Nation-state threat actors have exploited CVE-2022-47966 and CVE-2022-42475, leaving many businesses vulnerable to cyberattacks.
CISA identified at least two access vectors during an incident response engagement, which underscores how critical it is to address and mitigate both vulnerabilities. CVE-2022-47966 allows remote code execution on the public-facing ManageEngine application.
Mitigate CVE-2022-47966 with the custom-built Automox Worklets below. Then, read on for security best practices.
Advanced Persistent Threat (APT) actor activities
CVE-2022-47966 has been exploited to access the organization's web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. This vulnerability allows for remote code execution on the ManageEngine application.
Additional APT actors were also observed exploiting CVE-2022-42475, a heap buffer overflow vulnerability, to establish a presence on the firewall device of the affected organization for which CISA conducted the incident response engagement.
Once the hackers have gained access to these systems, they can move laterally within the target environment to easily steal sensitive data, compromise the organization's security, and cause disruption.
The APT actor activity has been observed to involve specific IP addresses and file paths, and these indicators are essential for detecting and responding to such attacks. By reviewing your network logs, you can check whether any of the IP addresses or file paths associated with the APT actors have appeared on your systems.
Mitigate CVE-2022-47966 on Windows and Linux with these Automox Worklets
The team of experts at Automox has created the Mitigate CVE-2022-47966 (Windows/Linux) Worklets, intended to temporarily mitigate the risk of exploitation of CVE-2022-47966.
The Worklets will create and enable host-based firewall rules to block any malicious IPs identified in the Vulnerability Report as well as drop all inbound connections to port 80 or port 443 on target devices hosting the vulnerable ManageEngine software.
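As an added example (not the Automox Worklet itself), the following POSIX shell script sketches the same host-based mitigation for a Linux host: it validates each indicator address, emits iptables rules that drop traffic from those sources and inbound TCP 80/443, and applies them only when run as root on a host where a ManageEngine process is detected. The IP list is constructed from RFC 5737 documentation ranges rather than the indicators in the CISA report, and the process-name check is an assumption.

```shell
#!/bin/sh
# Added example, not the Automox Worklet: mirror its Linux mitigation with
# host-based firewall rules that block indicator IPs and drop inbound 80/443.
# BLOCK_IPS is CONSTRUCTED from RFC 5737 documentation ranges (one entry is
# deliberately malformed); it is not the indicator list from the CISA report.
BLOCK_IPS="192.0.2.10
198.51.100.25
not-an-ip
203.0.113.7"

# Return 0 only for a dotted-quad IPv4 address whose four octets are 0-255.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
  return 0
}

# Print the iptables commands. -I inserts at the head of INPUT so the DROP
# wins over any existing ACCEPT for the web ports. A malformed indicator is
# reported on stderr and skipped instead of becoming a broken rule.
build_rules() {
  printf '%s\n' "$BLOCK_IPS" | while IFS= read -r ip; do
    [ -n "$ip" ] || continue
    if valid_ipv4 "$ip"; then
      printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    else
      printf 'skipping malformed indicator: %s\n' "$ip" >&2
    fi
  done
  for port in 80 443; do
    printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$port"
  done
}

# Apply only as root and only where ManageEngine is running (assumed check: a
# process whose command line contains "ManageEngine"); otherwise print a dry run.
apply_rules() {
  if [ "$(id -u)" -ne 0 ] || ! pgrep -f ManageEngine >/dev/null 2>&1; then
    echo "dry run (not root, or ManageEngine not detected):" >&2
    build_rules
    return 0
  fi
  build_rules | sh -e
}

apply_rules
```

Run without privileges to review the generated rules first; the Worklet's Windows counterpart would express the same two rule sets through the Windows host firewall.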
Current Automox users will find the Mitigate CVE-2022-47966 (Windows) Worklet and the Mitigate CVE-2022-47966 (Linux) Worklet directly in the console.
These Worklets let you act quickly to reduce risk on any device where an Automox agent is installed, buying time while you work out a full remediation plan.
ManageEngine has also released patches for all 24 affected products. Applying them everywhere takes time, however, so use the provided Worklets now while you plan your next steps.
Best practices to mitigate these vulnerabilities
Manage vulnerabilities and configurations. Make sure all your systems are updated with the latest security patches and that you have adequate firewalls set up to block malicious traffic. Segmenting your networks is also a good practice. This way, if one part of your network is compromised, the rest of the network remains protected.
Manage accounts, permissions, and workstations. Have a secure process in place to authenticate user sessions and monitor their activity. It is also advisable to use secure remote access software to limit the number of exposed access points to your systems.
Verify your security controls against MITRE ATT&CK techniques. Select a technique, test your security technologies against it, and tune your controls based on the results.
The threat is real, but so are your patching practices
Beat these vulnerabilities by using the Worklets above and the discussed mitigation recommendations. Threat actors are out there, but you have the power to reduce the risk of your organization being compromised.
And remember, security is an ongoing process. Stay vigilant and regularly review and update your systems to be sure you’re always protected.