
Feds Call for Urgent Patching of Zoho and Fortinet Products


Multiple nation-state hacking groups are actively exploiting known vulnerabilities in Zoho ManageEngine software and Fortinet firewalls, despite patches being available, according to cybersecurity officials. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert detailing how these vulnerabilities are being exploited. The agency conducted an investigation from February to April at an undisclosed aeronautical organization, where it found that multiple APT (Advanced Persistent Threat) groups had exploited critical flaws to gain unauthorized access and exfiltrate data.

The identified vulnerabilities, CVE-2022-47966 in Zoho ManageEngine and CVE-2022-42475 in Fortinet FortiOS SSL VPN, are classified as critical, as they can be remotely exploited to execute code and take control of a system. Both Zoho and Fortinet had released updates patching the vulnerabilities in late 2022. These vulnerabilities are referred to as N-day vulnerabilities, as patches are available for the known flaws, unlike zero-day vulnerabilities that have no available patches.

The alert, issued by CISA, the FBI, and U.S. Cyber Command’s Cyber National Mission Force, provides details on how attackers have used these vulnerabilities to gain wider access to victims’ networks. However, it does not explicitly state the nation or nations associated with the APT groups exploiting these flaws. Previous private sector reporting has linked Chinese, Iranian, and North Korean hackers to the exploitation of these vulnerabilities.

Zoho ManageEngine’s vulnerability, CVE-2022-47966, was first disclosed by the vendor in October, which warned of an unauthenticated remote code execution flaw. The vendor issued patches in October and November for affected products. Attackers exploited this vulnerability on January 20 at the aeronautical organization, gaining root-level access to the firm’s web server hosting Zoho ManageEngine ServiceDesk Plus. From there, they proceeded to download malware, explore the network, steal administrator credentials using Mimikatz, install Metasploit, and establish remote desktop protocol connections.

While it was uncertain if proprietary information was accessed, altered, or exfiltrated, Microsoft reported that Iranian hackers initiated attacks targeting the vulnerability on the same day that proof-of-concept code was released. Microsoft traced some of the attacks to a group called Mint Sandstorm, also known as APT42, Cobalt Illusion, and TA453, believed to include the participation of the Islamic Revolutionary Guard Corps.

The exploitation of the Zoho ManageEngine vulnerability continues, with Cisco Talos recently detailing an espionage campaign attributed to North Korea’s Lazarus Group. The campaign utilized the ManageEngine vulnerability to deploy a Trojan called QuiteRAT, targeting U.S. and European internet backbone infrastructure and healthcare entities.

The Fortinet vulnerability, CVE-2022-42475, allows attackers to remotely execute code or commands. The aeronautical organization targeted in the investigation fell victim to a separate attack exploiting this vulnerability. Attackers gained access to the organization’s Fortinet firewall, making multiple VPN connections from known-malicious IP addresses. They also used the credentials of an administrator account previously assigned to a former contractor; the organization confirmed the account had been disabled before the observed activity. The attackers reactivated the account and deleted logs from multiple servers, making it difficult to detect further exploitation or data exfiltration.
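The behaviours described above (VPN logins from known-malicious addresses, a disabled administrator account that is re-enabled and then used, and audit logs being cleared) are each detectable from ordinary firewall and directory event logs. The following is an added example, not code from CISA or the article, that runs a simple triage over constructed sample events; the event field names, the host names and the IP addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events (not real incident data); 'ts' gives their order.
EVENTS = [
    {"ts": 1, "host": "fw1", "kind": "vpn_login", "user": "jdoe", "src": "203.0.113.7"},
    {"ts": 2, "host": "dc1", "kind": "account_disabled", "user": "contractor1"},
    {"ts": 3, "host": "dc1", "kind": "account_enabled", "user": "contractor1"},
    {"ts": 4, "host": "fw1", "kind": "vpn_login", "user": "contractor1", "src": "198.51.100.9"},
    {"ts": 5, "host": "srv2", "kind": "log_cleared", "user": "contractor1"},
    {"ts": 6, "host": "fw1", "kind": "vpn_login", "user": "jdoe", "src": "203.0.113.7"},
]

# Constructed block list standing in for the known-malicious IPs in the alert.
MALICIOUS_IPS = {"198.51.100.9"}

def vpn_logins_from_blocklist(events, blocklist):
    """Return (user, src) pairs for VPN logins that originate from a listed IP."""
    return [(e["user"], e["src"]) for e in events
            if e["kind"] == "vpn_login" and e["src"] in blocklist]

def reactivated_then_used(events):
    """Return users whose account was disabled, later re-enabled, then logged in.

    Order matters: an enable followed by a disable is normal housekeeping, so
    only the disabled -> enabled -> login sequence is flagged.
    """
    state = defaultdict(lambda: "unknown")   # per-user lifecycle state
    flagged = []
    for e in sorted(events, key=lambda e: e["ts"]):
        u = e["user"]
        if e["kind"] == "account_disabled":
            state[u] = "disabled"
        elif e["kind"] == "account_enabled" and state[u] == "disabled":
            state[u] = "reactivated"
        elif e["kind"] == "vpn_login" and state[u] == "reactivated":
            flagged.append(u)
            state[u] = "reported"   # report each reactivated account once
    return flagged

def log_clearing_hosts(events):
    """Return hosts on which an audit-log clearing event was recorded."""
    return sorted({e["host"] for e in events if e["kind"] == "log_cleared"})

def triage(events, blocklist):
    """Combine the three checks into one findings dictionary."""
    return {
        "blocklisted_vpn": vpn_logins_from_blocklist(events, blocklist),
        "reactivated_accounts": reactivated_then_used(events),
        "log_cleared_on": log_clearing_hosts(events),
    }
```

The log-clearing check is the weakest on its own, since a cleared log is also what an attacker leaves behind; correlating it with the other two findings, as `triage` does, is what makes it actionable.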

Google’s Mandiant incident response division previously reported attacks targeting this Fortinet vulnerability, suspecting the involvement of a Chinese hacking group. The incident mirrored China’s pattern of exploiting internet-facing devices, particularly those used for managed security purposes.

These recent incidents highlight the importance of timely patching in order to prevent exploitation of known vulnerabilities. The U.S. and its Five Eyes intelligence partners have issued joint security advisories warning about the top vulnerabilities exploited by criminals and APT groups. Among these vulnerabilities are the Zoho ManageEngine improper authentication flaw (CVE-2021-40539) and the Fortinet SSL VPN path traversal flaw (CVE-2018-13379). Attackers continue to exploit these flaws due to organizations’ failure to patch software promptly, leaving them vulnerable to cyber attacks.
