Aeronautical Organization Hacked by APTs Exploiting Zoho ManageEngine and Fortinet VPN Vulnerabilities

Advanced persistent threat (APT) actors have recently targeted an aeronautical organization, leveraging known vulnerabilities in Zoho ManageEngine and Fortinet VPN products. This attack highlights the importance of promptly patching software vulnerabilities to prevent unauthorized access.

Vulnerability in Zoho ManageEngine

The first bug, identified as CVE-2022-47966, impacted more than 20 on-premises Zoho ManageEngine products, potentially affecting a wide range of organizations. This critical vulnerability allowed remote attackers to execute arbitrary code on affected systems. Rated with a CVSS score of 9.8, it presented a severe risk to the affected organizations.

Vulnerability in Fortinet VPN

The second vulnerability, tracked as CVE-2022-42475, impacted multiple versions of FortiOS SSL-VPN and FortiProxy SSL-VPN. Recognizing the urgency, emergency patches were released in December 2022 to address this vulnerability. With a CVSS score of 9.8, the flaw presented a significant security risk to organizations relying on these VPN solutions.

APT Exploitation Timeline

Between February and April 2023, a collaborative investigation was conducted by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Cyber National Mission Force (CNMF). Their findings revealed that multiple Advanced Persistent Threats (APTs) had exploited the two vulnerabilities since January 2023 within the targeted aeronautical organization’s network.

Exploitation of CVE-2022-47966

By exploiting CVE-2022-47966, the threat actors were able to gain root-level access to the Zoho ManageEngine ServiceDesk Plus web server. This access allowed them to create a local user account with administrative privileges, perform thorough reconnaissance, deploy malware, and harvest credentials from the system. They also successfully moved laterally within the network, potentially accessing sensitive information.

Uncertain impact on proprietary information

Despite their extensive investigation, CISA, FBI, and CNMF were unable to definitively determine if proprietary information was accessed, altered, or exfiltrated during the attack. The uncertainty regarding the extent of the breach raises concerns about the potential compromise of critical data within the aeronautical organization.

Exploitation of CVE-2022-42475

In addition to exploiting CVE-2022-47966, one of the APT groups targeted the organization’s firewall device by exploiting CVE-2022-42475, a vulnerability affecting Fortinet VPN solutions. The attackers successfully compromised the firewall and established multiple VPN connections in the first half of February. By doing so, they gained unauthorized access to the organization’s network, further jeopardizing its security and confidentiality.

Covering tracks and disabling admin credentials

The APT actors took deliberate steps to cover their tracks and hinder the detection of their activities. They disabled the admin credentials and deleted critical logs, making it challenging for the organization to identify subsequent malicious actions. This obstruction in forensic analysis highlights the sophistication and planning of the cyberattack.

Tools used by the threat actors

During the investigation, it was discovered that the threat actors employed various readily available tools in their attacks. These tools included Mimikatz, Ngrok, ProcDump, Metasploit, anydesk.exe, and others. The use of such tools further illustrates the advanced nature of the attack and the skillset possessed by the APT groups.

Advisory and recommended mitigations

In light of the attack, CISA, FBI, and CNMF have issued an advisory, providing comprehensive information for organizations to enhance their security posture. The advisory includes a detailed timeline of the observed activity, indicators of compromise (IoCs) associated with the attacks, and a list of recommended mitigations to prevent similar attacks.

The recent APT attack on an aeronautical organization serves as a stark reminder of the relentless persistence and evolving tactics employed by cyber threat actors. It underscores the critical importance of promptly patching vulnerabilities and implementing robust security measures. Organizations must remain vigilant, continuously assess their networks for vulnerabilities, and employ proactive measures to safeguard their sensitive data from malicious actors.

Explore more

Why Are Small Businesses Losing Confidence in Marketing?

In the ever-evolving landscape of commerce, small and mid-sized businesses (SMBs) globally are grappling with a perplexing challenge: despite pouring more time, energy, and resources into marketing, their confidence in achieving impactful results is waning, and recent findings reveal a stark reality where only a fraction of these businesses feel assured about their strategies. Many struggle to measure success or

How Are AI Agents Revolutionizing Chatbot Marketing?

In an era where digital interaction shapes customer expectations, Artificial Intelligence (AI) is fundamentally altering the landscape of chatbot marketing with unprecedented advancements. Once limited to answering basic queries through rigid scripts, chatbots have evolved into sophisticated AI agents capable of managing intricate workflows and delivering seamless engagement. Innovations like Silverback AI Chatbot’s updated framework exemplify this transformation, pushing the

How Does Klaviyo Lead AI-Driven B2C Marketing in 2025?

In today’s rapidly shifting landscape of business-to-consumer (B2C) marketing, artificial intelligence (AI) has emerged as a pivotal force, reshaping how brands forge connections with their audiences. At the forefront of this transformation stands Klaviyo, a marketing platform that has solidified its reputation as an industry pioneer. By harnessing sophisticated AI technologies, Klaviyo enables companies to craft highly personalized customer experiences,

How Does Azure’s Trusted Launch Upgrade Enhance Security?

In an era where cyber threats are becoming increasingly sophisticated, businesses running workloads in the cloud face constant challenges in safeguarding their virtual environments from advanced attacks like bootkits and firmware exploits. A significant step forward in addressing these concerns has emerged with a recent update from Microsoft, introducing in-place upgrades for a key security feature on Azure Virtual Machines

How Does Digi Power X Lead with ARMS 200 AI Data Centers?

In an era where artificial intelligence is reshaping industries at an unprecedented pace, the demand for robust, reliable, and scalable data center infrastructure has never been higher, and Digi Power X is stepping up to meet this challenge head-on with innovative solutions. This NASDAQ-listed energy infrastructure company, under the ticker DGXX, recently made headlines with a groundbreaking achievement through its