CVE-2022-47966

Vulnerability Profile Updated 3 months ago
CVE-2022-47966 is a critical, unauthenticated remote code execution (RCE) vulnerability in Zoho ManageEngine products, including ServiceDesk Plus, a widely used IT management suite. The flaw stems from an outdated third-party dependency, Apache Santuario (XML Security for Java), and affects roughly two dozen ManageEngine products; an instance is exploitable when SAML single sign-on is enabled or, depending on the product, was enabled at some point in the past. For those products, disabling SSO is not a substitute for upgrading to the fixed build listed in Zoho's advisory. Cisco's Kenna assigned the vulnerability a risk score of 100 out of 100, its highest severity rating, and CISA lists it in the Known Exploited Vulnerabilities catalog.

Exploitation in the wild began just five days after proof-of-concept (PoC) exploit code was publicly disclosed. North Korea's Lazarus Group used the vulnerability to deliver and deploy QuiteRAT, a newer implant that shares many capabilities with the group's MagicRAT but has a significantly smaller file size. The Iranian Peach Sandstorm APT (APT33) was observed attempting to exploit it together with an Atlassian Confluence RCE flaw (CVE-2022-26134) to infiltrate target environments; remote exploitation of known RCE bugs in ManageEngine and Confluence was a common initial-access method for the group, and in some intrusions it favored these exploits over its usual password spraying. In 2022, two exploits of the ManageEngine flaw and one ProxyNotShell (CVE-2022-41080, CVE-2022-41082) sample were seen.

A CISA advisory (AA23-250A) described nation-state APT groups, including an unattributed group targeting a U.S. aeronautical sector organization, exploiting CVE-2022-47966 to gain unauthorized access to the victim's ManageEngine ServiceDesk Plus instance and subsequently moving laterally through its network. Check Point IPS provides protection against exploitation of the Zoho ManageEngine RCE (CVE-2022-47966).
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
ManageEngine
Vulnerability
Exploit
Remote Code ...
Confluence
Fortinet
RCE (Remote ...
APT
Flaw
Windows
Infiltration
Malware
Exploits
Apache
UK
FortiOS
Iran
Microsoft
CISA
Implant
State Sponso...
Associated Malware
CollectionRAT (type: Unspecified, 1 vote)
CollectionRAT is a newly identified malware, discovered by cybersecurity researchers who traced its origins through reused infrastructure components. This malware is designed to exploit and damage computers or devices, often infiltrating systems via suspicious download

MagicRAT (type: Unspecified, 1 vote)
MagicRAT is a type of malware, first observed by Cisco Talos in 2022, that was used by the Lazarus Group to exploit vulnerabilities in publicly exposed VMware Horizon platforms, primarily targeting energy companies worldwide. This malicious software, which can infiltrate systems through suspicious d

QuiteRAT (type: Unspecified, 1 vote)
QuiteRAT is a new type of malware associated with the North Korea-linked Lazarus Group, known for their use of custom malware. Built using the Qt framework, QuiteRAT is smaller in size compared to MagicRAT, another malware linked to the group, due to its incorporation of fewer Qt libraries and lack

Conti (type: Unspecified, 1 vote)
Conti is a type of malware, specifically ransomware, known for its ability to disrupt operations, steal personal information, and hold data hostage for ransom. The malicious software infiltrates systems via suspicious downloads, emails, or websites, often unbeknownst to the user. It has been used in
Associated Threat Actors
Peach Sandstorm (relationship: has used, 3 votes)
Peach Sandstorm, also known as Curious Serpens, APT33, Elfin, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor group believed to be linked to the Iranian nation-state. The group has been active since at least 2013 and has previously targeted sectors such as aerospace and energy for espionag

Lazarus Group (relationship: Unspecified, 1 vote)
The Lazarus Group, a notorious threat actor believed to be linked to North Korea, has been attributed with a series of significant cyber-attacks over the past few years. The group's malicious activities include the exploitation of digital infrastructure, stealing cryptocurrency, and executing large-

Mint Sandstorm (relationship: Unspecified, 1 vote)
Mint Sandstorm, an Iranian nation-state threat actor also known as APT35 and Charming Kitten, has been identified by Microsoft as a significant cybersecurity concern. The group is linked to Iran's Islamic Revolutionary Guard Corps and is known for its sophisticated cyber campaigns targeting high-val
Associated Vulnerabilities
CVE-2022-26134 (relationship: Unspecified, 3 votes)
CVE-2022-26134 is a critical software vulnerability that was discovered in Atlassian Confluence Server and Data Center. This flaw, which allows for remote code execution (RCE), was publicly disclosed by Atlassian in June 2022. The Cybersecurity and Infrastructure Security Agency (CISA) recognized th

