Multiple nation-state actors [2] [3] [8], including those from China, Iran [6], and North Korea [6], have been targeting vulnerabilities in Zoho ManageEngine ServiceDesk Plus and Fortinet FortiOS SSL-VPN [3] [4] [9], according to cybersecurity officials [6].

Description

These actors exploited critical vulnerabilities [3] [9], specifically CVE-2022-47966 and CVE-2022-42475 [2] [3] [7] [10], to gain unauthorized access to an organization’s systems [3] [7]. By exploiting CVE-2022-47966 [1] [2] [5] [7], a remote code execution flaw in Zoho ManageEngine, the threat actors breached a web server hosting Zoho ManageEngine ServiceDesk Plus [6]. This allowed them to obtain root-level access, download additional malware [2], collect administrative user credentials [2] [5] [7] [8] [9], and move laterally through the network [2] [3] [4] [7].

Additionally, the attackers exploited CVE-2022-42475 [5], a heap-based buffer overflow vulnerability in Fortinet FortiOS SSL-VPN, to access the organization’s firewall and establish multiple VPN connections from malicious IP addresses [6].

The organization’s lack of clear data location definitions and limited network sensor coverage made it difficult to determine if proprietary information was accessed or exfiltrated [7].

To prevent exploitation by malicious actors [6], organizations should promptly patch these vulnerabilities and remove unnecessary and disabled accounts. It is also important to enable Network Address Translation (NAT) IP logging and to monitor for unauthorized access, which strengthens detection capabilities.
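The monitoring recommendation above can be made concrete for the behaviour described earlier (several SSL-VPN connections from unexpected addresses). The following is an added example, not code from the advisory or from Fortinet: it assumes FortiGate-style key=value VPN event lines with the fields `action`, `tunneltype`, `user` and `remip`, a constructed expected-source range, and constructed sample log lines.

```python
# Hypothetical detection helper (added example, not from the advisory or Fortinet).
# Assumes FortiGate-style key=value SSL-VPN event lines with the fields
# action, tunneltype, user and remip; the sample lines below are constructed.
import ipaddress
import re
from collections import defaultdict

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Constructed sample events using documentation address ranges.
SAMPLE_LOGS = """\
date=2023-01-10 time=08:01:15 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jsmith" remip=203.0.113.10 msg="SSL tunnel established"
date=2023-01-10 time=08:05:42 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jsmith" remip=198.51.100.23 msg="SSL tunnel established"
date=2023-01-10 time=08:06:01 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="admin" remip=192.0.2.77 msg="SSL tunnel established"
date=2023-01-10 time=08:07:30 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" user="jsmith" remip=203.0.113.10 msg="SSL tunnel shutdown"
date=2023-01-10 time=09:12:00 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="mlee" remip=203.0.113.55 msg="SSL tunnel established"
"""

# Assumed: the organization's known remote-access egress range (constructed value).
EXPECTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_event(line):
    """Split one key=value log line into a dict; quoted values lose their quotes."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def review_ssl_vpn(log_text, expected_sources=EXPECTED_SOURCES):
    """Return (unexpected, multi_source): (user, ip) pairs for SSL-VPN tunnel-ups
    from outside the expected ranges, and users whose tunnels came from more than
    one distinct address (several VPN connections from differing IPs)."""
    unexpected = []
    sources = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("action") != "tunnel-up" or ev.get("tunneltype") != "ssl-tunnel":
            continue  # only tunnel establishment matters here
        user, ip = ev.get("user", "?"), ipaddress.ip_address(ev["remip"])
        sources[user].add(str(ip))
        if not any(ip in net for net in expected_sources):
            unexpected.append((user, str(ip)))
    multi_source = {u: sorted(ips) for u, ips in sources.items() if len(ips) > 1}
    return unexpected, multi_source


if __name__ == "__main__":
    for finding in review_ssl_vpn(SAMPLE_LOGS):
        print(finding)
```

In practice the expected-source list would be fed from the organization's own egress inventory, and the findings forwarded to the SIEM rather than printed.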

Conclusion

The exploitation of these vulnerabilities highlights the need for organizations to prioritize cybersecurity measures. The impacts of these attacks can be severe, including unauthorized access [2] [3] [6] [7] [8] [9], data breaches, and potential loss of proprietary information. Mitigations such as promptly patching vulnerabilities, removing unnecessary accounts [2] [3], and enabling monitoring systems can help prevent and detect unauthorized access. Looking forward, organizations should remain vigilant and proactive in their cybersecurity efforts to protect against future threats.

References

[1] https://www.tenable.com/blog/aa23-250a-multiple-nation-state-threat-actors-exploit-cve-2022-47966-and-cve-2022-42475
[2] https://thehackernews.com/2023/09/cisa-warning-nation-state-hackers.html
[3] https://www.scmagazine.com/news/apts-hit-aeronautic-firms-with-zoho-and-fortinet-bugs
[4] https://allinfosecnews.com/item/apt-actors-exploited-known-zoho-fortinet-flaws-to-hit-aeronautical-org-2023-09-07/
[5] https://secoperations.wordpress.com/2023/09/09/nation-state-actors-exploit-fortinet-fortios-ssl-vpn-and-zoho-manageengine-servicedesk-plus-cisa-warns/
[6] https://www.databreachtoday.com/feds-urge-immediately-patching-zoho-fortinet-products-a-23038
[7] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-250a
[8] https://vulners.com/thn/THN:1AFD9B38CF83CBCCF34CEA589CD5838B
[9] https://duo.com/decipher/apt-exploited-known-zoho-fortinet-flaws-to-hit-aeronautical-entity
[10] https://www.picussecurity.com/resource/blog/cve-2022-47966-and-cve-2022-42475-cisa