CISA Alert: Hackers from nation-states take advantage of vulnerabilities in Fortinet and Zoho


Multiple nation-state actors are using security holes in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to obtain illegal access and establish persistence on compromised systems, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said on Thursday.

According to a joint alert released by the agency, the Federal Bureau of Investigation (FBI), and the Cyber National Mission Force (CNMF), “Nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network.”

The threat organizations responsible for the assaults remain anonymous, however U.S. Cyber Command (USCYBERCOM) made hints about the possible involvement of Iranian nation-state staff.

The conclusions are based on an incident response assignment that CISA carried out from February to April 2023 at an unidentified aviation sector business. Based on available data, it appears that the malicious behavior started on January 18, 2023.

A serious remote code execution vulnerability known as CVE-2022-47966 enables an unauthorized attacker to gain total control of vulnerable instances.

After CVE-2022-47966 was successfully exploited, the threat actors were able to get root-level access to the web server and proceeded to download more malware, scan the network, gather credentials for the administrator user, and navigate laterally via the network.

Whether any confidential information was taken as a result is not immediately apparent.

According to reports, the entity in question was also compromised through the use of a second initial access vector, which involved breaking into the firewall by taking use of a serious vulnerability in Fortinet FortiOS SSL-VPN called CVE-2022-42475.

“APT actors were found to have compromised and exploited valid administrative account credentials that were disabled from a previously hired contractor—the organization having verified that the user had been disabled before the observed activity,” according to CISA.

Additionally, the attackers have been seen using legitimate credentials to hop from the firewall to a web server and launch web shells for backdoor access. This indicates that the attackers are sending data from the firewall device by starting multiple Transport Layer Security (TLS)-encrypted sessions to multiple IP addresses.

In an effort to hide the forensic trail of their actions, the adversaries are reported to have deactivated administrator account credentials and erased logs from a number of important servers in the environment in both cases.

According to CISA, “anydesk.exe was observed on three hosts between early-February and mid-March 2023.” “After breaching one host, APT actors moved laterally to install the executable on the other two hosts.”

The method used to install AnyDesk on each computer is unknown at this time. Utilizing the official ConnectWise ScreenConnect client to download and execute the credential dumping program Mimikatz was another attack method.

However, the actors’ original effort to get access to the ServiceDesk system using a known Apache Log4j vulnerability (CVE-2021-44228, also known as Log4Shell) was eventually unsuccessful.

It is advised that enterprises install the most recent updates, keep an eye out for any illegal use of remote access software, and remove any unneeded accounts and groups in order to stop misuse of the security holes given the ongoing exploitation of them.

(Score: 53) - 4/5