State-backed hacking groups have breached a U.S. aeronautical organization using exploits targeting critical Zoho ManageEngine and Fortinet vulnerabilities, a joint advisory published by CISA, the FBI, and the United States Cyber Command (USCYBERCOM) revealed on Thursday.
The threat groups behind this breach are yet to be named, but while the joint advisory didn’t connect the attackers to a specific state, USCYBERCOM’s press release links the malicious actors to Iranian exploitation efforts.
CISA was part of the incident response between February and April and said the hacking groups had been in the compromised aviation organization’s network since at least January after hacking an Internet-exposed server running Zoho ManageEngine ServiceDesk Plus and a Fortinet firewall.
“CISA, FBI, and CNMF confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network,” reads the advisory.
“This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.”
As the three U.S. agencies warn, these threat groups frequently scan for vulnerabilities on Internet-facing devices unpatched against critical and easy-to-exploit security bugs.
After infiltrating a target’s network, the attackers will maintain persistence on hacked network infrastructure components. These network devices will likely be used as stepping stones for lateral movement within the victims’ networks, as malicious infrastructure, or a combination of both.
They include but are not limited to securing all systems against all known exploited vulnerabilities, monitoring for unauthorized use of remote access software, and removing unnecessary (disabled) accounts and groups (especially privileged accounts).
Previous attacks and warnings to secure systems
CISA ordered federal agencies to secure their systems against CVE-2022-47966 exploits in January, days after threat actors started targeting unpatched ManageEngine instances exposed online to open reverse shells after proof-of-concept (PoC) exploit code was released online.
Months after CISA’s warning, the North Korean Lazarus hacking group also started exploiting the Zoho ManageEngine flaw, successfully breaching healthcare organizations and an internet backbone infrastructure provider.
The CVE-2022-42475 FortiOS SSL-VPN vulnerability was also exploited as a zero-day in attacks against government organizations and related targets, as Fortinet disclosed in January.
Fortinet also cautioned that additional malicious payloads were downloaded onto the compromised devices during the attacks, payloads that could not be retrieved for analysis.
Customers were first urged to patch their appliances against ongoing attacks in mid-December after Fortinet quietly fixed the bug on November 28 without releasing information that it was already being exploited in the wild.
Update September 11, 06:39 EDT: Changed Zoho to ManageEngine in the title to avoid confusion.
Update September 11, 08:31 EDT: A Zoho spokesperson sent the following statement after the article was published:
ManageEngine would like to clarify that CVE-2022-47966 refers to a vulnerability in ManageEngine branded on-premises (locally installable) products, which was successfully patched in late 2022. For more details, please refer to our security advisory at: https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html.
Given that the affected products are on-premises, we emphasize the importance of consistently updating your installations whenever we release security patches. Rest assured, if you have upgraded your ManageEngine products with our 2022 patch, they remain unaffected by CVE-2022-47966.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.