A joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United States Cyber Command (USCYBERCOM) on Thursday revealed that state-backed hacking groups have exploited critical vulnerabilities in Zoho and Fortinet systems to infiltrate a US aviation organization. The threat groups involved have not been identified, but a press release from USCYBERCOM has linked the malicious actors to Iranian exploitation efforts.
CISA took part in the incident response between February and April and stated that the attackers had been inside the aviation organization's network since at least January. They gained initial access by exploiting an internet-exposed server running Zoho ManageEngine ServiceDesk Plus and a Fortinet firewall. "CISA, FBI, and CNMF confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network," the advisory stated.
These threat groups are known to continuously scan for vulnerabilities in internet-facing devices that have not been patched against critical and easy-to-exploit security bugs. Once they infiltrate a target's network, the attackers maintain persistence on hacked network infrastructure components. These components are likely to be used for lateral movement within the victims' networks, as malicious infrastructure, or both.
Network defenders are advised to apply the mitigations shared in the advisory and follow the National Security Agency's best practices for securing infrastructure. These practices include securing all systems against all known exploited vulnerabilities, monitoring for unauthorized use of remote access software, and removing unnecessary accounts and groups, especially privileged accounts.
In January, CISA directed federal agencies to secure their systems against CVE-2022-47966 exploits, just days after threat actors began targeting unpatched ManageEngine instances exposed online to open reverse shells after proof-of-concept (PoC) exploit code was released online. Subsequently, the North Korean Lazarus hacking group also began exploiting the Zoho flaw, successfully breaching healthcare organizations and an internet backbone infrastructure provider.
The FBI and CISA have issued multiple alerts regarding state-backed groups exploiting ManageEngine flaws to target critical infrastructure, including financial services and healthcare. The CVE-2022-42475 FortiOS SSL-VPN vulnerability was also exploited as a zero-day in attacks against government organizations and related targets, as Fortinet disclosed in January. Fortinet also warned that additional malicious payloads were downloaded onto the compromised devices during the attacks, payloads that could not be retrieved for analysis. Customers were first urged to patch their appliances against ongoing attacks in mid-December after Fortinet quietly fixed the bug on November 28 without releasing information that it was already being exploited in the wild.