{
	"id": "c48d129e-48be-4599-b27d-d948fb5c9400",
	"created_at": "2026-04-06T00:13:29.065795Z",
	"updated_at": "2026-04-10T13:11:33.56135Z",
	"deleted_at": null,
	"sha1_hash": "02705055764a09808372a37ef9701841f81321c6",
	"title": "APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 118988,
	"plain_text": "APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine\r\nServiceDesk Plus | CISA\r\nPublished: 2021-12-06 · Archived: 2026-04-02 12:07:49 UTC\r\nSummary\r\nThis joint Cybersecurity Advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge\r\n(ATT\u0026CK®) framework, Version 9. See the ATT\u0026CK for Enterprise framework for referenced threat actor\r\ntechniques and for mitigations.\r\nThis joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI) and the\r\nCybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active\r\nexploitation of a newly identified vulnerability (CVE-2021-44077) in Zoho ManageEngine ServiceDesk Plus—IT\r\nhelp desk software with asset management.\r\nCVE-2021-44077, which Zoho rated critical, is an unauthenticated remote code execution (RCE) vulnerability\r\naffecting all ServiceDesk Plus versions up to, and including, version 11305. This vulnerability was addressed by\r\nthe update released by Zoho on September 16, 2021 for ServiceDesk Plus versions 11306 and above. The FBI and\r\nCISA assess that advanced persistent threat (APT) cyber actors are among those exploiting the vulnerability.\r\nSuccessful exploitation of the vulnerability allows an attacker to upload executable files and place webshells,\r\nwhich enable the adversary to conduct post-exploitation activities, such as compromising administrator\r\ncredentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.\r\nThe Zoho update that patched this vulnerability was released on September 16, 2021, along with a security\r\nadvisory. Additionally, an email advisory was sent to all ServiceDesk Plus customers with additional\r\ninformation. 
Zoho released a subsequent security advisory on November 22, 2021, and advised customers to\r\npatch immediately.\r\nThe FBI and CISA are aware of reports of malicious cyber actors likely using exploits against CVE-2021-44077\r\nto gain access [T1190] to ManageEngine ServiceDesk Plus, as early as late October 2021. The actors have been\r\nobserved using various tactics, techniques and procedures (TTPs), including:\r\nWriting webshells [T1505.003] to disk for initial persistence\r\nObfuscating and Deobfuscating/Decoding Files or Information [T1027 and T1140]\r\nConducting further operations to dump user credentials [T1003]\r\nLiving off the land by only using signed Windows binaries for follow-on actions [T1218]\r\nAdding/deleting user accounts as needed [T1136]\r\nStealing copies of the Active Directory database (NTDS.dit) [T1003.003] or registry hives\r\nUsing Windows Management Instrumentation (WMI) for remote execution [T1047]\r\nDeleting files to remove indicators from the host [T1070.004]\r\nDiscovering domain accounts with the net Windows command [T1087.002]\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-336a\r\nPage 1 of 8\n\nUsing Windows utilities to collect and archive files for exfiltration [T1560.001]\r\nUsing custom symmetric encryption for command and control (C2) [T1573.001]\r\nThe FBI and CISA are proactively investigating this malicious cyber activity:\r\nThe FBI leverages specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI’s\r\n24/7 operations center and watch floor, which provides around-the-clock support to track incidents and\r\ncommunicate with field offices across the country and partner agencies.\r\nCISA offers a range of no-cost cyber hygiene services to help organizations assess, identify, and reduce\r\ntheir exposure to threats. By requesting these services, organizations of any size could find ways to reduce\r\ntheir risk and mitigate attack vectors. 
