A Zero-day Vulnerability in a Zoho Enterprise Product Published on Twitter


A security researcher released details of a zero-day flaw in a Zoho Enterprise product on Twitter yesterday.

The cyber-security experts who looked at the vulnerability have advised companies around the world that the zero-day issue may be an entry-level point for ransomware gangs to infiltrate and ransom corporate networks.

The bug affects central Server of the Zoho ManageEngine. It is an endpoint security system according to the Zoho web site. Organizations use the software to power their system fleets— such as Android devices, Ubuntu servers or workstations on Mac and Windows.

The software acts within an organization as a central server enabling system administrators to push changes, remotely take control of processes, lock computers, implement access restrictions, and more.

A security researcher named Steven Seeley yesterday released information about an unpatched vulnerability in this app, along with proof-of-concept demo code.

“This bug lets remote attackers execute arbitrary code on ManageEngine Desktop Central’s impacted installations,” Seeley said.

The application (attackers) is performed without the need for authorization, and Seeley added that the code operates on the computer with root rights.

This effectively means hackers will take full control of ManageEngine networks, and the computer fleet of a corporation.

Services such as Zoho’s ManageEngine are also used by organizations who offer centralized IT service — or MSPs.

Several ransomware groups have worked out over the last year that they could threaten MSPs and the tools they use to plant Ransomware on their customers ‘ networks.

The error posted on Twitter today puts at risk all the companies that rely on Zoho ManageEngine, along with all the MSPs who are dependent on it and their customers.

“This sounds like the worst-case scenario for MSPs using this product,” Daniel Goldberg, a malware analyst at Guardicore told. “They get breached, all their customers get breached and it’s a race who will attack first.”

“Ransomware groups at this point have it down to a science,” Goldberg added. “Find a simple reliable exploit like this, attack opportunistic victims, find those with money to pay, and profit.”

According to Nate Warfield, a researcher for the Microsoft Security Response Center, more than 2,300 implementations of Zoho ManageEngine devices are reportedly available online.

All these 2,300 open installs are due to the recent mutual zero-day, equivalent to gates for these businesses.

Leandro Velasco, a KPN security threat expert, also found out in an interview with ZDNet that the flaw is suitable for lateral movement as well.

Even if the Zoho ManageEngine Workspace Central is not released via the Internet, it may be used within its networks.

An intruder that has access to a computer within the network of an organization can use the Zoho zero-day to reach the ManageEngine registry to transfer Ransomware to all machines of the company’s network.

Velasco has also seen such kinds of attacks when tracking REvil (Sodinokibi) infections of Ransomware — one of the first ransomware attacks to hit MSPs and their applications through so-called ‘supply chain attacks’ against broader targets.

This strategy— to target MSPs and their apps— has become a common one among ransomware gangs.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.