TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
Summary: Cybersecurity researchers observed exploitation of a vulnerability affecting two dozen ManageEngine products from software company Zoho. The bug – CVE-2022-47966 – was patched in waves starting on October 27, 2022 with the last product receiving a patch on November 7, 2022 (the full list a patches can be found here). The ManageEngine IT service management solutions suite is used by hundreds of organizations – including nine of every 10 Fortune 100 organizations – for IT infrastructure, networks, servers, applications, endpoints and more. The exploit only works if Security Assertion Markup Language (SAML) single-sign-on has been previously enabled.
A spray and pray attack uses automation to roll through a set of IP addresses seeking vulnerabilities.
NYSIC CAU Analyst Note: There have been several Zoho ManageEngine vulnerabilities exploited over the last two years. A team from the cybersecurity company Horizon3.ai published a proof of concept and Indicators of Compromise detailing the exploit as “low in complexity and easy to exploit.” A representative from Horizon3.ai stated data from Shodan shows that there are likely more than 1,000 instances of ManageEngine products exposed to the internet with SAML currently enabled.
Sources:
https://www.bleepingcomputer[.]com/news/security/exploit-released-for-critical-manageengine-rce-bug-patch-now/
https://www.securityweek[.]com/researchers-brace-zoho-manageengine-spray-and-pray-attacks
https://securityboulevard[.]com/2023/01/researchers-warn-against-zoho-manageengine-spray-and-pray-attacks/
This information has been disseminated to:
NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – Cyber Partners Working Group (CPWG)
NYSIC CAU Contacts – Critical Infrastructure: All
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – Private Sector
For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.
TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.
https://www.first.org/tlp/
CONFIDENTIALITY NOTICE: This e-mail, including any attachments, may contain highly sensitive and confidential information. It is intended only for the individual(s) named. If you received this e-mail in error or from someone who was not authorized to send it to you, do not disseminate, copy or otherwise use this e-mail or its attachments. Please notify the sender immediately by reply e-mail and delete the e-mail from your system.