The US Cybersecurity and Infrastructure Security Agency (CISA) warned on Thursday that several state actors are exploiting security vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems.
“Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network,” according to a joint alert released by the agency together with the Federal Bureau of Investigation (FBI) and the Cyber National Mission Force (CNMF).
The identity of the threat groups behind the attacks has not been disclosed, although US Cyber Command (USCYBERCOM) has hinted at the involvement of Iranian nation-state crews.
The findings are based on an incident response mission conducted by CISA to an unnamed aviation industry organization from February to April 2023. There is evidence to suggest that malicious activity began as early as January 18, 2023.
CVE-2022-47966 refers to a critical remote code execution flaw that allows an unauthenticated attacker to completely take over vulnerable instances.
Following the successful exploitation of CVE-2022-47966, the threat actors gained root-level access to the web server and took steps to download additional malware, enumerate the network, harvest administrative user credentials, and move laterally within the network.
It is not immediately clear whether any proprietary information was stolen as a result.
The entity in question was also allegedly hacked using a second initial access vector that involved exploiting CVE-2022-42475, a serious Fortinet FortiOS SSL-VPN bug, to gain access to the firewall.
“It was identified that APT actors compromised and used legitimate, deactivated administrative account credentials of a previously hired contractor, whose user organization confirmed had been deactivated prior to the activity observed,” CISA said.
The attackers were also observed initiating multiple Transport Layer Security (TLS)-encrypted sessions to several IP addresses, indicating data transfer from the firewall device, in addition to using valid credentials to pivot from the firewall to a web server and deploy web shells for backdoor access.
In both cases, the adversaries allegedly disabled administrative account credentials and deleted logs from several critical servers in the environment in an attempt to erase the forensic trail of their activities.
“Between early February and mid-March 2023, anydesk.exe was observed on three hosts,” CISA noted. “APT actors compromised one host and moved laterally to install the executable on the other two.”
It is currently unknown how AnyDesk was installed on each machine. Another technique used in the attacks involved using the legitimate ConnectWise ScreenConnect client to download and run the Mimikatz credential dumping tool.
Additionally, the actors attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228, aka Log4Shell) in the ServiceDesk system for initial access, but were unsuccessful.
In light of the continued exploitation of security vulnerabilities, it is recommended that organizations apply the latest updates, monitor any unauthorized use of remote access software, and remove unnecessary accounts and groups to prevent any abuse.
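The recommendation to monitor for unauthorized use of remote access software maps directly onto the AnyDesk and ScreenConnect activity described above. The following is an added example (not code from CISA, the advisory, or this article) of a small detection pass over constructed process-creation records: it flags remote access clients running on hosts where they are not approved, and credential-dumping tools spawned by such a client. The host names, file paths, timestamps and the per-host allowlist are all hypothetical.

```python
from collections import defaultdict

# Process names reported as abused in the advisory (AnyDesk, ScreenConnect, Mimikatz).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "screenconnect.clientservice.exe",
                       "screenconnect.windowsclient.exe"}
CREDENTIAL_TOOLS = {"mimikatz.exe"}
# Hypothetical allowlist: hosts on which a given remote access client is sanctioned.
APPROVED = {"helpdesk-01": {"screenconnect.clientservice.exe"}}

# Constructed sample process-creation records (Sysmon Event ID 1 style fields).
EVENTS = [
    {"ts": "2023-02-06T09:12Z", "host": "ws-114", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jdoe\AppData\Roaming\AnyDesk\anydesk.exe"},
    {"ts": "2023-02-20T14:03Z", "host": "ws-207", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"ts": "2023-03-01T08:30Z", "host": "helpdesk-01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"ts": "2023-03-09T22:41Z", "host": "srv-app-02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\ProgramData\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"ts": "2023-03-09T22:45Z", "host": "srv-app-02", "image": r"C:\Windows\Temp\mimikatz.exe",
     "parent": r"C:\ProgramData\ScreenConnect Client\ScreenConnect.ClientService.exe"},
]

def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def detect(events, approved=APPROVED):
    """Flag unapproved remote access tools and credential dumpers spawned by them."""
    findings = []
    for e in events:
        image, parent = basename(e["image"]), basename(e["parent"])
        if image in REMOTE_ACCESS_TOOLS and image not in approved.get(e["host"], set()):
            findings.append(("unapproved_remote_access", e["host"], image, e["ts"]))
        if image in CREDENTIAL_TOOLS and parent in REMOTE_ACCESS_TOOLS:
            findings.append(("credential_dump_via_remote_access", e["host"], image, e["ts"]))
    return findings

def hosts_per_tool(findings):
    """Group flagged hosts by tool: the same client appearing on several hosts is a spread signal."""
    spread = defaultdict(set)
    for kind, host, image, _ in findings:
        if kind == "unapproved_remote_access":
            spread[image].add(host)
    return dict(spread)
```

Running `detect(EVENTS)` on the sample yields four findings; the ScreenConnect client on the approved help-desk host is not flagged.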