Threat Actors Weaponizing CVE-2022-47966 to Take Over ManageEngine Products
Since January 20th, 2023, multiple threat actors have been weaponizing a critical security vulnerability affecting several Zoho ManageEngine products. The vulnerability, tracked as CVE-2022-47966, allows unauthenticated attackers to take complete control of susceptible systems. The shortcoming "allows unauthenticated remote code execution due to usage of an outdated third-party dependency for XML signature validation, Apache Santuario," according to Bitdefender's Martin Zugec. Twenty-four products are affected by the issue, including Access Manager Plus, ADManager Plus, ADSelfService Plus, Password Manager Pro, Remote Access Plus, and Remote Monitoring and Management (RMM).
The exploitation efforts are said to have begun the day after penetration testing firm Horizon3.ai released a proof-of-concept (PoC) last month. A majority of the attack victims are located in Australia, Canada, Italy, Mexico, the Netherlands, Nigeria, Ukraine, the U.K., and the U.S. The main objective of the attacks detected to date is to deploy tools such as Netcat and Cobalt Strike Beacon on vulnerable hosts. Some intrusions have leveraged the initial access to install AnyDesk software for remote access, while a few others have attempted to install a Windows version of a ransomware strain known as Buhti.
