ManageEngine RCE Bug Used For Pwnage By Hackers

Zoho ManageEngine has an extremely serious remote code execution (RCE) bug, tracked as CVE-2022-47966, that has apparently been exploited by hackers. Here’s the background that you need to know via Bleeping Computer:

Unauthenticated threat actors can exploit it if the SAML-based single-sign-on (SSO) is or was enabled at least once before the attack to execute arbitrary code.

Last week, Horizon3 security researchers released a technical analysis with proof-of-concept (PoC) exploit code and warned of incoming ‘spray and pray’ attacks.

They found over 8,300 Internet-exposed ServiceDesk Plus and Endpoint Central instances and estimated that roughly 10% of them are also vulnerable.

One day later, multiple cybersecurity companies warned that unpatched ManageEngine instances exposed online are now targeted with CVE-2022-47966 exploits in ongoing attacks to open reverse shells.

Post-exploitation activity seen by Rapid7 security researchers shows that attackers are disabling real-time malware protection to backdoor compromised devices by deploying remote access tools.

All Federal Civilian Executive Branch (FCEB) agencies must patch their systems against this actively exploited bug after it was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, according to a binding operational directive (BOD 22-01) issued in November 2021.

The federal agencies have three weeks, until February 13th, to ensure that their networks are secured against ongoing exploitation attempts.

Although BOD 22-01 only applies to U.S. FCEB agencies, the cybersecurity agency also strongly urged all organizations from private and public sectors to prioritize patching this vulnerability.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses a significant risk to the federal enterprise,” CISA said on Monday.

Sylvain Cortes, VP of Solutions, Hackuity, had this comment:

“Most worryingly, vulnerabilities such as these are often dangerously accessible to attackers, many of whom are state-backed groups that exploit ManageEngine flaws to target multiple critical national infrastructure sectors, including finance and healthcare.

Threat actors thrive on Remote Code Execution vulnerabilities when the SAML-based single-sign-on (SSO) was or is enabled prior to the attack, in order to execute arbitrary code.

This raises huge security concerns for all Federal Civilian Executive Branch Agencies (FCEB) in particular, who must patch their systems against this bug after it was added to CISA’s Known Exploited Vulnerabilities (KEV) list.

The access that these vulnerabilities provide to threat actors leaves hundreds of thousands of users at risk for cyber attacks, malware, social engineering attacks and more. Any interruption to these systems can also have a widespread impact in terms of revenue loss and reputational damage. Organizations must focus on patching these exposed vulnerabilities as their main priority.”

The fact that CISA is involved shows how serious this is, and it shows that you need to take this seriously as well if you use ManageEngine. Note the condition above: a deployment is exposed if SAML-based SSO is enabled now or was ever enabled in the past, so switching SSO off today is not a fix. The only real remediation is to apply the ManageEngine patches for CVE-2022-47966 to every affected product, and to check Internet-exposed instances for signs of a reverse shell or newly installed remote access tools, so that you’re not the next victim.
