A US aviation organization was compromised by Iranian-backed hackers who exploited vulnerabilities in Zoho and Fortinet products, according to a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the United States Cyber Command (USCYBERCOM) on Thursday.
How the hackers breached the network
The hackers gained access to the network by exploiting an internet-exposed server running Zoho ManageEngine ServiceDesk Plus and a Fortinet firewall. The Zoho vulnerability (CVE-2022-47966) was a zero-day flaw that allowed remote code execution on unpatched servers. The Fortinet vulnerability (CVE-2022-42475) was a path traversal bug that enabled attackers to download system files from vulnerable devices.
CISA, FBI, and CNMF confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network, the advisory stated.
The threat groups involved have not been identified, but a press release from USCYBERCOM has linked the malicious actors to Iranian exploitation efforts.
How long the hackers stayed in the network
CISA was involved in the incident response between February and April and stated that the hacking groups had infiltrated the aviation organization’s network since at least January. The hackers maintained persistence on hacked network infrastructure components, which could be used for lateral movement within the victims’ networks, as malicious infrastructure, or both.
The advisory did not disclose the name of the aviation organization or the impact of the breach on its operations. However, it warned that given Iran’s past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors.
How to prevent and mitigate such attacks
The advisory recommended that network defenders apply the mitigations shared in the document and follow the National Security Agency's best practices for securing infrastructure. These practices include:
- Securing all systems against all known exploited vulnerabilities
- Monitoring for unauthorized use of remote access software
- Removing unnecessary accounts and groups, especially privileged accounts
- Implementing multi-factor authentication
- Enabling logging and auditing capabilities
- Segmenting networks to limit lateral movement
The advisory also urged organizations to report any suspicious or malicious activity to CISA or the FBI.
Both Zoho and Fortinet have released patches for their respective vulnerabilities. Zoho issued a fix for CVE-2022-47966 in January, while Fortinet addressed CVE-2022-42475 in May 2021.
This is not the first time that Iranian hackers have targeted critical infrastructure using Zoho and Fortinet flaws. In January, CISA directed federal agencies to secure their systems against CVE-2022-47966 exploits, just days after threat actors began targeting unpatched ManageEngine instances exposed online. The North Korean Lazarus hacking group also exploited the Zoho flaw to breach healthcare organizations and an internet backbone infrastructure provider.
The CVE-2022-42475 FortiOS SSL-VPN vulnerability was also exploited as a zero-day in attacks against government organizations and related targets, as Fortinet disclosed in January. Fortinet also warned that additional malicious payloads were downloaded onto the compromised devices during the attacks, payloads that could not be retrieved for analysis.