Summary

Background

The US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on September 8, 2023, warning that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems.

The advisory was based on an incident response engagement conducted by CISA at an unnamed aeronautical sector organization from February to April 2023. There is evidence to suggest that the malicious activity commenced as early as January 18, 2023.

The vulnerabilities exploited by the threat actors are:

The advisory also revealed that the threat actors compromised and used the credentials of a disabled administrative account that had belonged to a former contractor; the organization confirmed that the account had been disabled before the observed activity.

Attack Chain

According to CISA, the following steps were taken by the threat actors after gaining initial access:

  1. The attackers obtained root-level access to the web server and downloaded additional malware.
  2. The attackers enumerated the network and collected administrative user credentials.
  3. The attackers moved laterally through the network using multiple Transport Layer Security (TLS)-encrypted sessions to multiple IP addresses.
  4. The attackers deployed web shells for backdoor access on several critical servers in the environment.
  5. The attackers disabled administrative account credentials and deleted logs from several critical servers in an attempt to erase the forensic trail of their activities.
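Two of the behaviours above, reuse of a disabled contractor account (Background) and log deletion (step 5), are the kind of thing a defender can alert on from authentication and audit logs. The following detector is an added example, not code from CISA or the advisory; the log format, host names and account names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed roster of accounts the organization believes are disabled,
# mapped to the date they were disabled (hypothetical account name).
DISABLED_ACCOUNTS = {"contractor01": datetime(2022, 11, 30)}

# Constructed sample events in a simplified "timestamp|host|event|user" format.
SAMPLE_LOG = """\
2023-01-18T02:14:09|web01|logon_success|contractor01
2023-01-18T02:15:41|web01|logon_success|svc_backup
2023-01-18T03:02:17|app02|logon_success|contractor01
2023-01-19T01:47:55|app02|audit_log_cleared|contractor01
2023-01-19T01:50:03|db01|audit_log_cleared|admin7
"""

@dataclass
class Finding:
    ts: datetime
    host: str
    user: str
    reason: str

def parse_events(text):
    """Split the log into (timestamp, host, event, user) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, host, event, user = parts
        events.append((datetime.fromisoformat(ts), host, event, user))
    return events

def detect(text, disabled=DISABLED_ACCOUNTS):
    """Flag successful logons by disabled accounts and audit-log clearing.

    A log-clear on a host that already saw a disabled-account logon is
    escalated in the finding's reason, since that pairing matches the
    persistence-then-cover-tracks sequence described in the advisory."""
    findings = []
    hosts_with_disabled_logon = set()
    for ts, host, event, user in parse_events(text):
        if event == "logon_success" and user in disabled and ts > disabled[user]:
            findings.append(Finding(ts, host, user, "logon by disabled account"))
            hosts_with_disabled_logon.add(host)
        elif event == "audit_log_cleared":
            reason = "audit log cleared"
            if host in hosts_with_disabled_logon:
                reason += " on host with prior disabled-account logon"
            findings.append(Finding(ts, host, user, reason))
    return findings
```

Feeding the constructed sample through `detect(SAMPLE_LOG)` yields four findings, the third of which carries the escalated reason for app02.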

Impact

The breach could have exposed sensitive data such as flight plans, weather forecasts, air traffic control information, aviation safety data, and other aviation-related information. It could also have disrupted or compromised flight operations or safety.

CISA advised affected organizations to apply patches as soon as possible, disable or remove any untrusted software or devices, monitor network activity for any signs of compromise or intrusion attempts, and report any suspicious incidents or indicators of compromise.
