EXECUTIVE SUMMARY:

Zero-day threats mean that security practitioners need to stay current and continually obtain patches for emerging issues. Earlier this month, the Log4j vulnerability caught organizations off-guard. More recently, the US Federal Bureau of Investigation (FBI) released information concerning a Zoho zero-day exploit.

What to know

The FBI’s flash alert indicates that cyber criminals are actively exploiting a Zoho zero-day vulnerability. Data suggests that more than 2,900 instances of ManageEngine Desktop Central appear vulnerable to potential attacks.

The hackers’ activities have persisted since late October. The vulnerability resides in Zoho’s ManageEngine Desktop Central. The sophistication of the advanced persistent threat activity suggests that the threat groups had been planning to use the vulnerability for quite some time.

Why it matters

Advanced persistent threat actors who weaponize this exploit could take over servers, download post-exploitation tools, conduct network reconnaissance, deliver malware, or simply linger in systems for months on end. Evidence also suggests that this bug advances an attack chain that relies on two additional Zoho bugs. 

Technical details

Advanced persistent threat actors have compromised Desktop Central servers, dropping a webshell that overrides a legitimate behavior within Desktop Central. In turn, criminals have been able to download post-exploitation tools, enumerate domain users and groups, conduct network espionage, attempt lateral movement, and dump credentials. 

Patching

Zoho has since released a patch for the flaw. “As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible,” stated Zoho.

Customers wondering whether they have been victimized can use the Exploit Detection Tool provided by Zoho. At-risk organizations can also review the FBI’s Flash Alert to evaluate indicators of compromise.
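The post-exploitation activity described under Technical details starts with a webshell dropped onto the Desktop Central server, and the Flash Alert gives defenders indicators to look for. The following triage script is an added example and is not Zoho’s Exploit Detection Tool or the FBI’s indicator list: it parses constructed web-server access-log lines in Common Log Format, matches them against a placeholder IoC list, and flags POST requests to script files that are not on an allowlist of known endpoints, which is what a freshly dropped webshell typically looks like in the logs. The endpoint allowlist, the indicator values and the log lines are all constructed for illustration; real values come from the vendor advisory and the flash alert.

```python
"""Triage helper: flag likely webshell activity in web-server access logs.

Added example (not vendor or FBI tooling). The endpoint allowlist, the IoC
values and the sample log lines are constructed placeholders.
"""
import re
from collections import Counter

# Constructed allowlist of legitimate script endpoints (hypothetical paths,
# not Desktop Central's real routes). Anything else ending in a script
# extension is treated as unknown.
KNOWN_ENDPOINTS = {"/login", "/api/status", "/api/inventory"}

# Constructed placeholders standing in for indicators published in an alert.
IOC_PATHS = {"/webshell-placeholder.jsp"}
IOC_IPS = {"203.0.113.45"}  # TEST-NET-3 address, not a real indicator

SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".aspx", ".php")

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string so indicator matching works on the path alone.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def classify(rec):
    """Return the list of reasons a parsed request looks like webshell activity."""
    reasons = []
    if rec["ip"] in IOC_IPS:
        reasons.append("ioc_ip")
    if rec["path"] in IOC_PATHS:
        reasons.append("ioc_path")
    is_script = rec["path"].lower().endswith(SCRIPT_EXTENSIONS)
    if is_script and rec["path"] not in KNOWN_ENDPOINTS:
        if rec["method"] == "POST":
            # A POST to a script the application does not ship is the classic
            # footprint of a dropped webshell receiving commands.
            reasons.append("post_to_unknown_script")
        elif rec["status"] == "200":
            # An unknown script that actually exists (200, not 404) also merits a look.
            reasons.append("unknown_script_served")
    return reasons


def triage(lines):
    """Run classify() over every parsable line.

    Returns (findings, per_ip) where findings is a list of (ip, path, reasons)
    tuples and per_ip counts suspicious requests per source address.
    """
    findings = []
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append((rec["ip"], rec["path"], reasons))
            per_ip[rec["ip"]] += 1
    return findings, per_ip


# Constructed sample log: two benign requests, one benign 404 probe for an
# unknown script, and two requests that should be flagged.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Dec/2021:10:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Dec/2021:10:00:05 +0000] "POST /api/inventory HTTP/1.1" 200 1024',
    '198.51.100.7 - - [21/Dec/2021:10:01:40 +0000] "GET /help/about.jsp HTTP/1.1" 404 0',
    '203.0.113.45 - - [21/Dec/2021:10:02:11 +0000] "POST /webshell-placeholder.jsp HTTP/1.1" 200 88',
    '203.0.113.45 - - [21/Dec/2021:10:02:30 +0000] "POST /uploads/update.jsp HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    hits, by_ip = triage(SAMPLE_LOG)
    for ip, path, reasons in hits:
        print(f"{ip} {path} -> {', '.join(reasons)}")
    print("suspicious requests per source:", dict(by_ip))
```

On a real host the allowlist would be built from the application’s actual routes and the IoC sets loaded from the advisory; the per-source counter is what turns individual hits into a list of addresses to pivot on in firewall and authentication logs when checking for the lateral movement and credential dumping described above.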

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-44515 to its Known Exploited Vulnerabilities (KEV) Catalog. In the US, mandates have gone out to federal agencies requiring patches by December 25th.

Past attacks: Zoho flaws

In September, another Zoho flaw was flagged by CISA. It resided within the ADSelfService Plus software of Zoho ManageEngine. Ultimately, a patch was released. However, if exploited, a hacker could have achieved a complete system takeover.

Reports indicate that threat actors attempted to conduct related attacks within critical infrastructure organizations worldwide.

Long-term strategy

The year 2021 has proven record-breaking when it comes to zero-day threats, with more than 65 in use worldwide. If that number sounds small, recall that a single zero-day threat can affect hundreds or thousands of organizations.

Identifying and mitigating zero-day threats can prove challenging. The following measures help:

  • Implement evasion-resistant technology that maximizes zero-day protection without compromising business productivity.
  • Premium threat intelligence tools can provide information about the speed and volume of modern attack campaigns, helping your organization block attacks before they can succeed.
  • Threat emulation and extraction tools can detect malware ahead of system delivery or execution.
  • Tools that recognize past malware attack types and that can leverage machine learning to identify new zero-day threats can also help prevent attacks.
  • Switching from stand-alone security solutions to comprehensive, single-pane-of-glass, consolidated security platforms provides security personnel with clear visibility into critical alerts and related management mechanisms.

Unified, automated responses across an organization’s infrastructure can significantly improve outcomes related to zero-day attack campaigns.

For more information about protecting your organization from zero-day threats, see this Endpoint Security Buyer’s Guide.

Lastly, to learn more about managing cyber risk in a rapidly changing world, please join us at the premier cyber security event of the year – CPX 360 2022. Register here.