A security researcher published details on Twitter yesterday about a zero-day vulnerability in a Zoho enterprise product.
Cyber-security experts who have reviewed the vulnerability have told ZDNet that the zero-day could spell trouble for companies around the world, as it could be an entry point for ransomware gangs to infect corporate networks and ransom their data.
The vulnerability impacts Zoho ManageEngine Desktop Central. According to the Zoho website, this is an endpoint management solution. Companies use the product to control their fleets of devices, such as Android smartphones, Linux servers, or Mac and Windows workstations.
The product works as a central server inside a company, allowing system administrators to push updates, take control over systems remotely, lock devices, apply access restrictions, and more.
Yesterday, a security researcher named Steven Seeley published details, along with proof-of-concept demo code, about an unpatched bug in this product.
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central,” Seeley said.
The (attacker’s) code is executed without the need for authentication, and the code runs with root privileges on the machine, Seeley added.
This effectively means that hackers can take full control over ManageEngine systems, and a company’s fleet of devices.
Ideal for ransomware attacks
Products like Zoho’s ManageEngine are often employed by companies that provide remote IT support — called managed service providers (MSPs).
Over the past year, multiple ransomware gangs have figured out that they could target MSPs and the software they use to plant ransomware on the networks of their clients.
The bug disclosed today on Twitter puts all the companies that rely on Zoho ManageEngine, along with all the MSPs that rely on it and their clients, at risk.
“This sounds like the worst-case scenario for MSPs using this product,” Daniel Goldberg, a malware analyst at Guardicore, told ZDNet. “They get breached, all their customers get breached and it’s a race who will attack first.”
“Ransomware groups at this point have it down to a science,” Goldberg added. “Find a simple reliable exploit like this, attack opportunistic victims, find those with money to pay, and profit.”
More than 2,300 exposed servers
Currently, there are more than 2,300 installations of Zoho ManageEngine systems exposed on the internet, according to Nate Warfield, an analyst for the Microsoft Security Response Center.
All of these 2,300 exposed instances are akin to gateways into those companies, due to the recently shared zero-day.
In an interview with ZDNet, Leandro Velasco, a threat intel analyst for KPN Security, pointed out that this vulnerability is also ideal for lateral movement.
Even if a company does not expose Zoho ManageEngine Desktop Central over the internet, the zero-day can still be used inside its network.
An attacker gaining access to one computer inside a company’s network can use the Zoho zero-day to gain access to the ManageEngine server and then push malware to all the other computers on the company’s network.
Velasco has seen these types of attacks before while monitoring REvil (Sodinokibi) ransomware infections — one of the first ransomware strains to target MSPs and their software in so-called “supply chain attacks” on bigger targets.
This tactic — of attacking MSPs and their software — has now become mainstream among other ransomware gangs.
“In the last few months, we saw campaigns focusing on specialized software used by MSPs, like remote access management tooling,” said Sander Peters, head of KPN Security, in a report about the software supply chain risks in Europe.
In a similar report, US cyber-security firm Armor claims it tracked 13 MSPs in 2019 that were hacked or had their software abused to install ransomware on the networks of their clients.
The Zoho zero-day will, without a doubt, trigger a wave of hacks. The Shodan search listed above unearths some “juicy” targets for hackers.
Currently, a patch is not available because Seeley never notified Zoho. On Twitter, the researcher claimed that “Zoho typically ignores researchers,” and shared the code online.
Some security researchers have criticized Seeley’s move to disclose the zero-day without notifying Zoho, calling it unprofessional. However, other security researchers said they’ve also been ignored when reporting issues to Zoho.
A Zoho spokesperson told ZDNet that Seeley never contacted its security team, and that they learned of the issue from a customer. A patch is expected for later today, at 10:30am PT.
Updated to add that the vulnerability, now tracked as CVE-2020-10189, has been patched in Zoho ManageEngine Desktop Central v10.0.479.