A U.S. aeronautical organization was compromised in back-to-back attacks by multiple nation-state threat actors leveraging well-known Zoho and Fortinet vulnerabilities.
Both vulnerabilities are rated critical and included in the Known Exploited Vulnerabilities (KEV) Catalog, prompting a reminder from security agencies about the importance of patching all systems, including firewall security appliances, for KEVs.
The attacks on the unnamed organization were detailed in a Thursday advisory authored by CISA, the FBI and the Cyber National Mission Force (CNMF).
The advisory said nation-state advanced persistent threat (APT) groups exploited a critical remote code execution vulnerability (CVE-2022-47966) to gain unauthorized access to the organization’s Zoho ManageEngine ServiceDesk Plus instance, and then moved laterally through its network.
Other APT groups exploited a heap-based buffer overflow vulnerability (CVE-2022-42475) in FortiOS SSL-VPN to establish presence on the organization’s Fortinet firewall device.
The attacks are believed to have begun in January this year. CISA conducted an incident response engagement between February and April, identifying “an array of threat actor activity”.
The advisory did not attribute the attack to any specific threat groups, but noted CISA’s investigation uncovered overlapping tactics, techniques and procedures (TTPs) that could be ascribed to multiple APT groups.
Through the Zoho exploit, the threat actors were able to achieve root level web server access and create a local user account with administrative privileges.
“Actors were further able to download malware, enumerate the network, collect administrative user credentials, and move laterally through the organization’s network,” the advisory stated.
It was unclear if the attacks resulted in data being accessed, altered or exfiltrated. “This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage.”
Cisco Talos last month reported observing North Korean state-sponsored APT Lazarus Group exploiting the same Zoho ManageEngine vulnerability to launch attacks on a midsized internet backbone provider in the United Kingdom, and multiple healthcare entities in Europe and the United States.
In the attacks against the aeronautical organization’s Fortinet firewall, carried out between February 1-16, the advisory said the APT groups compromised and exploited legitimate administrative account credentials used by a contractor previously hired by the organization. The credentials were disabled prior to the attack.
“Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment,” the advisory said.
“This prevented the ability to detect follow-on exploitation or data exfiltration.”
One of the security agencies’ recommendations in the advisory was that organizations remove all unnecessary and disabled accounts and groups related to applications on their networks if they are no longer needed, especially privileged accounts.
In June, the same FortiOS vulnerability was used in an attack against a U.S. cancer center.
In their advisory, the three agencies said the attacks against the aeronautical organization highlighted how APT groups often scanned internet-facing devices for vulnerabilities that could be easily exploited. “Firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors,” they warned. “When targeted, they can be leveraged to expand targeted network access, serve as malicious infrastructure, or a mixture of both.”
