
CISA and FBI Warn of Nation-State Hackers Exploiting Fortinet and Zoho Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning on Thursday, highlighting the active exploitation of security vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus by multiple nation-state actors. These actors have been using the vulnerabilities to gain unauthorized access to systems and establish a persistent presence.

CISA, in collaboration with the Federal Bureau of Investigation (FBI) and Cyber National Mission Force (CNMF), revealed that the nation-state advanced persistent threat (APT) actors leveraged CVE-2022-47966 to breach a public-facing application, Zoho ManageEngine ServiceDesk Plus.

They not only gained unauthorized access but also maintained persistence within the compromised network. The joint alert, however, did not disclose the identities of the threat groups responsible, although there were hints of potential Iranian nation-state involvement.

The incidents under scrutiny occurred during an incident response engagement conducted by CISA within an unnamed aeronautical sector organization, spanning from February to April 2023. Evidence suggests that the malicious activity began as early as January 18, 2023.

CVE-2022-47966, the critical remote code execution vulnerability exploited, allows an unauthenticated attacker to assume full control over vulnerable instances. Once successfully exploited, the threat actors achieved root-level access to the web server.

They proceeded to download additional malware, perform network enumeration, acquire administrative user credentials, and move laterally within the network. It remains uncertain whether any proprietary data was exfiltrated.

Another initial access vector involved the exploitation of CVE-2022-42475, a severe bug in Fortinet FortiOS SSL-VPN, which granted access to the firewall. CISA noted that the APT actors compromised and misused disabled but legitimate administrative account credentials belonging to a previously contracted individual. The organization confirmed that this user had been disabled before the observed malicious activity.

In an attempt to obscure their tracks, the attackers initiated multiple Transport Layer Security (TLS)-encrypted sessions to various IP addresses, indicating data transfers from the firewall device. They also utilized valid credentials to transition from the firewall to a web server, deploying web shells for establishing backdoor access. Administrative account credentials were deactivated, and logs were deleted from critical servers, effectively erasing forensic evidence of their actions.

During the period between early February and mid-March 2023, the presence of ‘anydesk.exe’ was identified on three hosts. The APT actors compromised one host and extended their control to install the executable on the remaining two. The method by which AnyDesk was installed on these machines remains unknown.

Furthermore, the attackers employed the ConnectWise ScreenConnect client, a legitimate tool, to download and execute the credential dumping utility Mimikatz. Attempts to exploit a known Apache Log4j vulnerability (CVE-2021-44228 or Log4Shell) in the ServiceDesk system for initial access were unsuccessful.

Given the ongoing exploitation of these vulnerabilities, organizations are strongly advised to apply the latest updates, closely monitor the use of remote access software, and eliminate unnecessary accounts and groups to prevent potential abuse.
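Two of the behaviours reported above, a successful logon by an account the organization had already disabled and the appearance of anydesk.exe on hosts where no remote access tool was sanctioned, can be checked against endpoint and logon telemetry. The following is an added example, not code from the advisory or the article; the account names, host names, approved-tool list and event records are constructed for illustration.

```python
"""Flag (1) successful logons by accounts the directory lists as disabled and
(2) process creation of a watched remote access binary that is not on the
approved list, over constructed Windows-style event records."""
from dataclasses import dataclass

# Constructed directory snapshot: accounts the organization has disabled.
DISABLED_ACCOUNTS = {"contractor.admin"}

# anydesk.exe is named in the advisory; the approved set is an assumption
# standing in for an organization's own remote-access policy.
REMOTE_ACCESS_BINARIES = {"anydesk.exe"}
APPROVED_REMOTE_TOOLS = set()


@dataclass(frozen=True)
class Event:
    event_id: int          # 4624 = successful logon, 4688 = process creation
    host: str
    account: str
    process: str = ""      # full image path for 4688 events


def find_disabled_account_logons(events, disabled=DISABLED_ACCOUNTS):
    """(host, account) pairs for successful logons by a disabled account."""
    return [(e.host, e.account) for e in events
            if e.event_id == 4624 and e.account.lower() in disabled]


def find_unapproved_remote_tools(events, watch=REMOTE_ACCESS_BINARIES,
                                 approved=APPROVED_REMOTE_TOOLS):
    """(host, binary) pairs where a watched remote tool ran without approval."""
    hits = []
    for e in events:
        if e.event_id != 4688:
            continue
        name = e.process.rsplit("\\", 1)[-1].lower()   # image name, case-folded
        if name in watch and name not in approved:
            hits.append((e.host, name))
    return hits


def hosts_with_remote_tool(events, binary="anydesk.exe"):
    """Sorted hosts on which the given watched binary was launched."""
    return sorted({h for h, n in find_unapproved_remote_tools(events) if n == binary})


SAMPLE_EVENTS = [  # constructed telemetry
    Event(4624, "web01", "svc.backup"),
    Event(4624, "fw-mgmt", "contractor.admin"),           # disabled account logs on
    Event(4688, "ws-01", "jdoe", r"C:\Users\jdoe\AppData\Local\AnyDesk\anydesk.exe"),
    Event(4688, "ws-02", "jdoe", r"C:\Temp\AnyDesk.exe"),
    Event(4688, "ws-03", "svc.backup", r"C:\Windows\System32\notepad.exe"),
    Event(4688, "ws-03", "admin", r"C:\Temp\anydesk.exe"),
]

if __name__ == "__main__":
    print("disabled-account logons:", find_disabled_account_logons(SAMPLE_EVENTS))
    print("hosts running anydesk.exe:", hosts_with_remote_tool(SAMPLE_EVENTS))
```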
