Image: Midjourney

State-backed hacking groups have breached a U.S. aeronautical organization using exploits targeting critical Zoho and Fortinet vulnerabilities, a joint advisory published by CISA, the FBI, and the United States Cyber Command (USCYBERCOM) revealed on Thursday.

The threat groups behind this breach are yet to be named, but while the joint advisory didn’t connect the attackers to a specific state, USCYBERCOM’s press release links the malicious actors to Iranian exploitation efforts.

CISA was part of the incident response between February and April and said the hacking groups had been in the compromised aviation organization’s network since at least January after hacking an Internet-exposed server running Zoho ManageEngine ServiceDesk Plus and a Fortinet firewall.

“CISA, FBI, and CNMF confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network,” reads the advisory.

“This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.”

As the three U.S. agencies warn, these threat groups frequently scan for vulnerabilities on Internet-facing devices unpatched against critical and easy-to-exploit security bugs.

After infiltrating a target’s network, the attackers will maintain persistence on hacked network infrastructure components. These network devices will likely be used as stepping stones for lateral movement within the victims’ networks, as malicious infrastructure, or a combination of both.

Network defenders are advised to apply mitigations shared within today’s advisory and NSA-recommended best practices for securing infrastructure.

They include but are not limited to securing all systems against all known exploited vulnerabilities, monitoring for unauthorized use of remote access software, and removing unnecessary (disabled) accounts and groups (especially privileged accounts).

Previous attacks and warnings to secure systems

CISA ordered federal agencies to secure their systems against CVE-2022-47966 exploits in January, days after threat actors started targeting unpatched ManageEngine instances exposed online to open reverse shells after proof-of-concept (PoC) exploit code was released online.

Months after CISA’s warning, the North Korean Lazarus hacking group also started exploiting the Zoho flaw, successfully breaching healthcare organizations and an internet backbone infrastructure provider.

The FBI and CISA issued multiple other alerts (1, 2) regarding state-backed groups exploiting ManageEngine flaws to target critical infrastructure, including financial services and healthcare.

The CVE-2022-42475 FortiOS SSL-VPN vulnerability was also exploited as a zero-day in attacks against government organizations and related targets, as Fortinet disclosed in January.

Fortinet also cautioned that additional malicious payloads were downloaded onto the compromised devices during the attacks, payloads that could not be retrieved for analysis.

Customers were first urged to patch their appliances against ongoing attacks in mid-December after Fortinet quietly fixed the bug on November 28 without releasing information that it was already being exploited in the wild.