Aeronautical Organization Hacked by APTs Exploiting Zoho ManageEngine and Fortinet VPN Vulnerabilities

Advanced persistent threat (APT) actors have recently targeted an aeronautical organization, leveraging known vulnerabilities in Zoho ManageEngine and Fortinet VPN products. This attack highlights the importance of promptly patching software vulnerabilities to prevent unauthorized access.

Vulnerability in Zoho ManageEngine

The first bug, identified as CVE-2022-47966, impacted more than 20 on-premises Zoho ManageEngine products, potentially affecting a wide range of organizations. This critical vulnerability allowed remote attackers to execute arbitrary code on affected systems. Rated with a CVSS score of 9.8, it presented a severe risk to the affected organizations.

Vulnerability in Fortinet VPN

The second vulnerability, tracked as CVE-2022-42475, impacted multiple versions of FortiOS SSL-VPN and FortiProxy SSL-VPN. Recognizing the urgency, emergency patches were released in December 2022 to address this vulnerability. With a CVSS score of 9.8, the flaw presented a significant security risk to organizations relying on these VPN solutions.

APT Exploitation Timeline

Between February and April 2023, a collaborative investigation was conducted by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Cyber National Mission Force (CNMF). Their findings revealed that multiple Advanced Persistent Threats (APTs) had exploited the two vulnerabilities since January 2023 within the targeted aeronautical organization’s network.

Exploitation of CVE-2022-47966

By exploiting CVE-2022-47966, the threat actors were able to gain root-level access to the Zoho ManageEngine ServiceDesk Plus web server. This access allowed them to create a local user account with administrative privileges, perform thorough reconnaissance, deploy malware, and harvest credentials from the system. They also successfully moved laterally within the network, potentially accessing sensitive information.

Uncertain impact on proprietary information

Despite their extensive investigation, CISA, FBI, and CNMF were unable to definitively determine if proprietary information was accessed, altered, or exfiltrated during the attack. The uncertainty regarding the extent of the breach raises concerns about the potential compromise of critical data within the aeronautical organization.

Exploitation of CVE-2022-42475

In addition to exploiting CVE-2022-47966, one of the APT groups targeted the organization’s firewall device by exploiting CVE-2022-42475, a vulnerability affecting Fortinet VPN solutions. The attackers successfully compromised the firewall and established multiple VPN connections in the first half of February. By doing so, they gained unauthorized access to the organization’s network, further jeopardizing its security and confidentiality.

Covering tracks and disabling admin credentials

The APT actors took deliberate steps to cover their tracks and hinder the detection of their activities. They disabled the admin credentials and deleted critical logs, making it challenging for the organization to identify subsequent malicious actions. This obstruction in forensic analysis highlights the sophistication and planning of the cyberattack.

Tools used by the threat actors

During the investigation, it was discovered that the threat actors employed various readily available tools in their attacks. These tools included Mimikatz, Ngrok, ProcDump, Metasploit, anydesk.exe, and others. The use of such tools further illustrates the advanced nature of the attack and the skillset possessed by the APT groups.

Advisory and recommended mitigations

In light of the attack, CISA, FBI, and CNMF have issued an advisory, providing comprehensive information for organizations to enhance their security posture. The advisory includes a detailed timeline of the observed activity, indicators of compromise (IoCs) associated with the attacks, and a list of recommended mitigations to prevent similar attacks.

The recent APT attack on an aeronautical organization serves as a stark reminder of the relentless persistence and evolving tactics employed by cyber threat actors. It underscores the critical importance of promptly patching vulnerabilities and implementing robust security measures. Organizations must remain vigilant, continuously assess their networks for vulnerabilities, and employ proactive measures to safeguard their sensitive data from malicious actors.

Explore more

Is AI Fueling Microsoft’s Record-Breaking 570 Patches?

The sheer volume of security vulnerabilities emerging within the enterprise ecosystem has reached a critical inflection point, forcing a fundamental reassessment of how major software vendors manage their codebases. As Microsoft crosses the threshold of issuing 570 distinct patches within a single reporting cycle, industry analysts are looking closely at the underlying drivers of this surge. A primary suspect in

Claude or GitHub Copilot: Which Is Best for Your Enterprise?

The current landscape of corporate technology has shifted fundamentally as generative artificial intelligence moves from being a speculative novelty to a central pillar of global production infrastructure. Today’s enterprises are no longer merely experimenting with automation or basic chatbots; they are actively integrating sophisticated “smart workers” directly into their most sensitive IT frameworks to maintain a competitive edge. This evolution

How AI Revolutionizes Social Media Analytics in 2026

The rapid integration of generative models into social media infrastructure has fundamentally altered how organizations interpret the chaotic flow of digital information. No longer are marketing professionals forced to manually sift through endless spreadsheets or rely on delayed monthly reports to understand consumer sentiment. Instead, the current technological environment provides a seamless stream of real-time intelligence that identifies shifts in

The Structural Shift Toward Creator Equity in B2B Marketing

The era of the transactional influencer campaign has reached a decisive turning point as sophisticated organizations begin to realize that renting an audience for a few weeks is far less effective than owning a share of the attention economy through permanent equity partnerships. For years, the standard operating procedure for Business-to-Business marketing involved paying flat fees for sponsored posts or

SMBs Must Adopt AI Defense to Match Rapid Cyber Threats

The sophisticated landscape of digital warfare has reached a point where manual intervention is no longer a viable primary defense mechanism for small and medium-sized enterprises. Cybercriminals are currently leveraging advanced automation and generative models to execute reconnaissance that used to take months in a matter of mere hours or even minutes. This shift in the threat actor’s playbook allows