Researchers: Brace for Zoho ManageEngine 'Spray and Pray' Attacks

guest · Jan 16, 2023

By Ryan Naraine @ryanaraine - January 16, 2023

Security researchers tracking a known pre-authentication remote code execution vulnerability in Zoho’s ManageEngine products are warning organizations to brace for “spray and pray” attacks across the internet.
Click to expand...

The vulnerability, patched by Zoho last November, affects multiple Zoho ManageEngine products and can be reached over the internet to launch code execution exploits if SAML single-sign-on is enabled or has ever been enabled.

According to researchers at automated penetration testing firm Horizon3.ai, the CVE-2022-47966 flaw is easy to exploit and a good candidate for so-called “spray and pray” attacks. In this case, the bug gives attackers complete control over the system or an immediate beachhead to launch additional compromises.

“Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement,” the company said in a note documenting its work creating IOCs to help businesses hunt for signs of infection.
Click to expand...

Although Zoho issued patches late last year, Horseman notes that some organizations are still be tardy on deploying the fixes. “Given how slow enterprise patch cycles can be, we expect that there are many who have not yet patched.”

“We want to highlight that in some cases the vulnerability is exploitable even if SAML is not currently enabled, but was enabled sometime in the past. The safest course of action is to patch regardless of the SAML configuration of the product,” Horseman added.
Click to expand...

guest · Jan 20, 2023

In-the-Wild Exploitation of Recent ManageEngine Vulnerability Commences
By Ionut Arghire - January 20, 2023

Cloud risk management and threat detection firm Rapid7 warns that it has seen organizations being compromised in attacks exploiting a recently patched Zoho ManageEngine vulnerability.
Click to expand...

Tracked as CVE-2022-47966, the security defect exists in a third-party dependency (Apache xmlsec, also known as XML Security for Java, version 1.4.1), allowing attackers to execute arbitrary code remotely without authentication.

A NIST advisory explains that the bug exists “because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.”
Click to expand...

Horizon3.ai also published a proof-of-concept (PoC) exploit targeting the issue.
Now, Rapid7 says it has been responding to compromises resulting from the active exploitation of CVE-2022-47966. The attacks appear to have started before Horizon3.ai released its PoC exploit.

The cybersecurity firm underlines that some of the impacted products, including ADSelfService Plus and ServiceDesk Plus, are highly popular among organizations, and that they are known to have been targeted in previous attacks.

“Organizations using any of the affected products listed in ManageEngine’s advisory should update immediately and review unpatched systems for signs of compromise, as exploit code is publicly available and exploitation has already begun,” Rapid7 warns.
Click to expand...

Rapid7: CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability

By Glenn Thorpe - January 19, 2023
Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products. CVE-2022-47966 stems from a vulnerable third-party dependency on Apache Santuario.
Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus.
Click to expand...

guest · Jan 23, 2023

CISA warns of critical ManageEngine RCE bug exploited in attacks
By Sergiu Gatlan @serghei - January 23, 2023

The Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution (RCE) affecting most Zoho ManageEngine products to its catalog of bugs known to be exploited in the wild.

This security flaw is tracked as CVE-2022-47966 and was patched in several waves starting on October 27th, 2022.
Unauthenticated threat actors can exploit it if the SAML-based single-sign-on (SSO) is or was enabled at least once before the attack to execute arbitrary code.
Click to expand...

Last week, Horizon3 security researchers released a technical analysis with proof-of-concept (PoC) exploit code and warned of incoming 'spray and pray' attacks.
One day later, multiple cybersecurity companies warned that unpatched ManageEngine instances exposed online are now targeted with CVE-2022-47966 exploits in ongoing attacks to open reverse shells.
Click to expand...

All orgs urged to prioritize patching
The federal agencies have three weeks, until February 13th, to ensure that their networks are secured against ongoing exploitation attempts.

Although BOD 22-01 only applies to U.S. FCEB agencies, the cybersecurity agency also strongly urged all organizations from private and public sectors to prioritize patching this vulnerability.

"This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise," CISA said on Monday.
Click to expand...

Log in or Sign up

Researchers: Brace for Zoho ManageEngine 'Spray and Pray' Attacks

guest Guest

guest Guest

guest Guest

Log in or Sign up

Researchers: Brace for Zoho ManageEngine 'Spray and Pray' Attacks

guest Guest

guest Guest

guest Guest

Useful Searches