\r\nSharing technical and/or qualitative information with the FBI and CISA helps empower and amplify our\r\ncapabilities as federal partners to collect and share intelligence and engage with victims, while working to unmask\r\nand hold accountable those conducting malicious cyber activities.\r\nTechnical Details\r\nCompromise of the affected systems involves exploitation of CVE-2021-44077 in ServiceDesk Plus, allowing the\r\nattacker to:\r\n1. Achieve an unrestricted file upload through a POST request to the ServiceDesk REST API URL and\r\nupload an executable file, C:\\ManageEngine\\Servicedesk\\bin\\msiexec.exe, with a SHA256 hash of\r\necd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7. This executable file serves as a\r\ndropper and contains an embedded, encoded Godzilla JAR file.\r\n2. Gain execution for the dropper through a second POST request to a different REST API URL, which will\r\nthen decode the embedded Godzilla JAR file and drop it to the filepath\r\nC:\\ManageEngine\\ServiceDesk\\lib\\tomcat\\tomcat-postgres.jar with a SHA256 hash of\r\n67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015.\r\nConfirming a successful compromise of ManageEngine ServiceDesk Plus may be difficult—the attackers are\r\nknown to run clean-up scripts designed to remove traces of the initial point of compromise and hide any\r\nrelationship between exploitation of the vulnerability and the webshell.\r\nTargeted Industries\r\nAPT cyber actors have targeted Critical Infrastructure Sector industries, including the healthcare, financial\r\nservices, electronics and IT consulting industries.\r\nIndicators of Compromise\r\nHashes\r\nWebshell:\r\n67ee552d7c1d46885b91628c603f24b66a9755858e098748f7e7862a71baa015\r\n068D1B3813489E41116867729504C40019FF2B1FE32AAB4716D429780E666324\r\n759bd8bd7a71a903a26ac8d5914e5b0093b96de61bf5085592be6cc96880e088\r\n262cf67af22d37b5af2dc71d07a00ef02dc74f71380c72875ae1b29a3a5aa23d\r\na44a5e8e65266611d5845d88b43c9e4a9d84fe074fd18f48b50fb837fa6e429d\r\nce310ab611895db1767877bd1f635ee3c4350d6e17ea28f8d100313f62b87382\r\n75574959bbdad4b4ac7b16906cd8f1fd855d2a7df8e63905ab18540e2d6f1600\r\n5475aec3b9837b514367c89d8362a9d524bfa02e75b85b401025588839a40bcb\r\nDropper:\r\necd8c9967b0127a12d6db61964a82970ee5d38f82618d5db4d8eddbb3b5726b7\r\nImplant:\r\n009d23d85c1933715c3edcccb46438690a66eebbcccb690a7b27c9483ad9d0ac\r\n083bdabbb87f01477f9cf61e78d19123b8099d04c93ef7ad4beb19f4a228589a\r\n342e85a97212bb833803e06621170c67f6620f08cc220cf2d8d44dff7f4b1fa3\r\nNGLite Backdoor:\r\n805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f\r\n3da8d1bfb8192f43cf5d9247035aa4445381d2d26bed981662e3db34824c71fd\r\n5b8c307c424e777972c0fa1322844d4d04e9eb200fe9532644888c4b6386d755\r\n3f868ac52916ebb6f6186ac20b20903f63bc8e9c460e2418f2b032a207d8f21d\r\n342a6d21984559accbc54077db2abf61fd9c3939a4b09705f736231cbc7836ae\r\n7e4038e18b5104683d2a33650d8c02a6a89badf30ca9174576bf0aff08c03e72\r\nKDC Sponge:\r\n3c90df0e02cc9b1cf1a86f9d7e6f777366c5748bd3cf4070b49460b48b4d4090\r\nb4162f039172dcb85ca4b85c99dd77beb70743ffd2e6f9e0ba78531945577665\r\ne391c2d3e8e4860e061f69b894cf2b1ba578a3e91de610410e7e9fa87c07304c\r\nMalicious IIS Module:\r\nbec067a0601a978229d291c82c35a41cd48c6fca1a3c650056521b01d15a72da\r\nRenamed WinRAR:\r\nd0c3d7003b7f5b4a3bd74a41709cfecfabea1f94b47e1162142de76aa7a063c7\r\nRenamed csvde:\r\n7d2780cd9acc516b6817e9a51b8e2889f2dec455295ac6e6d65a6191abadebff\r\nNetwork Indicators\r\nPOST requests sent to the following URLs:\r\n/RestAPI/ImportTechnicians?step=1\r\nDomains:\r\nseed.nkn[.]org\r\nNote: the domain 
