https://www.techtosee.com/hackers-use-zoho-servicedesk-internal-exploit-to-delete-webshells/
Submission: On December 13 via api from US — Scanned from DE
Hackers use Zoho ServiceDesk internal exploit to delete webshells

December 2, 2021

An Advanced Persistent Threat (APT) group that previously exploited a flaw in Zoho ManageEngine ADSelfService Plus has pivoted to a different vulnerability in another Zoho product. The actor was seen exploiting an unauthenticated remote code execution issue in Zoho ServiceDesk Plus versions 11305 and earlier, now tracked as CVE-2021-44077.

[Figure: Timeline of the campaign linked to the same actor. Source: Unit42]

Zoho fixed the RCE flaw on September 16, 2021, and on November 22, 2021 the company released a security notice alerting customers to active exploitation. Many users, however, were slow to update and remained exposed.

According to a report from Unit42 of Palo Alto Networks, there is no public proof-of-concept exploit for CVE-2021-44077, which suggests that the APT group developed the exploit code itself and is using it exclusively for the time being.

EXPLOIT THE RCE TO REMOVE THE ‘GODZILLA’ WEBSHELL

The actors exploit the flaw by sending two requests to the REST API: one to download an executable (msiexec.exe) and one to launch the payload. This is done remotely and requires no authentication to the vulnerable ServiceDesk server.

When ServiceDesk runs the payload, a mutex is created and a hard-coded Java module is written to “../lib/tomcat/tomcat-postgres.jar”. This is a variant of the “Godzilla” webshell, which is loaded into ServiceDesk once ‘java.exe’ has been killed and the process restarted. According to the researchers, the actor reused the same webshell secret key seen in the ADSelfService Plus campaign, but this time the webshell is installed as an Apache Tomcat Java servlet filter.

[Figure: Actor’s Tomcat filter. Source: Unit42]

“Having this Godzilla webshell installed as a filter means that there is no specific URL that the actor will send their requests to when interacting with the webshell, and the Godzilla webshell filter can also bypass a security filter present in ServiceDesk Plus to stop access to webshell files,” reads Unit42’s analysis.

“It appears the threat actor used publicly available code called tomcat-backdoor to create the filter and then added a modified Godzilla webshell to it,” the researchers note.

Palo Alto Networks has seen evidence that may link these attacks to the Chinese group APT27 (Emissary Panda), which has previously deployed Godzilla against high-profile targets, but there is insufficient evidence for a firm attribution.

Organizations are strongly advised to patch their Zoho software as soon as possible and to review all files created in ServiceDesk Plus directories since early October 2021.

[Figure: Countries where vulnerable software was found. Source: Unit42]

Currently, network scans reveal more than 600 vulnerable systems in the United States and another 2,100 in India, Russia, Britain, Turkey and elsewhere. Many of these vulnerable deployments belong to government systems, universities, healthcare organizations and other critical entities.