A threat actor has launched an attack campaign against organizations running ManageEngine ServiceDesk Plus help desk and asset management software, according to Palo Alto Networks. The targeted software is popular both with MSPs and corporate IT departments.
There are over 4,700 internet-facing instances of ServiceDesk Plus globally, Palo Alto Networks indicated. Approximately 2,900 of these instances may be vulnerable to the threat actor campaign.
A Closer Look at the ServiceDesk Plus Attack Campaign
Palo Alto Networks in November 2021 reported a threat actor was targeting ManageEngine ADSelfService Plus, a self-service password management and single sign-on (SSO) solution. Following its initial report, Palo Alto Networks found that this threat actor had expanded its focus to ServiceDesk Plus and other vulnerable software.
The threat actor attacked several organizations running ServiceDesk Plus between Oct. 25 and Nov. 8, 2021, Palo Alto Networks noted. This actor exploited a ServiceDesk Plus vulnerability to upload a dropper to victims' systems. The dropper would deploy a Godzilla webshell and provide the actor with access to compromised systems.
At least 13 organizations across the technology, energy, healthcare, education, finance and defense industries have been compromised due to the threat actor, Palo Alto Networks stated. At least two of these organizations were compromised via ServiceDesk Plus.
On Nov. 22, 2021, Zoho, which owns ManageEngine, released an advisory about the security vulnerability. In the advisory, Zoho indicated that the vulnerability affects ServiceDesk Plus builds 11305 and below. CISA and the FBI published additional details in a joint alert.
To date, Zoho has been unable to identify any publicly available proof of concept code for the ServiceDesk Plus vulnerability, the company said. However, Zoho confirmed a threat actor has determined how to exploit unpatched versions of ServiceDesk Plus.
How to Protect Against the ServiceDesk Plus Attack Campaign
Palo Alto Networks recommended that ServiceDesk Plus users apply the latest patches and upgrades (per Zoho's advisory, any build at or below 11305 is affected). It also urged these users to review all files created in ServiceDesk Plus directories since early October 2021, since the campaign's dropper and webshell arrive as new files on disk.
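The file review above is a triage step an admin would script rather than do by hand. The following is an added example, not code from Palo Alto Networks, Zoho or the advisory: it walks one or more ServiceDesk Plus directories (paths are assumptions; pass your own install root) and lists files modified on or after an early-October 2021 cut-off, flagging extensions that a Java webshell or dropper would plausibly use. The suffix list is an assumption for illustration, not indicators from the campaign. It also carries the one check the advisory does support: whether a build number is at or below 11305.

```python
import os
import sys
from datetime import datetime, timezone
from pathlib import Path

# Cut-off matching "early October 2021" (assumption; set this to your own earliest exposure date).
SINCE = datetime(2021, 10, 1, tzinfo=timezone.utc)

# Extensions that are unusual for a newly written file inside a ServiceDesk Plus install and
# match how a dropper or Java webshell would typically land. Assumption for illustration,
# not an indicator list from the advisory or from Palo Alto Networks.
SUSPICIOUS_SUFFIXES = {".jsp", ".jspx", ".war", ".class", ".jar",
                       ".exe", ".dll", ".bat", ".ps1", ".sh"}

# Last affected build per Zoho's advisory (builds 11305 and below).
LAST_AFFECTED_BUILD = 11305


def is_vulnerable_build(build):
    """True if the ServiceDesk Plus build number is within the affected range."""
    return int(build) <= LAST_AFFECTED_BUILD


def files_since(roots, since=SINCE, suspicious=SUSPICIOUS_SUFFIXES):
    """Return [(path, modified_utc, flagged)] for files under `roots` modified on/after `since`.

    Creation time is not portable (on Linux st_ctime is inode-change time, not birth time),
    so this keys on st_mtime. An attacker can timestomp mtime, so treat the output as a
    triage list to review, not as proof that nothing else was written.
    """
    cutoff = since.timestamp()
    hits = []
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = Path(dirpath, name)
                try:
                    st = path.stat()
                except OSError:
                    continue  # unreadable or vanished between listing and stat
                if st.st_mtime >= cutoff:
                    modified = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                    flagged = path.suffix.lower() in suspicious
                    hits.append((str(path), modified, flagged))
    hits.sort(key=lambda h: h[1])  # oldest first, so the initial drop shows up at the top
    return hits


def report(roots):
    """Print the triage list, flagged entries first-class; returns the number of flagged files."""
    hits = files_since(roots)
    flagged = 0
    for path, modified, is_sus in hits:
        marker = "!!" if is_sus else "  "
        flagged += is_sus
        print(f"{marker} {modified:%Y-%m-%d %H:%M:%S}Z  {path}")
    print(f"{len(hits)} files since {SINCE:%Y-%m-%d}, {flagged} with suspicious extensions")
    return flagged


if __name__ == "__main__":
    # Example install roots are assumptions; pass your real ones on the command line.
    roots = sys.argv[1:] or [r"C:\ManageEngine\ServiceDesk", "/opt/ManageEngine/ServiceDesk"]
    report([r for r in roots if os.path.isdir(r)])
```

Run it against the install root and, if they live elsewhere, the web and custom-script directories; anything flagged that is not part of a known upgrade should be hashed and compared against the vendor's package contents before being treated as clean.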
Furthermore, Palo Alto Networks has shared its ServiceDesk Plus attack campaign findings with other Cyber Threat Alliance (CTA) members. It will continue to work with CTA members to explore ways to help organizations guard against the ServiceDesk Plus campaign and other cyber threats.