Advanced persistent threat (APT) actors have exploited known vulnerabilities in Zoho ManageEngine and Fortinet VPN products to hack an organization in the aeronautical sector, according to a joint report from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber Command’s Cyber National Mission Force (CNMF).
Impacting more than 20 on-premises Zoho ManageEngine products, the first bug, tracked as CVE-2022-47966 (CVSS score of 9.8), allows remote attackers to execute arbitrary code on affected systems.
The critical-severity issue was patched in November 2022, but the first signs of exploitation were observed in January 2023, shortly before a proof-of-concept (PoC) exploit targeting the flaw was published. At the time, security firms identified thousands of exposed ManageEngine instances.
The second vulnerability, CVE-2022-42475 (CVSS score of 9.8), impacts multiple FortiOS SSL-VPN and FortiProxy SSL-VPN versions, and was addressed with emergency patches in December 2022.
In January 2023, however, Mandiant warned that the vulnerability had been exploited by Chinese hackers as a zero-day, before the patches were released, in attacks aimed at a European government organization and a managed service provider in Africa.
After investigating between February and April 2023, CISA, FBI, and CNMF discovered that multiple APTs exploited the two flaws starting in January this year, to establish persistence on an aeronautical organization’s network.
“CISA and co-sealers assess that beginning as early as January 2023, multiple nation-state APT actors were present on the organization’s network via at least two initial access vectors,” the three agencies note in an advisory (PDF).
By exploiting CVE-2022-47966, the attackers gained root level access to the web server hosting Zoho ManageEngine ServiceDesk Plus, created a local user account with administrative privileges, performed reconnaissance, deployed malware, harvested credentials, and moved laterally into the network.
“CISA and co-sealers were unable to determine if proprietary information was accessed, altered, or exfiltrated. This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage,” the advisory reads.
Another APT, the advisory reveals, exploited CVE-2022-42475 to compromise the organization’s firewall device and establish multiple VPN connections during the first half of February. The attackers disabled admin credentials and deleted logs, preventing the detection of follow-up activities.
“It was identified that APT actors compromised and used disabled, legitimate administrative account credentials from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity,” the advisory explains.
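The two behaviours just described, a logon with credentials the organization had already disabled and a newly created local account being granted administrative rights, together with the log deletion mentioned earlier, are the kind of thing a defender can catch by correlating identity records with authentication and account-management events. The following Python sketch is an added example, not code from the advisory or from any of the agencies; the event line format, the account names, the group names and the sample events are all constructed for the illustration.

```python
import re

# Constructed event format for this example (not the advisory's log format):
# "<timestamp> <EVENT_NAME> key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+)(?P<kv>(?: \w+=\S+)*)$")

# Accounts the organisation's identity records say are disabled (hypothetical).
DISABLED_ACCOUNTS = {"svc_contractor"}

# Groups whose membership confers administrative rights (hypothetical list).
ADMIN_GROUPS = {"Administrators", "wheel", "sudo"}

# Constructed sample events; addresses come from the RFC 5737 documentation range.
SAMPLE_LINES = [
    "2023-02-03T09:12:01Z LOGON_SUCCESS user=svc_contractor src=203.0.113.7",
    "2023-02-03T09:15:44Z ACCOUNT_CREATED user=support2",
    "2023-02-03T09:16:02Z GROUP_MEMBER_ADDED user=support2 group=Administrators",
    "garbage line here",
    "2023-02-03T09:30:00Z LOGON_SUCCESS user=alice src=10.0.0.5",
    "2023-02-03T10:02:13Z AUDIT_LOG_CLEARED user=support2",
    "2023-02-03T10:10:00Z GROUP_MEMBER_ADDED user=alice group=Administrators",
]


def parse_line(line):
    """Parse one event line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(item.split("=", 1) for item in m.group("kv").split())
    return {"ts": m.group("ts"), "event": m.group("event"), **fields}


def detect(lines, disabled_accounts=DISABLED_ACCOUNTS, admin_groups=ADMIN_GROUPS):
    """Return (timestamp, rule, user) alerts for three post-compromise behaviours:
    a logon by a disabled account, a new account made admin, and log clearing."""
    alerts = []
    newly_created = set()  # accounts created within this batch of events
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip junk rather than crash on a bad line
        user = ev.get("user")
        event = ev["event"]
        if event == "LOGON_SUCCESS" and user in disabled_accounts:
            # A credential that should be dead is being accepted somewhere.
            alerts.append((ev["ts"], "disabled_account_logon", user))
        elif event == "ACCOUNT_CREATED":
            newly_created.add(user)
        elif (event == "GROUP_MEMBER_ADDED"
              and ev.get("group") in admin_groups
              and user in newly_created):
            # Only flag admin rights granted to an account created in this batch;
            # a pre-existing account being added (alice above) is left to other rules.
            alerts.append((ev["ts"], "new_local_admin", user))
        elif event == "AUDIT_LOG_CLEARED":
            # Clearing audit logs is itself worth an alert, whoever does it.
            alerts.append((ev["ts"], "audit_log_cleared", user))
    return alerts


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(SAMPLE_LINES)


if __name__ == "__main__":
    for ts, rule, user in run_demo():
        print(f"{ts} {rule:<24} {user}")
```

The first rule is the important one for this incident: it only works if the list of disabled accounts comes from an authoritative source (the HR or identity system) rather than from the device that accepted the logon, since that device evidently still honoured the credential. The third rule exists because an attacker who clears logs removes the evidence for the other two, so the clearing event itself must be forwarded off-host before it can be deleted.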
The attackers established multiple TLS-encrypted sessions to transfer data from the compromised firewall and moved laterally to a web server, where they deployed web shells.
The investigation revealed that the threat actors used multiple readily available tools during their attacks, including Mimikatz (credential dumping), Ngrok (creates a private connection tunnel), ProcDump (process memory dumping), Metasploit, anydesk.exe (remote access), and others.
In their advisory, CISA, FBI, and CNMF provide information on these tools, a detailed timeline of the observed activity, indicators of compromise (IoCs) associated with the attacks, and a list of recommended mitigations to prevent similar attacks.