Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products

1 year ago AndyC

Feb
23,
2023Ravie
Lakshmanan

Multiple
threat
actors
have
been
observed
opportunistically
weaponizing
a
now-patched
critical
security
vulnerability
impacting
several
Zoho
ManageEngine
products
since
January
20,
2023.

Feb
23,
2023Ravie
Lakshmanan

Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products

Multiple
threat
actors
have
been
observed
opportunistically
weaponizing
a
now-patched
critical
security
vulnerability
impacting
several
Zoho
ManageEngine
products
since
January
20,
2023.

Tracked
as

CVE-2022-47966
(CVSS
score:
9.8),
the

remote
code
execution
flaw
allows
a
complete
takeover
of
the
susceptible
systems
by
unauthenticated
attackers.

As
many
as

24
different
products,
including
Access
Manager
Plus,
ADManager
Plus,
ADSelfService
Plus,
Password
Manager
Pro,
Remote
Access
Plus,
and
Remote
Monitoring
and
Management
(RMM),
are
affected
by
the
issue.

The
shortcoming
“allows
unauthenticated
remote
code
execution
due
to
usage
of
an
outdated
third-party
dependency
for
XML
signature
validation,
Apache
Santuario,”
Bitdefender’s
Martin
Zugec

said
in
a
technical
advisory
shared
with
The
Hacker
News.

According
to
the
Romanian
cybersecurity
firm,
the
exploitation
efforts
are
said
to
have
commenced
the
day
after
penetration
testing
firm
Horizon3.ai
released
a
proof-of-concept
(PoC)
last
month.

A
majority
of
the
attack
victims
are
located
in
Australia,
Canada,
Italy,
Mexico,
the
Netherlands,
Nigeria,
Ukraine,
the
U.K.,
and
the
U.S.

The
main
objective
of
the
attacks
detected
to
date
revolves
around
deploying
tools
on
vulnerable
hosts
such
as
Netcat
and
Cobalt
Strike
Beacon.

Some
intrusions
have
leveraged
the
initial
access
to
install
AnyDesk
software
for
remote
access,
while
a
few
others
have
attempted
to
install
a
Windows
version
of
a
ransomware
strain
known
as

Buhti.

What’s
more,
there
is
evidence
of
a

targeted
espionage
operation,
with
the
threat
actors
abusing
the
ManageEngine
flaw
to
deploy
malware
capable
of
executing
next-stage
payloads.

“This
vulnerability
is
another
clear
reminder
of
the
importance
of
keeping
systems
up
to
date
with
the
latest
security
patches
while
also
employing
strong
perimeter
defense,”
Zugec
said.

“Attackers
don’t
need
to
scour
for
new
exploits
or
novel
techniques
when
they
know
that
many
organizations
are
vulnerable
to
older
exploits
due,
in
part,
to
the
lack
of
proper
patch
management
and
risk
management.”

Found
this
article
interesting?
Follow
us
on

Twitter


and

LinkedIn
to
read
more
exclusive
content
we
post.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts