Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Nation-State

Researchers: Brace for Zoho ManageEngine ‘Spray and Pray’ Attacks

Researchers tracking a remote code execution vulnerability in Zoho’s ManageEngine products are warning organizations to brace for “spray and pray” attacks across the internet.

Security researchers tracking a known pre-authentication remote code execution vulnerability in Zoho’s ManageEngine products are warning organizations to brace for “spray and pray” attacks across the internet.

The vulnerability, patched by Zoho last November, affects multiple Zoho ManageEngine products and can be reached over the internet to launch code execution exploits if SAML single-sign-on is enabled or has ever been enabled.

According to researchers at automated penetration testing firm Horizon3.ai, the CVE-2022-47966 flaw is easy to exploit and a good candidate for so-called “spray and pray” attacks. In this case, the bug gives attackers complete control over the system or an immediate beachhead to launch additional compromises.

“Once an attacker has SYSTEM level access to the endpoint, attackers are likely to begin dumping credentials via LSASS or leverage existing public tooling to access stored application credentials to conduct lateral movement,” the company said in a note documenting its work creating IOCs to help businesses hunt for signs of infection.

Horizon3.ai red-teamer James Horseman is calling attention to exposed attack surfaces that put thousands of organizations at risk. “Shodan data shows that there are likely more than a thousand instances of ManageEngine products exposed to the internet with SAML currently enabled,” Horseman said, estimating that roughly 10% of all Zoho Management products may be sitting ducks for these attacks.

“Organizations that use SAML in the first place tend to be larger and more mature and are likely to be higher value targets for attackers,” Horseman warned.

Although Zoho issued patches late last year, Horseman notes that some organizations are still be tardy on deploying the fixes. “Given how slow enterprise patch cycles can be, we expect that there are many who have not yet patched.”

“We want to highlight that in some cases the vulnerability is exploitable even if SAML is not currently enabled, but was enabled sometime in the past. The safest course of action is to patch regardless of the SAML configuration of the product,” Horseman added.

Advertisement. Scroll to continue reading.

Zoho boasts that about 280,000 organizations across 190 countries use its ManageEngine product suite to manage IT operations.  

The Indian multinational firm, which sells a wide range of productivity and collaboration apps to businesses, has struggled with zero-day attacks and major security problems that have been targeted by nation-state APT actors.

The US government’s cybersecurity agency CISA has added Zoho vulnerabilities to its federal ‘must-patch’ list because of known exploitation activity.

Related: U.S. Agencies Warn of APTs Exploiting Zoho Zero-Day 

Related: Zoho Working on Patch for Zero-Day ManageEngine Vulnerability

Related: CISA Adds Zoho Flaws to Federal ‘Must-Patch’ List 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

Cloud and container security firm Sysdig has tapped William Welch as CEO on its path to an IPO.

Dave Scher has been promoted to Deputy Chief Information Officer at MITRE.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.