The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about multiple nation-state actors exploiting security vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus. These actors are gaining unauthorized access to compromised systems and establishing persistence.

The warning, issued jointly by CISA, the Federal Bureau of Investigation (FBI), and the Cyber National Mission Force (CNMF), states that advanced persistent threat (APT) actors exploited CVE-2022-47966. This vulnerability allows unauthorized access to Zoho ManageEngine ServiceDesk Plus, leading to the establishment of persistence and lateral movement through the network.

Although the identities of the threat groups involved were not disclosed, US Cyber Command (USCYBERCOM) suggested the possible involvement of Iranian nation-state teams.

These findings are based on an incident response engagement conducted by CISA at an unnamed aeronautical sector organization from February to April 2023. The malicious activity is believed to have started as early as January 18, 2023.

CVE-2022-47966 refers to a critical flaw that enables remote code execution, allowing unauthenticated attackers to take complete control of vulnerable instances.

Once the attackers successfully exploited the vulnerability, they gained root-level access to the web server. They then proceeded to download additional malware, enumerate the network, collect administrative user credentials, and move laterally within the network.

It is not yet known whether any proprietary information was stolen as a result of these attacks.

The organization in question was also breached through a second initial access vector, which involved the exploitation of CVE-2022-42475, a critical bug in Fortinet FortiOS SSL-VPN, to gain access to the firewall.

CISA stated that the attackers compromised and used legitimate administrative account credentials belonging to a previously hired contractor. It was confirmed that the user had already been disabled before the observed malicious activity took place.

The attackers were observed initiating multiple Transport Layer Security (TLS)-encrypted sessions to different IP addresses, indicating data transfer from the compromised firewall device. They also leveraged valid credentials to move from the firewall to a web server and deploy web shells for backdoor access.

In both instances, the threat actors disabled administrative account credentials and deleted logs from critical servers to cover their tracks and erase evidence of their activities.

During the attacks, the anydesk.exe executable was observed on three hosts between early February and mid-March 2023. The threat actors compromised one host and then moved laterally to install the executable on the other two.

How AnyDesk was installed on each machine is currently unknown. The actors also used the legitimate ConnectWise ScreenConnect client to download and execute the Mimikatz credential-dumping tool.

The attackers also attempted to exploit the Apache Log4j vulnerability (CVE-2021-44228, also known as Log4Shell) in the ServiceDesk system for initial access, but were unsuccessful.

To protect against these ongoing attacks, organizations are advised to apply the latest updates, monitor for unauthorized use of remote access software, and eliminate unnecessary accounts and groups to prevent their exploitation.
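As an added illustration (not from the advisory or from CISA), the following Python triage routine applies the advice above to constructed process-creation and Windows Security records: it flags the remote access and credential tools named in this summary on hosts where they are not sanctioned, reports the same tool spreading across several hosts, and surfaces the log-clearing and account-disabling events the actors used to cover their tracks. The ScreenConnect client file name, the approved-host set and the Windows event IDs are assumptions, not values from the page.

```python
from collections import defaultdict

# Remote access / credential tooling named in the advisory summary above.
# The ScreenConnect client binary name is an assumption (it varies by build).
WATCHLIST = {"anydesk.exe", "screenconnect.clientservice.exe", "mimikatz.exe"}
# Hosts where remote-support software is sanctioned (constructed example).
APPROVED_HOSTS = {"helpdesk01"}
# Windows Security event IDs (assumption, not from the page):
# 1102 = audit log cleared, 4725 = user account disabled.
SUSPICIOUS_EVENT_IDS = {1102: "security log cleared", 4725: "account disabled"}


def triage(records):
    """Return (host, finding) tuples for a list of log records.

    Each record is a dict with at least 'host' and either 'image' (full path
    of a created process) or 'event_id' (Windows Security event)."""
    findings = []
    spread = defaultdict(set)  # tool name -> hosts it was seen on
    for rec in records:
        host = rec.get("host", "?")
        image = rec.get("image", "").rsplit("\\", 1)[-1].lower()
        if image in WATCHLIST and host not in APPROVED_HOSTS:
            findings.append((host, f"unapproved remote access/credential tool: {image}"))
            spread[image].add(host)
        eid = rec.get("event_id")
        if eid in SUSPICIOUS_EVENT_IDS:
            findings.append((host, SUSPICIOUS_EVENT_IDS[eid]))
    # The same tool landing on several hosts mirrors the lateral spread
    # described above; report it once as a campaign-level finding.
    for image, hosts in spread.items():
        if len(hosts) > 1:
            findings.append(("*", f"{image} seen on {len(hosts)} hosts: {sorted(hosts)}"))
    return findings


SAMPLE_LOG = [  # constructed records, not real telemetry
    {"host": "web01", "image": "C:\\Users\\Public\\anydesk.exe"},
    {"host": "fs02", "image": "C:\\Users\\Public\\anydesk.exe"},
    {"host": "helpdesk01", "image": "C:\\Program Files\\AnyDesk\\anydesk.exe"},
    {"host": "dc01", "event_id": 4725, "target_user": "svc_contractor"},
    {"host": "web01", "event_id": 1102},
    {"host": "web01", "image": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_LOG):
        print(f"{host}: {finding}")
```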
