Chennai, NFAPost: A critical remote code execution (RCE) vulnerability affecting multiple Zoho ManageEngine products is now being exploited in attacks. The pre-authentication remote code execution vulnerability affects at least 24 on-premise ManageEngine products.
The first exploitation attempts were observed by cybersecurity firm Rapid7. The firm said, “Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products.”
While investigating the attacks, Rapid7 also observed post-exploitation activity. The attackers use PowerShell scripts to disable Microsoft Defender real-time protection and add the C:\Users\Public folder to Defender’s exclusion lists. The threat actors also deploy additional payloads, including remote access tools camouflaged as the Windows Service Host service.
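The Defender tampering described above leaves a recognisable trace in PowerShell script-block logging. The following is an added detection example, not code from the article or from Rapid7; it runs over constructed sample script-block text (the hypothetical `SAMPLE_SCRIPT_BLOCKS` list stands in for Event ID 4104 records) and flags real-time protection being disabled and exclusions added for world-writable locations such as C:\Users\Public.

```python
import re

# Constructed sample script blocks, not real telemetry; in practice these
# would come from PowerShell ScriptBlock logging (Event ID 4104).
SAMPLE_SCRIPT_BLOCKS = [
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public'",
    "Get-MpComputerStatus",
    'Add-MpPreference -ExclusionPath "C:\\Program Files\\BackupTool"',
    "Set-MpPreference -DisableRealtimeMonitoring $false",
]

# Real-time protection switched off via Set-MpPreference.
DISABLE_RT = re.compile(
    r"Set-MpPreference\b.*?-DisableRealtimeMonitoring\s+\$?true", re.I)
# Exclusion path added; captures single-quoted, double-quoted or bare paths.
ADD_EXCL = re.compile(
    r"Add-MpPreference\b.*?-ExclusionPath\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)
# Locations any local user can write to; an exclusion here is rarely legitimate.
SUSPICIOUS_PATH_PREFIXES = ("c:\\users\\public", "c:\\windows\\temp", "c:\\programdata")


def classify(block):
    """Return a finding label for one script block, or None if it looks benign."""
    if DISABLE_RT.search(block):
        return "defender_realtime_disabled"
    m = ADD_EXCL.search(block)
    if m:
        path = next(g for g in m.groups() if g is not None).lower()
        if path.startswith(SUSPICIOUS_PATH_PREFIXES):
            return "defender_exclusion_world_writable"
        return "defender_exclusion_added"
    return None


def scan(blocks):
    """Return (block, label) pairs for every block that triggers a finding."""
    return [(b, label) for b in blocks if (label := classify(b))]


if __name__ == "__main__":
    for block, label in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"{label}: {block}")
```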
In one exploitation attempt, the attackers used curl to download a file from a remote server (106.246.224[.]219/hlmllmo) and execute it. Unfortunately, this file no longer exists on the server, so there’s no information on its malicious behavior.
However, the IP address has a history of distributing Linux backdoors to compromised devices by exploiting VMware vulnerabilities and the Log4Shell flaw.