A security advisory from the CISA, the FBI, and the Cyber National Mission Force detailed about a Multiple Nation state threat actors have leveraged popular vulnerabilities of Zoho and Fortinet and compromised U.S. aeronautical organization in back-to-back attacks.
Both vulnerabilities are rated as critical and were part of Known Exploited Vulnerabilities Catalog, prompting a reminder from security agencies about the importance of patching all systems,
As per the advisory, the nation-state APT groups exploited a critical remote code execution vulnerability (CVE-2022-47966) to gain unauthorized access to the organization’s Zoho ManageEngine ServiceDesk Plus instance, and then moved laterally through its network.
Other APT groups exploited a heap-based buffer overflow vulnerability (CVE-2022-42475) in FortiOS SSL-VPN to establish presence on the organization’s Fortinet firewall device.
The attacks are believed to have begun in January this year. CISA conducted an incident response engagement between February and April, identifying “an array of threat actor activity”.
The advisory did not attribute the attack to any specific threat groups but noted CISA’s investigation uncovered overlapping (TTPs) that could be ascribed to multiple APT groups. Through the Zoho exploit, the threat actors were able to achieve root level web server access and create a local user account with administrative privileges.
It was unclear if the attacks resulted in data being accessed, altered or exfiltrated. “This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage.”
In the attacks against the aeronautical organization’s Fortinet firewall, carried out between February 1-16, the advisory said the APT groups compromised and exploited legitimate administrative account credentials used by a contractor previously hired by the organization. The credentials were disabled prior to the attack.
One of the security agencies’ recommendations in the advisory was that organizations remove all unnecessary and disabled accounts and groups related to applications on their networks if they are no longer needed, especially privileged accounts.
The advisory warned that firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors.