zoho ManageEngine products. Security teams can download the rule from SOC Prime’s Detection as Code platform:
Possible Zoho Desktop Central [CVE-2021-44515] Exploitation Patterns (via file_event)
This detection has translations for the following SIEM, EDR & XDR platforms: Azure Sentinel, Splunk, Chronicle Security, ELK Stack, Sumo Logic, ArcSight, QRadar, Humio, FireEye, Microsoft Defender ATP, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix, and Open Distro.
The rule is aligned with the latest MITRE ATT&CK® framework v10, addressing the Initial Access tactic with Exploit Public-Facing Application (T1190) as the main technique.
Security professionals can also identify malicious activity associated with the ADSelfService zero-day exploit (CVE-2021-40539) by downloading a batch of curated content available in the Threat Detection Marketplace repository powered by SOC Prime’s platform.
Join SOC Prime’s Detection as Code platform for free to search for the latest threats in your SIEM or XDR environment, improve your threat coverage by reaching the most relevant content aligned with the MITRE ATT&CK matrix, and overall, boost the organization’s cyber defense capabilities. Are you a content author? Tap into the power of the world’s largest cyber defense community by joining the SOC Prime Threat Bounty program, where researchers can monetize their own detection content.