Hackers are compromising vulnerable ManageEngine Desktop Central instances
Is your organization using ManageEngine Desktop Central? If the answer is yes, make sure you’ve upgraded to version 10.0.474 or risk falling prey to attackers who are actively exploiting a recently disclosed RCE flaw (CVE-2020-10189) in its software.
We’re seeing this being exploited in the wild. Watch for shady shit dropping out of java.exe, LOLBIN download of 2nd stage via bitsadmin or certutil
Working on a blog post, watch https://t.co/yI3VuU1IIa
— Eric Capuano (@eric_capuano) March 10, 2020
Active exploitation of Zoho ManageEngine (CVE-2020-10189 ) now seen in the wild – https://t.co/LeY8OnAvdR – Some additional IOCs @ https://t.co/IN1ubCXRvp
— chris doman (@chrisdoman) March 9, 2020
About ManageEngine Desktop Central
ManageEngine Desktop Central is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology.
Desktop Central is a unified endpoint management solution that helps companies, including managed service providers (MSPs), to centrally control servers, laptops, smartphones, and tablets.
About the vulnerability (CVE-2020-10189)
CVE-2020-10189 allows for deserialization of untrusted data and allows unauthenticated, remote attackers to execute arbitrary code on affected installations of ManageEngine Desktop Central and achieve SYSTEM/root privileges.
This would allow them to install malicious programs or push malicious updates onto the managed devices, lock them, and so on.
The vulnerability affects Desktop Central versions prior to 10.0.474 and was unearthed by Steven Seeley of Source Incite, who revealed its existence publicly last week through a tweet and security advisory that also links to PoC exploit code.
At the time, the vulnerability was a zero-day (unknown to and unaddressed by the vendor), since Seeley didn’t share his findings with Zoho/ManageEngine prior to the advisory’s publication – ostensibly because “Zoho typically ignores researchers.”
A day later ManageEngine issued a security update (v10.0.479) to correct the flaw and offered mitigation advice.
The danger
Nate Warfield, senior security program manager at Microsoft, used the Shodan search engine to find some 2,300 publicly accessible Desktop Central instances.
But even instances that aren’t exposed externally can be exploited by attackers who have achieved access to the target organization’s through another security hole, allowing them to broaden their presence.
Finally, since the solution is often used by managed service providers (MSPs), compromised Desktop Central instances could result in the simultaneous compromise of many client organizations’ endpoints and, through them, networks.
Organizations who use ManageEngine Desktop Central should upgrade to a safe version as soon as possible.