An aeronautical organization in the US has fallen victim to an attack by state-sponsored threat actors. Exploiting known vulnerabilities in Zoho ManageEngine software and Fortinet firewalls, the attackers successfully gained unauthorized access to the organization’s network.
While the exact name of the organization has not been disclosed, a statement from US Cyber Command said the incident highlighted “Iranian exploitation efforts.” The same statement noted that the organization was targeted by multiple nation-state APT actors, which adds to the severity and complexity of the case.
The intrusion began with the exploitation of CVE-2022-47966, an unauthenticated remote code execution (RCE) vulnerability in ManageEngine software. By leveraging this flaw, the threat actors gained entry through the organization’s public-facing application. Once inside the network, they established persistence and moved laterally to expand their reach.
Authorities had already warned about CVE-2022-47966 in January 2023, emphasizing the importance of patching affected ManageEngine products. The flaw lies in an outdated third-party XML signature library (Apache Santuario) used to validate SAML responses, so any affected product with SAML-based single sign-on enabled (and, for some products, any that had ever had it enabled) was exploitable.
In addition to the ManageEngine vulnerability, the attackers also took advantage of CVE-2022-42475 to infiltrate the organization’s Fortinet firewall device. This bug, disclosed by Fortinet in December 2022 while it was already being exploited in the wild as a zero-day, is a heap-based buffer overflow in the FortiOS SSL-VPN daemon. Exploiting it, unauthenticated remote attackers can execute arbitrary code or commands by sending specially crafted requests.
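The practical question for a defender reading the paragraph above is what a failed or partial exploitation attempt against the SSL-VPN daemon leaves behind. Fortinet’s advisory for this flaw points to crash records for the `sslvpnd` process, so the following added example (written for this page, not code from Fortinet, CISA or the article’s source) parses FortiOS-style `key="value"` event-log lines and returns those where `sslvpnd` died with signal 11. The log lines are constructed to imitate that format; the log IDs, PIDs, firmware string and backtrace addresses are placeholders, not real captures.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample FortiOS event-log lines (not real captures). The first
# imitates the sslvpnd crash record that Fortinet's FG-IR-22-398 advisory lists
# as an indicator for CVE-2022-42475; the others are benign noise. The logid,
# pid, firmware and backtrace values are placeholders.
SAMPLE_LOGS = [
    'date=2022-12-10 time=03:14:07 logid="0100032547" type="event" subtype="system" '
    'level="critical" vd="root" logdesc="Application crashed" '
    'msg="Pid: 1172, application: sslvpnd, Firmware: FortiGate-100F v7.0.5,build0304,220805 (GA), '
    'Signal 11 received, Backtrace: [0x7f3e2a1c0] [0x7f3e2a2d8]"',
    'date=2022-12-10 time=03:14:09 logid="0100032001" type="event" subtype="system" '
    'level="information" vd="root" logdesc="Admin login successful" '
    'msg="Administrator admin logged in successfully from https(203.0.113.5)"',
    'date=2022-12-10 time=03:15:00 logid="0100032547" type="event" subtype="system" '
    'level="critical" vd="root" logdesc="Application crashed" '
    'msg="Pid: 880, application: ipsengine, Firmware: FortiGate-100F v7.0.5,build0304,220805 (GA), '
    'Signal 11 received, Backtrace: [0x5566a0]"',
]

# key=value pairs; values are either a double-quoted string (may contain
# spaces and escaped quotes) or a run of non-whitespace characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# sslvpnd crashing with SIGSEGV; tolerant of "application:sslvpnd" vs
# "application: sslvpnd" spacing differences between firmware builds.
_SSLVPND_CRASH_RE = re.compile(r'application:\s*sslvpnd\b.*Signal 11 received', re.IGNORECASE)


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split one FortiOS key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        value = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
        fields[key] = value
    return fields


def find_sslvpnd_crashes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed records in which sslvpnd died with signal 11.

    A segfault in the SSL-VPN daemon is consistent with a failed or partial
    attempt to trigger the heap overflow, so each hit should be correlated
    with VPN logins around that time and with a filesystem check of the
    device. A crash alone is not proof of compromise.
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("logdesc") != "Application crashed":
            continue
        if _SSLVPND_CRASH_RE.search(rec.get("msg", "")):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_sslvpnd_crashes(SAMPLE_LOGS):
        print(f'{rec["date"]} {rec["time"]} vd={rec["vd"]} :: {rec["msg"]}')
```

Run it against exported FortiGate event logs (or a SIEM export in the same key=value form) rather than the embedded samples; the second crash record is deliberately for a different daemon so the filter has to look at the process name, not just at `logdesc`.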
Following the incident, the Cyber National Mission Force urged organizations to review and implement recommended mitigation strategies. This includes adopting the cross-sector cybersecurity performance goals outlined by the Cybersecurity and Infrastructure Security Agency (CISA), as well as following the National Security Agency’s (NSA) best practices for securing remotely accessible software.
This attack is not the first time Iranian APTs have targeted the interests of the US federal government. In November 2022, US agencies reported that an Iranian government-sponsored group had exploited the Log4Shell vulnerability in an unpatched VMware Horizon server at a Federal Civilian Executive Branch (FCEB) organization and used the foothold to deploy crypto-mining malware.
The incident is a reminder of the persistent threat posed by state-sponsored actors, and of how little novelty they need: both flaws here had vendor fixes and public warnings available before the intrusion. Organizations, especially those in critical sectors such as aviation, should treat internet-facing management software and VPN appliances as priority patch targets, track government vulnerability alerts rather than only vendor release notes, and, where a patch was applied late, hunt for signs of earlier compromise instead of assuming the update closed the door.
