Threat Actors Exploiting ManageEngine RCE

Category: Vulnerability | Industry: Global | Level: Tactical | Source: Bitdefender

Bitdefender examined the exploitation of a pre-authentication remote code execution vulnerability for ManageEngine ServiceDesk software, CVE-2022-47966. A proof-of-concept (PoC) for the CVE was released on January 19th, 2023, providing validation and a blueprint to exploit the vulnerability, which could potentially affect 2,000 to 4,000 internet-facing servers. An incident initiated by the abuse of CVE-2022-47966 was observed by Bitdefender, describing the attack as having "signs of a targeted operation. As this vulnerability lets an attacker execute remote code on unpatched servers, it can be used to install tools and malware associated with espionage." The attackers' aim appeared to be to side-load their malicious payload, as evidenced by the identified artifacts and file names of the downloaded files. Their payloads were download tools using native Windows utilities like powershell.exe, bitsadmin.exe, and certutil.exe. After the foothold was established, the attackers proceeded to set persistence with modifications in the registry, create Windows services, abuse a Servlet Filter for the Tomcat web server, and load a malicious loader tracked as DeepRegSearcher. System administrators are urged to patch and remediate servers vulnerable to CVE-2022-47966 as the analysis provided by Bitdefender is only one possible exploit path.

Anvilogic Scenario:

• Native Tools Downloads Payload/Tampers with System Config

Anvilogic Use Cases:

• Invoke-WebRequest Command
• Certutil File Download
• BITSadmin Execution

‍