A world of pain for Fortinet and Zoho after users failed to install patches End-shutdown

Organizations around the world are once again learning the risks of not installing security updates as multiple threat actors compete to exploit two recently patched vulnerabilities that allow them to infect some of the most critical parts of a protected network.

The vulnerabilities have severity ratings of 9.8 out of a maximum of 10 and reside in two unrelated products that are crucial for securing large networks. The first, tracked as CVE-2022-47966is a pre-authentication remote code execution vulnerability in 24 separate products from software manufacturer Zoho that use the manage engine. what patched in waves from last October to November. The second vulnerability, CVE-2022-39952It affects a product called FortiNAC, made by the cybersecurity company Fortinet and which was patched last week.

Both ManageEngine and FortiNAC advertise themselves as zero-trust products, which means they operate on the assumption that a network has been breached and constantly monitor devices to ensure they are not infected or acting maliciously. Zero-trust products do not trust any device or network node on a network, and instead actively work to verify that they are secure.

24 Zoho products affected

ManageEngine is the engine that powers a wide range of Zoho network management appliances and software that perform basic functions. AD Manager Plus, for example, helps administrators set up and maintain Active Directory, the Windows service for creating and removing all user accounts on a network and delegating system privileges to each. Password Manager Pro provides a centralized digital vault to store all password data for a network. Other ManageEngine-enabled products manage desktops, mobile devices, servers, applications, and service desks.

CVE-2022-47966 allows attackers to remotely execute malicious code by issuing a standard HTTP POST request containing a specially crafted response using Security Assertion Markup Language. (SAML, as it is abbreviated, is an open standard language used by identity providers and service providers to exchange authentication and authorization data.) The vulnerability stems from Zoho’s use of an outdated version of Apache Sanctuary for XML signature validation.

In January, about two months after Zoho fixed the ManageEngine vulnerability, security firm Horizon3.ai published a deep dive analysis which included proof-of-concept exploit code. Within a day, security companies like Bitdefender started seeing a bunch of active attacks from multiple threat actors targeting organizations around the world that had not yet installed the security update.

Some attacks exploited the vulnerability to install tools such as the Netcat command line and, from there, the Anydesk remote login software. When successful, threat actors sell initial access to other threat groups. Other attack groups exploited the vulnerability to install ransomware known as Buhti, post-exploitation tools such as Cobalt Strike and RAT-el, and malware used for espionage.

“This vulnerability is another stark reminder of the importance of keeping systems up to date with the latest security patches while employing a strong perimeter defense,” the Bitdefender researchers wrote. “Attackers don’t need to search for new exploits or novel techniques when they know that many organizations are vulnerable to previous exploits due, in part, to a lack of proper patch and risk management.”

Zoho representatives did not respond to an email seeking comment for this post.

FortiNAC under massive attack

Meanwhile, CVE-2022-39952 resides in FortiNAC, a network access control solution that identifies and monitors all devices connected to a network. Large organizations use FortiNAC to protect operational technology networks in industrial control systems, IT devices, and Internet of Things devices. The vulnerability class, known as external control of file name or pathallows unauthenticated attackers to write arbitrary files to a system and, from there, gain remote execution of code that runs with unrestricted root privileges.

fortinet patched the vulnerability on February 16 and within days, researchers from various organizations reported that it was under active exploitation. The warnings came from organizations or companies, including shadow server, croupand gray noise. Once again, Horizon3.ai provided a dive deep which analyzed the cause of the vulnerability and how it could be weaponized.

“We have started to detect the mass installation of Webshells (backdoors) to later gain access to compromised devices,” the Cronup researchers wrote.

The vulnerability is being exploited by what appears to be multiple threat actors in an attempt to install different web shells, which provide attackers with a text window through which they can remotely issue commands.

in a blog post Posted Thursday, Fortinet CTO Carl Windsor said the company regularly conducts internal security audits to find security bugs in its products.

“Importantly, it was during one of these internal audits that the Fortinet PSIRT team itself identified this remote code execution vulnerability,” Windsor wrote. “We immediately remedied and published this finding as part of our February PSIRT Notice. (If you are not subscribed to our notices, we recommend that you sign up using one of the methods described here.) Fortinet’s PSIRT policy balances our culture of transparency with our commitment to the safety of our customers.”

In recent years, various Fortinet products have been in active exploitation. In 2021, a trio of vulnerabilities in Fortinet’s FortiOS VPN, two patched in 2019 and one a year later, were targeted by attackers attempting to access multiple government, commercial, and technology services. Last December, an unknown threat actor exploited a different critical vulnerability in FortiOS SSL-VPN to infect government and government-related organizations with advanced tailor-made malware. Fortinet quietly fixed the vulnerability in late November, but did not disclose it until after the wild attacks began. The company has yet to explain why or say what its policy is for disclosing vulnerabilities in its products.

Attacks in recent years show that security products designed to keep attackers out of protected networks can be a double-edged sword that can be particularly dangerous when companies fail to disclose them or, more recently, customers fail to install the updates. Anyone who manages or monitors networks using ManageEngine or FortiNAC should immediately check if they are vulnerable. The research posts linked above provide a wealth of indicators that people can use to determine if they have been attacked.

Leave a Reply

Your email address will not be published. Required fields are marked *