Advanced persistent threat (APT) actors have recently targeted an aeronautical organization, leveraging known vulnerabilities in Zoho ManageEngine and Fortinet VPN products. This attack highlights the importance of promptly patching software vulnerabilities to prevent unauthorized access.
Vulnerability in Zoho ManageEngine
The first bug, identified as CVE-2022-47966, impacted more than 20 on-premises Zoho ManageEngine products, potentially affecting a wide range of organizations. This critical vulnerability allowed remote attackers to execute arbitrary code on affected systems. Rated with a CVSS score of 9.8, it presented a severe risk to the affected organizations.
Vulnerability in Fortinet VPN
The second vulnerability, tracked as CVE-2022-42475, impacted multiple versions of FortiOS SSL-VPN and FortiProxy SSL-VPN. Recognizing the urgency, emergency patches were released in December 2022 to address this vulnerability. With a CVSS score of 9.8, the flaw presented a significant security risk to organizations relying on these VPN solutions.
APT Exploitation Timeline
Between February and April 2023, a collaborative investigation was conducted by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Cyber National Mission Force (CNMF). Their findings revealed that multiple Advanced Persistent Threats (APTs) had exploited the two vulnerabilities since January 2023 within the targeted aeronautical organization’s network.
Exploitation of CVE-2022-47966
By exploiting CVE-2022-47966, the threat actors were able to gain root-level access to the Zoho ManageEngine ServiceDesk Plus web server. This access allowed them to create a local user account with administrative privileges, perform thorough reconnaissance, deploy malware, and harvest credentials from the system. They also successfully moved laterally within the network, potentially accessing sensitive information.
Uncertain impact on proprietary information
Despite their extensive investigation, CISA, FBI, and CNMF were unable to definitively determine if proprietary information was accessed, altered, or exfiltrated during the attack. The uncertainty regarding the extent of the breach raises concerns about the potential compromise of critical data within the aeronautical organization.
Exploitation of CVE-2022-42475
In addition to exploiting CVE-2022-47966, one of the APT groups targeted the organization’s firewall device by exploiting CVE-2022-42475, a vulnerability affecting Fortinet VPN solutions. The attackers successfully compromised the firewall and established multiple VPN connections in the first half of February. By doing so, they gained unauthorized access to the organization’s network, further jeopardizing its security and confidentiality.
Covering tracks and disabling admin credentials
The APT actors took deliberate steps to cover their tracks and hinder the detection of their activities. They disabled the admin credentials and deleted critical logs, making it challenging for the organization to identify subsequent malicious actions. This obstruction in forensic analysis highlights the sophistication and planning of the cyberattack.
Tools used by the threat actors
During the investigation, it was discovered that the threat actors employed various readily available tools in their attacks. These tools included Mimikatz, Ngrok, ProcDump, Metasploit, anydesk.exe, and others. The use of such tools further illustrates the advanced nature of the attack and the skillset possessed by the APT groups.
Advisory and recommended mitigations
In light of the attack, CISA, FBI, and CNMF have issued an advisory, providing comprehensive information for organizations to enhance their security posture. The advisory includes a detailed timeline of the observed activity, indicators of compromise (IoCs) associated with the attacks, and a list of recommended mitigations to prevent similar attacks.
The recent APT attack on an aeronautical organization serves as a stark reminder of the relentless persistence and evolving tactics employed by cyber threat actors. It underscores the critical importance of promptly patching vulnerabilities and implementing robust security measures. Organizations must remain vigilant, continuously assess their networks for vulnerabilities, and employ proactive measures to safeguard their sensitive data from malicious actors.