US Aeronautical Organization Hacked via Zoho, Fortinet Vulnerabilities 

APTs exploited vulnerabilities in Zoho ManageEngine and Fortinet VPNs to hack an aerospace organization in early January 2023.

Advanced persistent threat (APT) actors have exploited known vulnerabilities in Zoho ManageEngine and Fortinet VPN products to hack an organization in the aeronautical sector, according to a joint report from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber Command’s Cyber National Mission Force (CNMF).

Impacting more than 20 on-premises Zoho ManageEngine products, the first bug, tracked as CVE-2022-47966 (CVSS score of 9.8), allows remote attackers to execute arbitrary code on affected systems.

The critical-severity issue was patched in November 2022, but the first signs of exploitation were observed in January 2023, shortly before a proof-of-concept (PoC) exploit targeting the flaw was published. At the time, security firms identified thousands of exposed ManageEngine instances.

The second vulnerability, CVE-2022-42475 (CVSS score of 9.8), impacts multiple FortiOS SSL-VPN and FortiProxy SSL-VPN versions, and was addressed with emergency patches in December 2022.

In January 2023, however, Mandiant warned that the vulnerability had been exploited by Chinese hackers as a zero-day, before the patches were released, in attacks aimed at a European government organization and a managed service provider in Africa.

After investigating between February and April 2023, CISA, FBI, and CNMF discovered that multiple APTs exploited the two flaws starting in January this year, to establish persistence on an aeronautical organization’s network.

“CISA and co-sealers assess that beginning as early as January 2023, multiple nation-state APT actors were present on the organization’s network via at least two initial access vectors,” the three agencies note in an advisory (PDF).


By exploiting CVE-2022-47966, the attackers gained root-level access to the web server hosting Zoho ManageEngine ServiceDesk Plus, created a local user account with administrative privileges, performed reconnaissance, deployed malware, harvested credentials, and moved laterally into the network.

“CISA and co-sealers were unable to determine if proprietary information was accessed, altered, or exfiltrated. This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage,” the advisory reads.

Another APT, the advisory reveals, exploited CVE-2022-42475 to compromise the organization’s firewall device and establish multiple VPN connections during the first half of February. The attackers disabled admin credentials and deleted logs, preventing the detection of follow-up activities.

“It was identified that APT actors compromised and used disabled, legitimate administrative account credentials from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity,” the advisory explains.

The attackers established multiple TLS-encrypted sessions to transfer data from the compromised firewall and moved laterally to a web server, where they deployed web shells.

The investigation revealed that the threat actors used multiple readily available tools during their attacks, including Mimikatz (credential dumping), Ngrok (creates a private connection tunnel), ProcDump (process dumper), Metasploit, anydesk.exe (remote access), and others.

In their advisory, CISA, FBI, and CNMF provide information on these tools, a detailed timeline of the observed activity, indicators of compromise (IoCs) associated with the attacks, and a list of recommended mitigations to prevent similar attacks.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
