A critical vulnerability in ManageEngine’s Desktop Central software is under active exploitation, according to the FBI.
The law enforcement agency said in a flash alert Monday that malware operators are exploiting an authentication bypass bug in the IT management platform to first compromise Desktop Central itself, and then download other remote access tools and malware with the eventual goal of moving laterally through the network.
The FBI advised administrators to update their Desktop Central server installations to patch the flaw. Though the bug was disclosed and patched on Dec. 3, the FBI believes it was exploited as a zero-day vulnerability as far back as October.
As its name suggests, Desktop Central is ManageEngine’s platform for interacting with endpoint systems. It allows administrators at large enterprises and managed service providers to remotely manage user PCs. ManageEngine is a division of Indian technology giant Zoho Corp.
According to the FBI document and an advisory from ManageEngine, the flaw is tracked as CVE-2021-44515 and classified as an authentication bypass within Desktop Central API’s URL handling. While normally such bugs are not considered high security risks, in the context of an endpoint management server, this flaw poses a massive threat and has received a critical severity rating.
“An authentication bypass vulnerability in ManageEngine Desktop Central was identified and the vulnerability can allow an adversary to bypass authentication and execute arbitrary code in the Desktop Central server,” ManageEngine explained. “As we are noticing indications of exploitation of this vulnerability, we strongly advise customers to update their installations to the latest build as soon as possible.”
In the threat activity the FBI observed, the unspecified advanced persistent threat (APT) actors used the bug to install a web shell on the server. The APT actors then used the shell to infect the server with other pieces of malware and remote access tools.
“Upon execution, the dropper creates an instance of svchost and injects code with RAT [remote access Trojan]-like functionality that initiates a connection to a command and control server,” the FBI said in its notice.
“Follow-on intrusion activity is then conducted through the RAT, including attempted lateral movement to domain controllers and credential dumping techniques using Mimikatz, comsvcs.dll LSASS process memory dumping, and a WDigest downgrade attack with subsequent LSASS dumping through pwdump.”
Administrators concerned that their networks might have been infiltrated through the bug can use a special detection tool from ManageEngine to check for signs of exploitation. Otherwise, updating the server installation of Desktop Central to the latest build will patch the flaw.
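The follow-on activity the FBI describes leaves recognizable traces in endpoint telemetry. The sketch below is an added example, not code from the FBI alert or ManageEngine: it flags three of the named behaviors (an svchost instance with an unexpected parent, comsvcs.dll LSASS dumping, and the WDigest downgrade) in Sysmon-style events. The events are constructed, and the expected svchost parent list and the function names are assumptions to adapt to your environment.

```python
import re

WDIGEST_KEY = r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
SVCHOST_PARENTS = {"services.exe"}  # assumption: extend from your own baseline

# Constructed Sysmon-style events (ID 1 = process creation, 13 = registry value
# set). Paths and placeholders are illustrative, not taken from the FBI alert.
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"id": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\Public\update.exe", "CommandLine": "svchost.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump PID OUTFILE full"},
    {"id": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WDIGEST_KEY, "Details": "DWORD (0x00000001)"},
    {"id": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WDIGEST_KEY, "Details": "DWORD (0x00000000)"},
]

def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return the names of the rules a single event matches."""
    hits = []
    if event.get("id") == 1:
        cmd = event.get("CommandLine", "").lower()
        # Legitimate svchost.exe is started by services.exe, not by a dropper.
        if (_name(event.get("Image", "")) == "svchost.exe"
                and _name(event.get("ParentImage", "")) not in SVCHOST_PARENTS):
            hits.append("svchost_unusual_parent")
        # comsvcs.dll's MiniDump export, by name or by ordinal 24.
        if "comsvcs" in cmd and re.search(r"minidump|#\+?0*24\b", cmd):
            hits.append("comsvcs_lsass_dump")
    elif event.get("id") == 13:
        target = event.get("TargetObject", "").lower()
        # UseLogonCredential = 1 re-enables cleartext credential caching.
        if (target.endswith(r"\wdigest\uselogoncredential")
                and re.search(r"0x0*1\b", event.get("Details", "").lower())):
            hits.append("wdigest_downgrade")
    return hits

def hunt(events):
    """Return (index, rule names) for every event that matched a rule."""
    return [(i, h) for i, e in enumerate(events) if (h := detect(e))]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

A hit on any of these rules on or near a Desktop Central server is a lead for investigation rather than proof of compromise; the svchost rule in particular needs tuning against normal parent processes.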