A joint advisory released by the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and US Cyber Command’s Cyber National Mission Force (CNMF) has revealed that several nation-state actors exploited two vulnerabilities to target an organization in the aeronautical sector. The advisory, which was released yesterday, sheds light on the threat activity and provides recommendations for detection and risk mitigation.
The threat actors gained access to the organization through two vulnerabilities – CVE-2022-47966 in Zoho ManageEngine ServiceDesk Plus and CVE-2022-42475 in FortiOS SSL-VPN. Patches for both vulnerabilities have been available since earlier this year. The joint advisory stresses the importance of applying patches and updates promptly to protect against such exploitation.
The advisory highlights that the threat actors, who remain unidentified, employ similar tactics, techniques, and procedures (TTPs), indicating a possible connection between their activities. It is unclear whether these multiple advanced persistent threat (APT) actors are associated with different nation-states or are different agencies of the same state. The joint advisory does not provide any explicit attribution of the threat actors involved.
However, based on previous incidents, Iran and North Korea are speculated to be likely candidates. Both countries have previously exploited the Zoho vulnerability. The Lazarus Group, believed to have ties to North Korea, used the Zoho ManageEngine ServiceDesk vulnerability in attacks against infrastructure providers and healthcare organizations earlier this year, as reported by Cisco’s Talos researchers last month. Similarly, multiple sources have pointed to Iranian exploitation of the vulnerability: Microsoft Security researchers observed Iran’s Mint Sandstorm (also known as PHOSPHORUS, APT35, APT42, Charming Kitten, and TA453) exploiting it back in April.
The joint advisory serves as a reminder of the ongoing interest of these nation-state actors in targeting internet-facing devices such as firewalls and virtual private network (VPN) appliances. These edge network devices remain attractive targets for malicious cyber actors because they are exposed to the internet and their vulnerabilities can be readily exploited.
It is crucial for organizations operating in critical sectors to take note of this joint advisory and implement the recommended measures for detection and risk mitigation. Regularly updating and patching software vulnerabilities, along with employing strong cybersecurity measures, can significantly reduce the risk of successful cyberattacks.
In conclusion, the joint advisory issued by CISA, FBI, and CNMF highlights the exploitation of two vulnerabilities by nation-state actors targeting a company in the aeronautical sector. Although the advisory does not explicitly name the threat actors involved, previous incidents point to Iran and North Korea as potential suspects. The advisory underlines the importance of promptly applying patches and updates, while also emphasizing the need for heightened vigilance and robust cybersecurity practices to defend against such attacks. Organizations are urged to take the necessary actions outlined in the advisory to safeguard their networks and systems from hostile nation-state activity.
