Unpatched flaws in Fortinet and Zoho products exploited by attackers
Cybercriminals are exploiting unpatched vulnerabilities in Fortinet and Zoho products, leaving many organizations vulnerable. According to a Check Point Research report, attackers have been exploiting these vulnerabilities for several months, with the number of attacks significantly increasing in recent weeks.
Users of Zoho ManageEngine products who have not installed the security updates addressing CVE-2022-47966 (CVSS score: 9.8), a pre-authentication remote code execution vulnerability, remain exposed to attacks from multiple threat actors, who are now using the flaw as an attack vector to deploy malware capable of executing next-stage payloads.
Both vulnerabilities have severity ratings of 9.8 out of 10 and are found in two unrelated products that are critical in securing large networks. The first, CVE-2022-47966, is a pre-authentication remote code execution vulnerability in 24 different Zoho ManageEngine products. It was patched in waves from October to November of last year. The second vulnerability, CVE-2022-39952, affects a Fortinet product called FortiNAC and was patched just last week.
The attackers behind the campaigns target vulnerable systems with a variety of exploits. Once they have gained access to a system, they install backdoors that let them retain access and continue the attack. In the case of the ManageEngine flaw, attackers can remotely execute malicious code by sending a standard HTTP POST request carrying a specially crafted Security Assertion Markup Language (SAML) response. (SAML is an open-standard language used to exchange authentication and authorization data between identity providers and service providers.) The flaw is caused by Zoho's use of an out-of-date version of Apache Santuario for XML signature validation.
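As an added example (not Zoho's, Apache Santuario's, or the article's code), the following Python pre-check screens an incoming base64 SAMLResponse before any signature library touches it: it requires exactly one Assertion, a signature whose Reference points at the Response or the Assertion, and only allow-listed transform algorithms. Refusing transforms such as XSLT inside XML signatures is standard SAML hardening; that this is the relevant class of crafting here is my assumption, and the sample responses are constructed, not real IdP output.

```python
import base64
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Transform algorithms a strict service provider accepts; anything else (XSLT, XPath, ...)
# is refused before the document reaches the signature library.
ALLOWED_TRANSFORMS = {"http://www.w3.org/2000/09/xmldsig#enveloped-signature",
                      "http://www.w3.org/2001/10/xml-exc-c14n#"}
def screen_saml_response(b64_response: str) -> list:
    """Return findings for a base64 SAMLResponse; an empty list means the pre-check passed."""
    try:
        root = ET.fromstring(base64.b64decode(b64_response, validate=True))
    except Exception as exc:  # bad base64 or malformed XML
        return [f"undecodable response: {exc}"]
    findings = []
    if root.tag != f"{{{NS['samlp']}}}Response":
        findings.append("root element is not samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        findings.append(f"expected exactly one Assertion, found {len(assertions)}")
    signatures = root.findall(".//ds:Signature", NS)
    if not signatures:
        findings.append("no XML signature present")
    # A signature may only cover the Response itself or the single Assertion.
    signable_ids = {a.get("ID") for a in assertions} | {root.get("ID")}
    for sig in signatures:
        for ref in sig.findall(".//ds:Reference", NS):
            uri = ref.get("URI", "")
            if not uri.startswith("#") or uri[1:] not in signable_ids:
                findings.append(f"Reference URI {uri!r} does not point at the Response or Assertion")
        for transform in sig.findall(".//ds:Transform", NS):
            alg = transform.get("Algorithm")
            if alg not in ALLOWED_TRANSFORMS:
                findings.append(f"disallowed transform algorithm {alg!r}")
    return findings

def build_sample(transform_alg: str) -> str:
    """Constructed sample Response (placeholder signature value) used only to exercise the screen."""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">'
           '<saml:Assertion ID="_a1"><saml:Issuer>https://idp.example</saml:Issuer>'
           '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
           '<ds:Reference URI="#_a1"><ds:Transforms>'
           f'<ds:Transform Algorithm="{transform_alg}"/></ds:Transforms></ds:Reference>'
           '</ds:SignedInfo><ds:SignatureValue>AAA=</ds:SignatureValue></ds:Signature>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

GOOD = build_sample("http://www.w3.org/2000/09/xmldsig#enveloped-signature")
BAD = build_sample("http://www.w3.org/TR/1999/REC-xslt-19991116")
```

This screen complements, rather than replaces, cryptographic signature verification by an up-to-date library; it only narrows what the library is ever asked to process.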
Exploitation attempts are said to have begun the day after Horizon3.ai, a penetration testing firm, released a proof-of-concept (PoC) last month. The primary goal of the attacks detected so far has been to deploy tools such as Netcat and Cobalt Strike Beacon on vulnerable hosts. Some intrusions attempted to install the AnyDesk remote access software, while others attempted to install the Buhti ransomware strain on Windows.
The sources for this piece include an article in ArsTechnica.