Multiple Nation-State Hacking Groups Actively Exploiting Known Vulnerabilities
Multiple nation-state hacking groups have been exploiting known flaws in Zoho ManageEngine software and Fortinet firewalls for which patches are available, cybersecurity officials warn.
In a new alert, the U.S. Cybersecurity and Infrastructure Security Agency includes details of how both vulnerabilities are being exploited, via an investigation it conducted from February through April at an unnamed organization in the aeronautical sector.
CISA found that beginning in January, multiple APT groups separately exploited two different critical vulnerabilities to gain unauthorized access and exfiltrate data from the organization.
Both of the unrelated flaws – CVE-2022-47966 in Zoho ManageEngine and CVE-2022-42475 in Fortinet FortiOS SSL VPN – have been classified as being of critical severity, meaning they can be exploited to remotely execute code, allowing attackers to take control of the system and pivot to other parts of the network. Each of the vendors issued updates patching their flaws in late 2022. Researchers refer to these as N-day vulnerabilities, meaning known flaws, as opposed to zero-day vulnerability for which no patch is yet available.
The alert, issued by CISA, the FBI and U.S. Cyber Command’s Cyber National Mission Force, includes details of how attackers used each of the flaws to gain wider access to victims’ networks. The advisory doesn’t state which nation or nations’ APT groups have been tied to known exploits of these flaws. Private sector reporting has previously tied hackers aligned with China, Iran and North Korea to known exploits of these vulnerabilities.
Target: Zoho ManageEngine
Last October, Zoho warned that multiple ManageEngine OnPremise products, including such IT management tools as ServiceDesk Plus and Vulnerability Manager Plus, have an “unauthenticated remote code execution vulnerability” – CVE-2022-47966 – due to the use of “an outdated third party dependency” involving Apache Santuario. The vendor issued patches for affected products last October and November. Proof-of-concept code for exploiting the flaw appeared on Jan. 19.
In the case of the hacked aeronautical firm, the report from CISA and other U.S. government investigators says attackers exploited the vulnerability on Jan. 20 to gain root-level access to the firm’s web server hosting the public-facing Zoho ManageEngine ServiceDesk Plus application. From there, attackers downloaded further malware, explored the network, used Mimikatz to steal administrator credentials, installed a variant of Metasploit called Meterpreter, added persistence via SSH, launched remote desktop protocol connections and more.
Government investigators “were unable to determine if proprietary information was accessed, altered or exfiltrated,” the report said. “This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage.”
While the report doesn’t attribute the attack, Microsoft has reported that Iranian hackers began launching attacks targeting the vulnerability the same day that the POC code was released. The technology giant traced some of those attacks to a group it’s codenamed Mint Sandstorm, which includes the participation of the Islamic Revolutionary Guard Corps, and which is also known as APT42, Cobalt Illusion and TA453.
“Patching this vulnerability is useful beyond this specific campaign as several adversaries are exploiting CVE-2022-47966 for initial access,” Microsoft reported at the time.
Attackers have continued to abuse the flaw. Last month, Cisco Talos detailed an espionage campaign, which appeared to trace to North Korea’s Lazarus Group, that targeted the Zoho ManageEngine vulnerability to deploy a Trojan called QuiteRAT. Cisco Talos said the campaign began in May and appeared to focus on hitting U.S. and European internet backbone infrastructure and healthcare entities.
Target: Fortinet FortiOS
The aeronautical firm also fell victim to an attack – launched by a different group to the one that exploited its Zoho ManageEngine software – that gained access to its Fortinet firewall, CISA reported.
The exploited CVE-2022-42475 vulnerability in FortiOS SSL VPN devices is a “heap-based buffer overflow vulnerability” attackers can use to remotely execute code or commands, Fortinet reported when releasing patches for the flaw on Dec. 12, 2022. At that time, it said the vulnerability was already being actively exploited in the wild.
The aeronautical firm’s hacker used the flaw to access to the organization’s firewall, then made multiple VPN connections from known-malicious IP addresses, CISA said. Attackers also used legitimate credentials for a disabled administrator account previously assigned to a former contractor, investigators found.
“The organization confirmed the user had been disabled prior to the observed activity,” they reported, noting that attackers reactivated the account and also deleted logs from multiple servers. “This prevented the ability to detect follow-on exploitation or data exfiltration,” which was exacerbated by the organization having failed to enable Network Address Translation IP logging, they said. Keeping NAT IP logs helps investigators trace how packets flow from external IP addresses and ports to internal clients.
As with the Zoho vulnerability exploitation, the report doesn’t attribute the attack to any given APT group. Multiple groups may be targeting this flaw.
Last January, Google’s Mandiant incident-response division reported seeing attacks targeting the vulnerability in Fortinet’s FortiOS SSL-VPN that it suspected traced to a Chinese hacking group. “The incident continues China’s pattern of exploiting internet facing devices, specifically those used for managed security purposes,” including firewalls, intrusion prevention and detection systems and more, Mandiant reported.
“Evidence suggests the exploitation was occurring as early as October 2022,” Mandiant added, noting that “identified targets include a European government entity and a managed service provider located in Africa.”
This isn’t the first time attackers have targeted vulnerabilities for which patches are available in Zoho ManageEngine and Fortinet SSL VPN products. Last month, the U.S. and its Five Eyes intelligence partners – Australia, Canada, New Zealand and the U.K. – issued a joint security advisory detailing the 12 vulnerabilities criminals and APT groups most often exploited in 2022 (see: Patching Conundrum: 5-Year-Old Flaw Again Tops Most-Hit List).
One of those is an improper authentication flaw in Zoho ManageEngine, designated CVE-2021-40539, which the vendor patched in September 2021.
Another one of the top 12 vulnerabilities is a path traversal flaw in Fortinet SSL VPN, designated CVE-2018-13379, which the vendor patched in May 2019.
Four years later, officials warned, attackers are continuing to abuse the FortiOS flaw to gain easy access to corporate networks. “The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors,” the advisory said.