CVE-2022-42475 (relationship: Unspecified, 2 votes)
The critical zero-day vulnerability, CVE-2022-42475, was discovered in FortiGate firewalls during an incident investigation by the vendor. This flaw in software design or implementation allows an unauthenticated attacker to execute arbitrary code on affected systems. The vulnerability is present in

CVE-2021-40539 (relationship: Unspecified, 1 vote)
None

CVE-2022-41080 (relationship: Unspecified, 1 vote)
CVE-2022-41080 is a significant software vulnerability identified in 2022, specifically a flaw in the design or implementation of Microsoft Exchange Server. This vulnerability enables Server-Side Request Forgery (SSRF), potentially allowing malicious actors to manipulate server requests and execute

ProxyNotShell CVE-2022-41080 (relationship: Unspecified, 1 vote)
None

ProxyNotShell (relationship: Unspecified, 1 vote)
ProxyNotShell is the name given to a pair of Microsoft Exchange Server vulnerabilities, an SSRF flaw (CVE-2022-41040) chained with a remote code execution flaw (CVE-2022-41082), as analyzed by Palo Alto Networks' Unit 42 among others. The ProxyNotShell exploit method leveraged an AutoDiscover endpoint t

Citrix Bleed (relationship: Unspecified, 1 vote)
Citrix Bleed, identified as CVE-2023-4966, is a severe software vulnerability in Citrix NetScaler Gateway and NetScaler ADC products, with a high CVSS score of 9.4 indicating its critical nature. This flaw allows for sensitive information disclosure, bypassing password requirements and multifactor a

Log4Shell (relationship: Unspecified, 1 vote)
Log4Shell is a software vulnerability, specifically a flaw in the design or implementation of the popular Java logging library, Log4j. Identified as CVE-2021-44228, this vulnerability allows an attacker to remotely execute arbitrary code, often leading to full system compromise. Advanced Persistent
Source Document References
Information about the CVE-2022-47966 vulnerability was read from the documents corpus below. This display is limited to 20 results.

Source, created at: title
DARKReading, 4 months ago: Fortinet Warns of Yet Another Critical RCE Flaw
CERT-EU, 7 months ago: Actively exploited 0-days in Ivanti VPN are letting hackers backdoor networks | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
BankInfoSecurity, 10 months ago: Hackers Impersonate Meta Recruiter to Target Aerospace Firm
CERT-EU, 10 months ago: Time keeps on slippin' slippin' slippin': The 2023 Active Adversary Report for Tech Leaders
BankInfoSecurity, 10 months ago: Feds Warn Health Sector of Lazarus Group Attacks
CERT-EU, 10 months ago: Iranian Hackers Attack Thousands of Organizations Using Password Spraying
Securityaffairs, 10 months ago: Iranian Peach Sandstorm group behind recent password spray attacks - Security Affairs
DARKReading, 10 months ago: Microsoft: 'Peach Sandstorm' Cyberattacks Target Defense, Pharmaceutical Orgs
CERT-EU, 10 months ago: Global password spray attacks target thousands of organizations
CERT-EU, 10 months ago: Iranian Threat Group Hits Thousands With Password Spray Campaign
CERT-EU, 10 months ago: Cyber Security Week in Review: September 15, 2023
CERT-EU, 10 months ago: Iranian Nation-State Actors Employ Password Spray Attacks Targeting Multiple Sectors
DARKReading, 10 months ago: Iranian APT Hits US Aviation Org via ManageEngine, Fortinet Bugs
Checkpoint, a year ago: 11th September – Threat Intelligence Report - Check Point Research
CERT-EU, a year ago: Google warns infoseccers getting N Korea's attention again
CERT-EU, a year ago: APTs hit aeronautic firms with Zoho and Fortinet bugs
CERT-EU, a year ago: SafeBreach Coverage for US-CERT Alert AA23-250A
CERT-EU, a year ago: Aviation sector organization hit by exploit of CVE duo | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
BankInfoSecurity, a year ago: Feds Urge Immediate Patching of Zoho and Fortinet Products
CERT-EU, a year ago: Cyber Security Week in Review: September 8, 2023