Earlier this year, APT actors exploited known Zoho and Fortinet vulnerabilities to compromise an organization in the aeronautical sector, before downloading malware, stealing credentials and moving laterally on the network.
Threat actors targeted a public-facing Zoho ManageEngine ServiceDesk Plus application that was vulnerable to a remote code execution flaw (CVE-2022-47966), and a firewall device on the organization's network that was vulnerable to a remotely exploitable heap overflow bug (CVE-2022-42475). CISA, which outlined the attack in a joint advisory released with the FBI and Cyber National Mission Force, said it was initially contacted by the impacted, unnamed organization and conducted incident response from February to April 2023. Evidence of the attack started as early as January 2023, according to CISA.
“CISA and co-sealers identified an array of threat actor activity, to include overlapping TTPs across multiple APT actors,” according to CISA on Thursday. “Per the activity conducted, APT actors often scan internet-facing devices for vulnerabilities that can be easily exploited. Firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors. When targeted, they can be leveraged to expand targeted network access, serve as malicious infrastructure, or a mixture of both.”
After exploiting CVE-2022-47966, APT actors gained root level access on the web server, and then created a local user account with administrative privileges. They then downloaded the Meterpreter malware, stole administrative user credentials and moved laterally through the network. However, CISA said it could not determine if proprietary information was accessed, altered, or exfiltrated, “due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage.”
Meanwhile, after additional APT attackers exploited CVE-2022-42475, they used the credentials of a legitimate administrative account that had been compromised and disabled, originally belonging to a previously hired contractor, to delete logs from several critical servers in the environment. This blocked defenders from tracking any follow-on exploitation or data exfiltration.
“CISA and co-sealers were also unable to further track the activity due to the organization not having Network Address Translation (NAT) IP logging enabled,” said CISA.
CISA detailed the group’s TTPs and IoCs to help other organizations better detect and identify any similar exploitation. The actors used several tools, including Mimikatz for credential theft, ProcDump for conducting reconnaissance and PsExec to create a scheduled task and force-store administrative credentials to the local machine. In addition, they attempted but failed to exploit the known Log4j flaw in the ServiceDesk system.
The advisory highlights the importance of patching, as fixes for both vulnerabilities have been available since last year; Zoho released a patch for CVE-2022-47966 in October and November 2022, while Fortinet issued a fix for CVE-2022-42475 in December 2022. Additionally, multiple alerts have been released over the past year regarding exploitation attempts against both CVE-2022-47966 and CVE-2022-42475.
CISA urged organizations to ensure that all systems are patched for known exploited vulnerabilities in particular, including firewall security appliances. In addition, the agency recommended that entities monitor for unauthorized use of remote access software and remove unnecessary accounts and groups from the enterprise that are no longer needed (particularly privileged accounts).