Rewterz Threat Alert – Donot APT Group – Active IOCs
December 21, 2021Rewterz Threat Alert – PatchWork APT Groups Targeting Pakistani Government Officials – Active Campaign
December 21, 2021Severity
High
Analysis Summary
The CVE-2021-44515 flaw is being exploited since at least October. The security flaw exists in the ManageEngine Desktop Central software, an authentication bypass allows an attacker to execute arbitrary codes on the system in the Desktop Central MSP server.
“Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers.” reads the flash alert published by the FBI. “The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.”
Impact
- Code Execution
- Access Gain
Indicators of Compromise
MD5
- 9809bdf6e9981fbc3ad515b731124342
- 13295e01d1072fe7106291f244f0a39b
SHA-256
- febf7f32fed44a4a58a2e0ea402ea181a0e1a519ea41fab1d4ccfb097c8e538c
- 18ebe6045bedc9ed7cff6e6aae4326b97699eb5bc71f8a514b9e13857edb6a9f
SHA-1
- 7e667d7b1563b31b22c1ab21d92af07b005fdc44
- 27686413fa9c915a1a22ccf52b633898d246587e
Remediation
Visit the website for patches and further information here:
https://www.manageengine.com/products/desktop-central/cve-2021-44515-authentication-bypass-filter-configuration.html
For Enterprise Customers:
For builds 10.1.2127.17 and below, upgrade to 10.1.2127.18
For builds 10.1.2128.0 to 10.1.2137.2, upgrade to 10.1.2137.3
For MSP Customers:
For builds 10.1.2127.17 and below, upgrade to 10.1.2127.18
For builds 10.1.2128.0 to 10.1.2137.2, upgrade to 10.1.2137.3