BLOG: 12 Vulnerabilities of Christmas CVE-2020-10189
Day three of our Christmas vulnerability countdown looks at a vulnerability in Zoho ManageEngine. This CVE was targeted to great effect by Chinese state actors, who particularly went after Managed Service Providers (MSPs) as a route to supply chain compromises.
CVE-2020-10189 is a critical vulnerability affecting Zoho’s ManageEngine Desktop Central software, which enables large organisations to manage fleets of corporate devices, including pushing software updates, locking users, taking over their screens for IT support and other features. Attackers who compromise a Desktop Central server by exploiting this vulnerability would therefore be able to control an organisation’s fleet of devices, with potentially catastrophic consequences, since the server provides a ready-made path for lateral movement across corporate networks and devices.
The vulnerability was published on 5 March, 2020. A Metasploit module for related exploits was published a week later on 14 March, allowing threat actors to easily leverage the vulnerability to breach organisations’ Desktop Central servers.
Evidence of active exploitation in the wild came shortly afterwards. Concerns that the vulnerability could be leveraged by ransomware groups to move laterally between a compromised ManageEngine server and corporate devices were swiftly realised. On 28 April, Microsoft published a security advisory strongly advising companies to patch CVE-2020-10189, in the context of a wave of ransomware attacks against hospitals and other organisations in the health sector.
Concrete evidence of exploitation in the wild surfaced on 25 March with reports of the vulnerability being exploited by APT41, a sophisticated threat actor conducting cyber espionage operations on behalf of the Chinese state. In one such campaign targeting MSPs between January and March 2020, the group was observed successfully leveraging CVE-2020-10189 against organisations as early as 8 March, days after the initial proof-of-concept for the exploit was released. MSPs have become favoured targets for both state espionage campaigns and ransomware groups because compromising an MSP facilitates supply-chain compromise of its customers, allowing the threat actor to reach multiple victims simultaneously and stealthily.
Interest amongst threat actors was evident early on following the initial disclosure of the vulnerability. Cybercriminals on dark web and underground hacking forums registered interest in exploiting it, with threads like the one below exploring how to exploit CVE-2020-10189 using Metasploit.
Figure 1: A thread providing instructions on exploiting CVE-2020-10189 using Metasploit on a Turkish hacking forum
Despite active exploitation and the publication of security advisories recommending that organisations urgently patch their Desktop Central servers, we were able to detect 706 servers currently vulnerable to CVE-2020-10189. Most of these vulnerable hosts are located in the United States (219), with the United Kingdom (59) and China (31) following behind.
Given the high potential for ransomware groups and state espionage units to exploit the vulnerability for rapid lateral movement within organisations’ networks and devices, and the number of vulnerable hosts still exposed worldwide, we advise organisations to follow these steps:
Obfuscate HTTP banners to avoid active reconnaissance of these instances by opportunistic threat actors.
Upgrade to the latest version of Desktop Central, as the vulnerability affects versions prior to 10.0.479.
Follow the further steps outlined by ManageEngine on their website in order to restore compromised instances and stop further lateral movement.
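As an added example (not code from the original post or from ManageEngine), the script below triages a constructed asset-inventory export of Desktop Central banners against the fixed build 10.0.479 named above. The host names, banner strings and the comma-separated inventory format are all hypothetical. It deliberately compares build numbers as integer tuples rather than strings, because a plain string comparison would wrongly rank a later build such as 10.0.1000 below 10.0.479 and report a patched server as vulnerable.

```python
"""Triage Desktop Central build numbers against the fixed build for CVE-2020-10189.

Added example: the inventory format and host names are constructed, not real data.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Per the post, versions prior to 10.0.479 are affected.
FIXED_BUILD: Tuple[int, int, int] = (10, 0, 479)

# Constructed sample inventory: "<hostname>,<HTTP banner or version string>".
SAMPLE_INVENTORY = """\
dc-lon-01,ManageEngine Desktop Central 10.0.479
dc-nyc-02,ManageEngine Desktop Central 10.0.478
dc-sha-03,Desktop Central build 10.0.1000
dc-ber-04,Zoho ManageEngine Desktop Central 9.1.178
dc-unk-05,banner withheld
"""

# Three dotted integer groups, e.g. 10.0.479; tolerant of surrounding text.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_build(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract a (major, minor, build) tuple from a banner, or None if absent."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, build = (int(group) for group in match.groups())
    return (major, minor, build)


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the build is below the fix, False if at/after it, None if unknown.

    Tuple comparison is numeric per component, so (10, 0, 1000) correctly sorts
    after (10, 0, 479) even though "10.0.1000" < "10.0.479" as strings.
    """
    build = parse_build(text)
    if build is None:
        return None
    return build < FIXED_BUILD


def triage(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Bucket inventory lines into vulnerable, patched and unknown host lists."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for raw in lines:
        line = raw.strip()
        if not line or "," not in line:
            continue  # skip blank or malformed rows rather than guessing
        host, banner = line.split(",", 1)
        status = is_vulnerable(banner)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["vulnerable"].append(host)
        else:
            result["patched"].append(host)
    return result


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY.splitlines())
    for bucket, hosts in report.items():
        print(f"{bucket:>10}: {', '.join(hosts) or '-'}")
```

Hosts landing in the "unknown" bucket (for example where the banner has been obfuscated, as the first recommendation suggests) still need to be confirmed by checking the build number from the administration console, since an absent banner says nothing about the patch level.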