A critical remote code execution (RCE) vulnerability affecting multiple Zoho ManageEngine products is now being exploited in attacks.
The first exploitation attempts were observed by cybersecurity firm Rapid7 on Tuesday, two days before Horizon3 security researchers released public exploit code and in-depth technical analysis of the flaw.
“Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products,” the threat detection firm said.
“Rapid7 observed exploitation across organizations as early as January 17, 2023 (UTC).”
This was confirmed by researchers at the Shadowserver Foundation, who said they are “picking up exploitation attempts from at least 10 IPs for CVE-2022-47966 unauthenticated RCE affecting multiple Zoho ManageEngine products (that have SAML SSO enabled).”
Their findings were also confirmed by threat intelligence firm GreyNoise which began tracking CVE-2022-47966 exploitation attempts last week, on January 12.
GreyNoise has detected 11 IP addresses targeting Internet-exposed ManageEngine instances vulnerable to CVE-2022-47966 attacks.
At least one of these IPs (i.e., 221.226.159.22), assigned to a Linux server on China Telecom Backbone, has previously attempted to compromise servers unpatched against the Log4shell vulnerability.
Post-exploitation activity on compromised devices
While investigating attacks that led to the compromise of some of its customers’ ManageEngine instances, Rapid7 also observed post-exploitation activity.
The company says the attackers are using PowerShell scripts to disable Microsoft Defender real-time protection and adding the C:UsersPublic folder to Defender’s exclusion lists.
The threat actors also deploy additional payloads, including remote access tools camouflaged as the Windows Service Host service.
One of these tools, a Golang protocol tunneling tool named Chisel that’s similar to the Plink (PuTTY Link) command-line connection tool, is being used to create a reverse ssh tunnel (likely to open a remote shell to bypass firewalls).
In one exploitation attempt seen by ShadowServer and shared with BleepingComputer, the attackers used curl to download a file from a remote server (106.246.224[.]219/hlmllmo) and execute it.
Unfortunately, this file no longer exists on the server, so there’s no info on its malicious behavior.
However, the IP address has a history of distributing Linux backdoors on compromised devices using VMware vulnerabilities and the Log4Shell flaw.
”Organizations using any of the affected products listed in ManageEngine’s advisory should update immediately and review unpatched systems for signs of compromise, as exploit code is publicly available and exploitation has already begun,” Rapid7 warned.
Horizon found over 8,300 Internet-exposed ServiceDesk Plus and Endpoint Central instances and warned of “spray and pray” attacks after estimating that roughly 10% of exposed instances are also vulnerable to attacks.
CISA and the FBI have previously issued joint advisories (1, 2) to warn of state-backed threat actors exploiting ManageEngine flaws to drop web shells on the networks of organizations from multiple critical infrastructure sectors, including healthcare and financial services.