Iranian Hackers Breach US Aviation Organization via Zoho, Fortinet Bugs

Cyber Security Threat Summary:
“State-backed hacking groups have breached a U.S. aeronautical organization using exploits targeting critical Zoho and Fortinet vulnerabilities, a joint advisory published by CISA, the FBI, and the United States Cyber Command (USCYBERCOM) revealed on Thursday” (Bleeping Computer, 2023).

The agencies have yet to attribute the activity to a specific threat group, but noted that the malicious activity was related to Iranian exploitation efforts. CISA has been involved in the compromised aviation organization’s incident response, which took place between February and April of this year. The compromise involved an Internet-exposed server running Zoho ManageEngine ServiceDesk Plus and a Fortinet firewall.

"CISA, FBI, and CNMF confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network," reads the advisory. "This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization's firewall device."

Security Officer Comments:
In their joint advisory, the three U.S. agencies warn about the continued danger of threat groups scanning for known vulnerabilities in Internet-facing devices. Unpatched devices may contain critical vulnerabilities that are easy to exploit once found. Organizations are urged to patch systems as soon as updates are available.

In the case of advanced persistent threat groups, after infiltrating a target’s network they will often maintain persistence through the compromised devices, using them to move laterally to more sensitive areas, download additional payloads, and exfiltrate data to an attacker-controlled server.

“CISA ordered federal agencies to secure their systems against CVE-2022-47966 exploits in January, days after threat actors started targeting unpatched ManageEngine instances exposed online to open reverse shells after proof-of-concept (PoC) exploit code was released online. Months after CISA's warning, the North Korean Lazarus hacking group also started exploiting the Zoho flaw, successfully breaching healthcare organizations and an internet backbone infrastructure provider” (Bleeping Computer, 2023).

The FBI and CISA have both issued multiple alerts about state-sponsored groups exploiting ManageEngine flaws to target critical infrastructure. The CVE-2022-42475 FortiOS SSL-VPN vulnerability was also exploited as a zero-day in attacks against government organizations and related targets, as Fortinet disclosed in January. Fortinet also cautioned that additional malicious payloads were downloaded onto the compromised devices during the attacks, payloads that could not be retrieved for analysis.

Suggested Correction(s):
Network defenders are advised to apply mitigations shared within today's advisory and NSA-recommended best practices for securing infrastructure. They include but are not limited to securing all systems against all known exploited vulnerabilities, monitoring for unauthorized use of remote access software, and removing unnecessary (disabled) accounts and groups (especially privileged accounts).