seed.nkn[.]org is a New Kind of Network (NKN) domain that provides legitimate peer to peer\r\nnetworking services utilizing blockchain technology for decentralization. It is possible to have false positive hits\r\nin a corporate network environment and it should be considered suspicious to see any software-initiated contacts\r\nto this domain or any subdomain.\r\nLog File Analysis\r\nCheck serverOut*.txt log files under C:\\ManageEngine\\ServiceDesk\\logs\\ for suspicious log entries\r\nmatching the following format:\r\n[\u003ctime\u003e]|[\u003cdate\u003e]|[com.adventnet.servicedesk.setup.action.ImportTechniciansAction]|[INFO]|[62]: fileName is : msiexec.exe]\r\nFilepaths\r\nC:\\ManageEngine\\ServiceDesk\\bin\\msiexec.exe\r\nC:\\ManageEngine\\ServiceDesk\\lib\\tomcat\\tomcat-postgres.jar\r\nC:\\Windows\\Temp\\ScriptModule.dll\r\nC:\\ManageEngine\\ServiceDesk\\bin\\ScriptModule.dll\r\nC:\\Windows\\system32\\ME_ADAudit.exe\r\nc:\\Users\\[username]\\AppData\\Roaming\\ADManager\\ME_ADManager.exe\r\n%ALLUSERPROFILE%\\Microsoft\\Windows\\Caches\\system.dat\r\nC:\\ProgramData\\Microsoft\\Crypto\\RSA\\key.dat\r\nc:\\windows\\temp\\ccc.exe\r\nTactics, Techniques, and Procedures\r\nUsing WMI for lateral movement and remote code execution (in particular, wmic.exe)\r\nUsing plaintext credentials for lateral movement\r\nUsing pg_dump.exe to dump ManageEngine databases\r\nDumping NTDS.dit and SECURITY/SYSTEM/NTUSER registry hives\r\nActive credential harvesting through LSASS (KDC Sponge)\r\nExfiltrating through webshells\r\nConducting exploitation activity often through other compromised U.S. 
infrastructure\r\nDropping multiple webshells and/or implants to maintain persistence\r\nUsing renamed versions of WinRAR, csvde, and other legitimate third-party tools for reconnaissance and\r\nexfiltration\r\nYara Rules\r\nrule ReportGenerate_jsp {\r\n   strings:\r\n      $s1 = \"decrypt(fpath)\"\r\n      $s2 = \"decrypt(fcontext)\"\r\n      $s3 = \"decrypt(commandEnc)\"\r\n      $s4 = \"upload failed!\"\r\n      $s5 = \"sevck\"\r\n      $s6 = \"newid\"\r\n   condition:\r\n      filesize \u003c 15KB and 4 of them\r\n}\r\nrule EncryptJSP {\r\n   strings:\r\n      $s1 = \"AEScrypt\"\r\n      $s2 = \"AES/CBC/PKCS5Padding\"\r\n      $s3 = \"SecretKeySpec\"\r\n      $s4 = \"FileOutputStream\"\r\n      $s5 = \"getParameter\"\r\n      $s6 = \"new ProcessBuilder\"\r\n      $s7 = \"new BufferedReader\"\r\n      $s8 = \"readLine()\"\r\n   condition:\r\n      filesize \u003c 15KB and 6 of them\r\n}\r\nrule ZimbraImplant {\r\n    strings:\r\n        $u1 = \"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36\"\r\n        $u2 = \"Content-Type: application/soap+xml; charset=UTF-8\"\r\n        $u3 = \"/service/soap\"\r\n        $u4 = \"Good Luck :::)\"\r\n        $s1 = \"zimBR\"\r\n        $s2 = \"log10\"\r\n        $s3 = \"mymain\"\r\n        $s4 = \"urn:zimbraAccount\"\r\n        $s5 = \"/service/upload?fmt=extended,raw\"\r\n        $s6 = \"\u003cquery\u003e(in:\\\"inbox\\\" or in:\\\"junk\\\") is:unread\u003c/query\u003e\"\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize \u003c 2MB and 1 of ($u*) and 3 of ($s*)\r\n}\r\nrule GodzillaDropper {\r\n    strings:\r\n        $s1 = \"UEsDBAoAAAAAAI8UXFM\" // base64 encoded PK/ZIP header\r\n        $s2 = \"../lib/tomcat/tomcat-postgres.jar\"\r\n        $s3 = \"RunAsManager.exe\"\r\n        $s4 = \"ServiceDesk\"\r\n        $s5 = \"C:\\\\Users\\\\pwn\\\\documents\\\\visual studio 2015\\\\Projects\\\\payloaddll\"\r\n        $s6 = \"CreateMutexA\"\r\n        $s7 = \"cplusplus_me\"\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize \u003c 350KB and 4 of them\r\n}\r\nrule GodzillaJAR {\r\n    strings:\r\n        $s1 = \"org/apache/tomcat/SSLFilter.class\"\r\n        $s2 = \"META-INF/services/javax.servlet.ServletContainerInitializer\"\r\n        $s3 = \"org/apache/tomcat/MainFilterInitializer.class\"\r\n    