Zoho ManageEngine ServiceDesk Plus Vulnerability Detection and Mitigation

Zoho ManageEngine ServiceDesk Plus Exploit Detection

Security researchers warn that attackers continue to exploit a Zoho ManageEngine ServiceDesk Plus (SDP) vulnerability in the wild. Although a patch was released in Q1 2019, many instances remain unpatched, allowing adversaries to deploy web shell malware and compromise targeted networks.

CVE-2019-8394 Analysis

The vulnerability (CVE-2019-8394) was disclosed on February 18, 2019, and threat actors began exploiting it almost immediately. The bug stems from insufficient sanitization of user-supplied input while the application handles a crafted SMTP request. As a result, an attacker can use the flaw to upload web shell content to the server and achieve code execution. Exploitation requires the attacker to first obtain at least minimal permissions on the network, for example via guest credentials. Once authenticated, the actor can upload a web shell and execute arbitrary system commands, typically issued over HTTPS. The web shell then acts as a backdoor and can serve as a pivot into other networks to expand the scale of the compromise. According to a joint report by the U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD), adversaries commonly use web shell malware to carry out network intrusions and maintain persistent access. Consequently, CVE-2019-8394 has become one of the top exploits used in such attacks.

Detection and Mitigation Actions

The vulnerability affects Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012, so make sure you’ve upgraded to a patched build. You should also consult the joint ASD and NSA advisory for guidance on mitigating the threat posed by web shell malware.

To get the most relevant SOC content for CVE-2019-8394, subscribe to the Threat Detection Marketplace. Check the latest Sigma rule from Sittikorn Sangrattanapitak for proactive detection of the exploit:

https://tdm.socprime.com/tdm/info/Cwy184Jxm6fw/YDVRdnYBmo5uvpkjCPTv/

The rule has translations for the following platforms:

SIEM: QRadar, Splunk, Sumo Logic, LogPoint, RSA NetWitness

NTA: Corelight

MITRE ATT&CK:

Tactics: Persistence

Technique: Server Software Component (T1505)
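The web shell behaviour described above (the SDP application executing operating-system commands on an attacker's behalf) can be caught on the host with a simple parent/child process check, in the spirit of a T1505 detection rule. The following is an added example, not the Sigma rule linked above or any SOC Prime or Zoho code; it assumes ServiceDesk Plus runs as a Java process under an install path containing "ManageEngine" or "ServiceDesk", and the Sysmon-style events are constructed for illustration.

```python
from typing import Dict, Iterable, List

# Assumptions (not stated in the post): ServiceDesk Plus runs as a Java process whose
# install path contains "ManageEngine" or "ServiceDesk", and a web shell running OS
# commands surfaces as that Java process spawning a command interpreter.
SDP_PATH_MARKERS = ("manageengine", "servicedesk")
JAVA_IMAGES = {"java.exe", "javaw.exe", "java"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}

# Constructed Sysmon-style process-creation events, for illustration only.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},                      # web shell spawn (Windows)
    {"ParentImage": "/opt/ManageEngine/ServiceDesk/jre/bin/java",
     "Image": "/bin/sh", "CommandLine": "sh -c id"},            # web shell spawn (Linux)
    {"ParentImage": r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "Image": r"C:\ManageEngine\ServiceDesk\jre\bin\java.exe",
     "CommandLine": "java -jar helper.jar"},                    # benign: Java child process
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                                 # benign: user-opened shell
]


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_sdp_java(image: str) -> bool:
    """True when the image is a Java binary living under an SDP install path."""
    return basename(image) in JAVA_IMAGES and any(
        marker in image.lower() for marker in SDP_PATH_MARKERS)


def flag_web_shell_spawns(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return events in which the SDP Java process spawned a command interpreter."""
    return [ev for ev in events
            if is_sdp_java(ev.get("ParentImage", ""))
            and basename(ev.get("Image", "")) in SHELL_IMAGES]


if __name__ == "__main__":
    for hit in flag_web_shell_spawns(SAMPLE_EVENTS):
        print("ALERT T1505 web shell command execution:", hit["CommandLine"])
```

Tune `SDP_PATH_MARKERS` to the real install path and baseline legitimate child processes of the SDP service before deploying the rule, since some integrations may legitimately launch scripts.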

SOC Prime Threat Detection Marketplace contains over 81,000 SOC content items applicable to the majority of SIEM and EDR solutions. Get a free subscription to Threat Detection Marketplace and discover the most relevant curated content tagged with particular CVEs, TTPs used by APT groups, and multiple MITRE ATT&CK® parameters. Enjoy coding and want to make the cyber community safer? Don’t hesitate to join our Threat Bounty Program and help us expand the horizons of cyber threat detection.