Threat actors exploited CVE-2021-44077 to gain initial access to an internet-facing ManageEngine SupportCenter Plus instance, planted a web shell, and began days-long data exfiltration via web shell and RDP. The operation involved Plink-based SSH tunneling, LSASS credential dumping, WDigest credential caching, and targeted file exfiltration across multiple servers.
#CVE-2021-44077 #ManageEngineSupportCenterPlus #fm2.jsp #ekern.exe #Plink #WDigest #LSASS #Site24x7 #RDP #Tor
Keypoints
- The intrusion began with the exploitation of an internet-facing instance of ManageEngine SupportCenter Plus via CVE-2021-44077.
- A web shell fm2.jsp was dropped and used for discovery, command execution, and persistence.
- The attackers enabled WDigest and dumped LSASS to harvest plaintext credentials for lateral movement.
- ekern.exe (a renamed Plink) was downloaded to establish a reverse SSH tunnel and enable RDP-based enumeration.
- Lateral movement occurred to three other servers via RDP, with confidential files exfiltrated over web shell and RDP sessions.
- Exfiltration included certificates, Visio, and Excel files, with canary tokens triggering upon document access.
- Exploitation originated from Tor exit nodes (e.g., 2.58.56.14, 185.220.101.76), and C2/SSH traffic used 23.81.246.84 as an SSH proxy host.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The intrusion began with the exploitation of an internet-facing instance of ManageEngine SupportCenter Plus via CVE-2021-44077. “The intrusion began with the exploitation of an internet-facing instance of ManageEngine SupportCenter Plus via CVE-2021-44077…”
- [T1572] Protocol Tunneling – A batch script was used to facilitate RDP tunneling and Plink, creating an SSH tunnel for remote access. “a batch script is used to facilitate rdp tunneling including the use of Plink.”
- [T1012] Query Registry – The attacker queried the registry to check WDigest status. “query registry checking to see if WDigest was enabled.”
- [T1003] OS Credential Dumping – The LSASS dump was performed to harvest credentials. “the threat actors performed an LSASS dump on the system… the plaintext credentials…”
- [T1087] Account Discovery – Enumeration included user/OS information and current user sessions. “Enumeration on the system included querying network configuration, a list of domain joined computers, user and OS information, and current user sessions…”
- [T1057] Process Discovery – Discovery activities included listing running processes. “current user sessions on the beachhead” and related process enumerations.
- [T1021.001] Remote Services: Remote Desktop Protocol – Lateral movement to three other servers via RDP. “From the beachhead, lateral movement was conducted to three other servers via RDP…”
- [T1059.001] Command and Scripting Interpreter: PowerShell – Web shell commands were executed via PowerShell. “The GET requests ran PowerShell commands…”
- [T1047] Windows Management Instrumentation – WMIC commands were used during reconnaissance and discovery. “WMIC computersystem get domain” appears in the discovery data.
- [T1070.004] File Deletion – The LSASS dump was deleted to hide traces. “deleted the dump file to hide their traces.”
- [T1078.002] Domain Account – Actions were conducted from the account whose password was extracted from LSASS. “rest of the actions were conducted from the account whose password was extracted from the LSASS dump.”
- [T1112] Modify Registry – WDigest UseLogonCredential was enabled and later checked. “WDigest UseLogonCredential” and subsequent enablement.
- [T1036] Masquerading – msiexec.exe was uploaded as a dropper to blend in and exploit CVE-2021-44077. “an attacker uploaded a binary named msiexec.exe… not the legitimate Microsoft msiexec.exe, rather it is a dropper…”
- [T1505.003] Server Software Component: Web Shell – A web shell fm2.jsp provided remote control over the beachhead. “web shell dropped to the beachhead during the exploitation process was the only form of persistence observed…”
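As an added defender-side example (not part of the original report), the following Python runs three detections tied to the techniques above over constructed Sysmon-style events: a write that enables WDigest UseLogonCredential (T1112), a registry query of the WDigest key (T1012), and a PE whose version info says Plink but which runs under another name such as ekern.exe (T1036). The simplified event fields, the sample command lines and the assumption that PuTTY's plink.exe carries an OriginalFileName of "Plink" are mine, not the report's.

```python
import ntpath
import re

# Registry value the actors flipped so that WDigest caches plaintext credentials.
WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
WDIGEST_VALUE = WDIGEST_KEY + r"\UseLogonCredential"

# Constructed Sysmon-style events (simplified field set, not taken from the report).
# EventID 1 = process create, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": f'reg query "{WDIGEST_KEY}" /v UseLogonCredential'},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": WDIGEST_VALUE, "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "Image": r"C:\ProgramData\ekern.exe", "OriginalFileName": "Plink",
     "CommandLine": r"ekern.exe -ssh -N 23.81.246.84"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]

def registry_set_wdigest(ev):
    """Flag a write that turns UseLogonCredential on (any non-zero DWORD)."""
    if ev.get("EventID") != 13 or ev.get("TargetObject", "").lower() != WDIGEST_VALUE.lower():
        return None
    m = re.search(r"0x([0-9a-f]+)", ev.get("Details", ""), re.I)
    if m and int(m.group(1), 16) != 0:
        return f"WDigest UseLogonCredential enabled by {ev.get('Image')}"
    return None

def wdigest_query(ev):
    """Flag any process reading the WDigest key, as the actors did before the LSASS dump."""
    cl = ev.get("CommandLine", "").lower()
    if ev.get("EventID") == 1 and "securityproviders\\wdigest" in cl and "query" in cl:
        return f"WDigest key queried: {ev['CommandLine']}"
    return None

def renamed_plink(ev):
    """Flag a binary whose version info names Plink but whose on-disk name does not.
    Assumption: PuTTY ships plink.exe with OriginalFileName 'Plink'."""
    if ev.get("EventID") != 1:
        return None
    orig = ev.get("OriginalFileName", "").lower()
    base = ntpath.basename(ev.get("Image", "")).lower()
    if orig.startswith("plink") and not base.startswith("plink"):
        return f"renamed Plink running as {ev['Image']}"
    return None

def scan(events):
    """Run every rule over every event; return (rule_name, detail) pairs in event order."""
    rules = (registry_set_wdigest, wdigest_query, renamed_plink)
    return [(r.__name__, hit) for ev in events for r in rules if (hit := r(ev))]

if __name__ == "__main__":
    for name, detail in scan(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```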
Indicators of Compromise
- [IP Address] – SSH/Tunnel and C2 activity observed from multiple IPs, including 23.81.246.84 (SSH proxy) and Tor exits 2.58.56.14, 185.220.101.76. 23.81.246.84 is repeatedly cited in the intrusion/execution flow.
- [IP Address] – Additional related IPs: 5.239.37.78, 5.114.3.200, 5.113.111.4, 35.196.132.85, 192.221.154.141, 8.0.26.137 (canary token and exfiltration events).
- [File name] – fm2.jsp web shell and fm2.jsp-based commands; msiexec.exe dropper; ekern.exe (Plink renamed).
- [File name] – Site24x7WindowsAgent.msi (used to trigger msiexec-based execution); custom login path fm2.jsp written to web root.
- [Domain] – server.example (host used to invoke web shell commands); canary tokens triggered from 192.221.154.141 and 8.0.26.137 when documents opened.
- [Hash] – 0be5d9235059cb4f8b16fe798e822444, 848f7edb825813aee4c09c7f2ec71d27, 9872E0A47E2F44BF6E22E976F061DAC0 (msiexec dropper and other executable artifacts cited in the narrative)
- [Hash] – 916952C5407233EEC5C0176C0E04F88AF9E63978, C7862701AD23B631EF854570C67FC33331F6853DCA65D4C3E825E2C3BB9B16EE (additional artifact hashes shown in the dataset)