condition:\r\n        uint32(0) == 0x04034B50 and filesize \u003c 50KB and all of them\r\n}\r\nrule APT_NGLite {\r\n    strings:\r\n        $s1 = \"/mnt/hgfs/CrossC2-2.2\"\r\n        $s2 = \"WHATswrongwithU\"\r\n        $s3 = \"//seed.nkn.org:\"\r\n        $s4 = \"Preylistener\"\r\n        $s5 = \"preyid\"\r\n        $s6 = \"Www-Authenticate\"\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize \u003c 15MB and 4 of them\r\n}\r\nrule KDCSponge {\r\n    strings:\r\n        $k1 = \"kdcsvc.dll\"\r\n        $k2 = \"kdccli.dll\"\r\n        $k3 = \"kdcsvs.dll\"\r\n        $f1 = \"KerbHashPasswordEx3\"\r\n        $f2 = \"KerbFreeKey\"\r\n        $f3 = \"KdcVerifyEncryptedTimeStamp\"\r\n        $s1 = \"download//symbols//%S//%S//%S\" wide\r\n        $s2 = \"KDC Service\"\r\n        $s3 = \"\\\\system.dat\"\r\n    condition:\r\n        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and filesize \u003c 1MB and 1 of ($k*) and 1 of ($f*) and 1 of ($s*)\r\n}\r\nMitigations\r\nCompromise Mitigations\r\nOrganizations that identify any activity related to ManageEngine ServiceDesk Plus indicators of compromise\r\nwithin their networks should take action immediately.\r\nZoho ManageEngine ServiceDesk Plus build 11306, or higher, fixes CVE-2021-44077. 
ManageEngine initially\r\nreleased a patch for this vulnerability on September 16, 2021. A subsequent security advisory was released on\r\nNovember 22, 2021, and advised customers to patch immediately. Additional information can be found in the\r\nZoho security advisory released on November 22, 2021.\r\nIn addition, Zoho has set up a security response plan center that provides additional details, a downloadable tool\r\nthat can be run on potentially affected systems, and a remediation guide.\r\nFBI and CISA also strongly recommend domain-wide password resets and double Kerberos TGT password resets\r\nif any indication is found that the NTDS.dit file was compromised.\r\nNote: Implementing these password resets should not be taken as a comprehensive mitigation in response to this\r\nthreat; additional steps may be necessary to regain administrative control of your network. Refer to your specific\r\nproduct's mitigation guidance for details.\r\nActions for Affected Organizations\r\nImmediately report as an incident to CISA or the FBI (refer to Contact information section below) the existence\r\nof any of the following:\r\nIdentification of indicators of compromise as outlined above.\r\nPresence of webshell code on compromised ServiceDesk Plus servers.\r\nUnauthorized access to or use of accounts.\r\nEvidence of lateral movement by malicious actors with access to compromised systems.\r\nOther indicators of unauthorized access or compromise.\r\nContact Information\r\nRecipients of this report are encouraged to contribute any additional information that they may have related to this\r\nthreat. 
\r\nFor any questions related to this report or to report an intrusion and request resources for incident response or\r\ntechnical assistance, please contact:\r\nThe FBI through the FBI Cyber Division (855-292-3937 or CyWatch@fbi.gov) or a local field office\r\nCISA (1-844-Say-CISA or Central@cisa.dhs.gov).\r\nRevisions\r\nDecember 2, 2021: Initial version\r\nDecember 6, 2021: STIX file added\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa21-336a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa21-336a"
	],
	"report_names": [
		"aa21-336a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02705055764a09808372a37ef9701841f81321c6.pdf",
		"text": "https://archive.orkl.eu/02705055764a09808372a37ef9701841f81321c6.txt",
		"img": "https://archive.orkl.eu/02705055764a09808372a37ef9701841f81321c6.jpg"
	}
}