Experts Warn of Increasing Cyberattacks Targeting Zoho ManageEngine Products

On February 23, 2023, multiple threat actors have been observed exploiting a critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers.

Martin Zugec of Bitdefender’s cybersecurity firm revealed in a technical advisory that the vulnerability “allows unauthenticated remote code execution due to usage of an outdated third-party dependency for XML signature validation, Apache Santuario.” The exploitation efforts are said to have commenced the day after penetration testing firm Horizon3.ai released a proof-of-concept (PoC) last month.

A majority of the attack victims are located in Australia, Canada, Italy, Mexico, the Netherlands, Nigeria, Ukraine, the U.K., and the U.S. The main objective of the attacks detected to date revolves around deploying tools on vulnerable hosts such as Netcat and Cobalt Strike Beacon. Some intrusions have leveraged the initial access to install AnyDesk software for remote access, while a few others have attempted to install a Windows version of a ransomware strain known as Buhti.

Furthermore, there is evidence of a targeted espionage operation, with the threat actors abusing the ManageEngine flaw to deploy malware capable of executing next-stage payloads. Zugec reminded that “this vulnerability is another clear reminder of the importance of keeping systems up to date with the latest security patches while also employing strong perimeter defense.”