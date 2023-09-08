

Multiple Nation-State Actors Exploiting Flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus, Warns CISA

September 8, 2023
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about multiple nation-state actors exploiting security vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus. These actors are gaining unauthorized access to compromised systems and establishing persistence.

The alert, which was jointly published by CISA, the Federal Bureau of Investigation (FBI), and the Cyber National Mission Force (CNMF), states that nation-state advanced persistent threat (APT) actors have been exploiting CVE-2022-47966. This vulnerability allows unauthorized access to Zoho ManageEngine ServiceDesk Plus, leading to the establishment of persistence and lateral movement through networks.

Although the identities of the threat groups involved have not been disclosed, the U.S. Cyber Command (USCYBERCOM) has suggested the possible involvement of Iranian nation-state crews.

These findings are based on an incident response engagement conducted by CISA at an unnamed aeronautical sector organization from February to April 2023. The malicious activity is believed to have started as early as January 18, 2023.

CVE-2022-47966 is a critical flaw that enables unauthenticated remote code execution, allowing attackers to take complete control of vulnerable instances.

Once the attackers successfully exploited the vulnerability, they gained root-level access to the web server. They then proceeded to download additional malware, enumerate the network, collect administrative user credentials, and move laterally within the network.

It is not yet known if any proprietary information was stolen as a result of these attacks.

The organization in question was also breached using a second initial access vector, which involved exploiting CVE-2022-42475, a severe bug in Fortinet FortiOS SSL-VPN, in order to access the firewall.

CISA has stated that the attackers compromised and used legitimate administrative account credentials belonging to a previously hired contractor. The account had been disabled before the observed malicious activity occurred.

The attackers were observed initiating multiple Transport Layer Security (TLS)-encrypted sessions to different IP addresses, indicating data transfer from the compromised firewall device. They also leveraged valid credentials to move from the firewall to a web server and deploy web shells for backdoor access.

In both instances, the threat actors disabled administrative account credentials and deleted logs from critical servers to cover their tracks and erase evidence of their activities.

During the attacks, the anydesk.exe executable was observed on three hosts between early February and mid-March 2023. The threat actors compromised one host and then moved laterally to install the executable on the other two.

How AnyDesk was installed on each machine is not yet known. The actors also used the legitimate ConnectWise ScreenConnect client to download and run the credential dumping tool Mimikatz.

The attackers attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228 or Log4Shell) in the ServiceDesk system for initial access but were unsuccessful.

To protect against these ongoing attacks, organizations are advised to apply the latest updates, monitor for unauthorized use of remote access software, and eliminate unnecessary accounts and groups to prevent their exploitation.
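As an added example (not code from CISA, the advisory, or this article), the following Python script turns the monitoring advice above into checks over constructed process-creation records: it flags activity by accounts the directory says are disabled, remote access executables on hosts not approved for them, child processes spawned by a remote access client, and the same remote access executable appearing on several hosts. The record format, host and account names, and the allow-list are assumptions.

```python
import re
# Constructed Sysmon-like process-creation records (assumed format, not advisory data): host, user, image, parent.
SAMPLE_EVENTS = [
    r"host=WS01 user=CORP\jdoe image=C:\Windows\explorer.exe parent=C:\Windows\System32\userinit.exe",
    r"host=WS01 user=CORP\contractor_admin image=C:\Users\Public\anydesk.exe parent=C:\Windows\System32\cmd.exe",
    r"host=SRV02 user=CORP\contractor_admin image=C:\Users\Public\anydesk.exe parent=C:\Windows\System32\cmd.exe",
    r"host=SRV03 user=CORP\svc_helpdesk image=C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe parent=C:\Windows\System32\services.exe",
    r"host=SRV03 user=CORP\svc_helpdesk image=C:\Temp\mimikatz.exe parent=C:\Program Files\ScreenConnect Client\ScreenConnect.ClientService.exe",
]

# Hypothetical policy inputs: accounts the directory says are disabled, and the only hosts approved for remote access software.
DISABLED_ACCOUNTS = {r"CORP\contractor_admin"}
APPROVED_REMOTE_ACCESS_HOSTS = {"SRV03"}
REMOTE_ACCESS_IMAGES = {"anydesk.exe", "screenconnect.clientservice.exe"}
EVENT_RE = re.compile(r"host=(\S+) user=(\S+) image=(.+?) parent=(.+)$")

def parse_event(line):
    # Returns a dict for one record, or None if the line does not match the format.
    m = EVENT_RE.match(line)
    if not m:
        return None
    host, user, image, parent = m.groups()
    return {"host": host, "user": user, "image": image, "parent": parent}

def basename(path):
    # Lower-cased file name of a Windows path, so matching ignores location and case.
    return path.rsplit("\\", 1)[-1].lower()

def find_findings(lines):
    # Applies four checks drawn from the advisory's TTPs; returns (rule, host, user, image) tuples.
    findings, spread = [], {}
    for ev in filter(None, map(parse_event, lines)):
        image, parent = basename(ev["image"]), basename(ev["parent"])
        # 1. A disabled account running anything means its credentials were re-enabled or reused.
        if ev["user"] in DISABLED_ACCOUNTS:
            findings.append(("disabled-account-activity", ev["host"], ev["user"], image))
        # 2. A remote access executable on a host where it is not approved.
        if image in REMOTE_ACCESS_IMAGES:
            spread.setdefault(image, set()).add(ev["host"])
            if ev["host"] not in APPROVED_REMOTE_ACCESS_HOSTS:
                findings.append(("unapproved-remote-access-tool", ev["host"], ev["user"], image))
        # 3. A remote access client spawning a child process: tooling is being run through the session.
        if parent in REMOTE_ACCESS_IMAGES:
            findings.append(("child-of-remote-access-tool", ev["host"], ev["user"], image))
    # 4. The same remote access executable appearing on several hosts suggests lateral spread.
    for image, hosts in spread.items():
        if len(hosts) > 1:
            findings.append(("remote-access-tool-on-multiple-hosts", ",".join(sorted(hosts)), "*", image))
    return findings
```

On the constructed sample this yields six findings, including the Mimikatz process spawned under the ScreenConnect client and AnyDesk present on two hosts.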

By 薇琪斯塔夫羅普盧

