Aeronautical Organization Hacked by APTs Exploiting Zoho ManageEngine and Fortinet VPN Vulnerabilities

Advanced persistent threat (APT) actors have recently targeted an aeronautical organization, leveraging known vulnerabilities in Zoho ManageEngine and Fortinet VPN products. This attack highlights the importance of promptly patching software vulnerabilities to prevent unauthorized access.

Vulnerability in Zoho ManageEngine

The first bug, identified as CVE-2022-47966, impacted more than 20 on-premises Zoho ManageEngine products, potentially affecting a wide range of organizations. This critical vulnerability allowed remote attackers to execute arbitrary code on affected systems. Rated with a CVSS score of 9.8, it presented a severe risk to the affected organizations.

Vulnerability in Fortinet VPN

The second vulnerability, tracked as CVE-2022-42475, impacted multiple versions of FortiOS SSL-VPN and FortiProxy SSL-VPN. Recognizing the urgency, emergency patches were released in December 2022 to address this vulnerability. With a CVSS score of 9.8, the flaw presented a significant security risk to organizations relying on these VPN solutions.

APT Exploitation Timeline

Between February and April 2023, a collaborative investigation was conducted by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Cyber National Mission Force (CNMF). Their findings revealed that multiple Advanced Persistent Threats (APTs) had exploited the two vulnerabilities since January 2023 within the targeted aeronautical organization’s network.

Exploitation of CVE-2022-47966

By exploiting CVE-2022-47966, the threat actors were able to gain root-level access to the Zoho ManageEngine ServiceDesk Plus web server. This access allowed them to create a local user account with administrative privileges, perform thorough reconnaissance, deploy malware, and harvest credentials from the system. They also successfully moved laterally within the network, potentially accessing sensitive information.

Uncertain impact on proprietary information

Despite their extensive investigation, CISA, FBI, and CNMF were unable to definitively determine if proprietary information was accessed, altered, or exfiltrated during the attack. The uncertainty regarding the extent of the breach raises concerns about the potential compromise of critical data within the aeronautical organization.

Exploitation of CVE-2022-42475

In addition to exploiting CVE-2022-47966, one of the APT groups targeted the organization’s firewall device by exploiting CVE-2022-42475, a vulnerability affecting Fortinet VPN solutions. The attackers successfully compromised the firewall and established multiple VPN connections in the first half of February. By doing so, they gained unauthorized access to the organization’s network, further jeopardizing its security and confidentiality.

Covering tracks and disabling admin credentials

The APT actors took deliberate steps to cover their tracks and hinder the detection of their activities. They disabled the admin credentials and deleted critical logs, making it challenging for the organization to identify subsequent malicious actions. This obstruction in forensic analysis highlights the sophistication and planning of the cyberattack.

Tools used by the threat actors

During the investigation, it was discovered that the threat actors employed various readily available tools in their attacks. These tools included Mimikatz, Ngrok, ProcDump, Metasploit, anydesk.exe, and others. The use of such tools further illustrates the advanced nature of the attack and the skillset possessed by the APT groups.

Advisory and recommended mitigations

In light of the attack, CISA, FBI, and CNMF have issued an advisory, providing comprehensive information for organizations to enhance their security posture. The advisory includes a detailed timeline of the observed activity, indicators of compromise (IoCs) associated with the attacks, and a list of recommended mitigations to prevent similar attacks.

The recent APT attack on an aeronautical organization serves as a stark reminder of the relentless persistence and evolving tactics employed by cyber threat actors. It underscores the critical importance of promptly patching vulnerabilities and implementing robust security measures. Organizations must remain vigilant, continuously assess their networks for vulnerabilities, and employ proactive measures to safeguard their sensitive data from malicious actors.

Explore more

Why is LinkedIn the Go-To for B2B Advertising Success?

In an era where digital advertising is fiercely competitive, LinkedIn emerges as a leading platform for B2B marketing success due to its expansive user base and unparalleled targeting capabilities. With over a billion users, LinkedIn provides marketers with a unique avenue to reach decision-makers and generate high-quality leads. The platform allows for strategic communication with key industry figures, a crucial

Endpoint Threat Protection Market Set for Strong Growth by 2034

As cyber threats proliferate at an unprecedented pace, the Endpoint Threat Protection market emerges as a pivotal component in the global cybersecurity fortress. By the close of 2034, experts forecast a monumental rise in the market’s valuation to approximately US$ 38 billion, up from an estimated US$ 17.42 billion. This analysis illuminates the underlying forces propelling this growth, evaluates economic

How Will ICP’s Solana Integration Transform DeFi and Web3?

The collaboration between the Internet Computer Protocol (ICP) and Solana is poised to redefine the landscape of decentralized finance (DeFi) and Web3. Announced by the DFINITY Foundation, this integration marks a pivotal step in advancing cross-chain interoperability. It follows the footsteps of previous successful integrations with Bitcoin and Ethereum, setting new standards in transactional speed, security, and user experience. Through

Embedded Finance Ecosystem – A Review

In the dynamic landscape of fintech, a remarkable shift is underway. Embedded finance is taking the stage as a transformative force, marking a significant departure from traditional financial paradigms. This evolution allows financial services such as payments, credit, and insurance to seamlessly integrate into non-financial platforms, unlocking new avenues for service delivery and consumer interaction. This review delves into the

Certificial Launches Innovative Vendor Management Program

In an era where real-time data is paramount, Certificial has unveiled its groundbreaking Vendor Management Partner Program. This initiative seeks to transform the cumbersome and often error-prone process of insurance data sharing and verification. As a leader in the Certificate of Insurance (COI) arena, Certificial’s Smart COI Network™ has become a pivotal tool for industries relying on timely insurance verification.