Security News > 2023 > September > Iranian hackers breach US aviation org via ManageEngine, Fortinet bugs
State-backed hacking groups have breached a U.S. aeronautical organization using exploits targeting critical Zoho ManageEngine and Fortinet vulnerabilities, a joint advisory published by CISA, the FBI, and the United States Cyber Command revealed on Thursday.
CISA was part of the incident response between February and April and said the hacking groups had been in the compromised aviation organization's network since at least January after hacking an Internet-exposed server running Zoho ManageEngine ServiceDesk Plus and a Fortinet firewall.
CISA ordered federal agencies to secure their systems against CVE-2022-47966 exploits in January, days after threat actors started targeting unpatched ManageEngine instances exposed online to open reverse shells after proof-of-concept exploit code was released online.
Months after CISA's warning, the North Korean Lazarus hacking group also started exploiting the Zoho ManageEngine flaw, successfully breaching healthcare organizations and an internet backbone infrastructure provider.
The CVE-2022-42475 FortiOS SSL-VPN vulnerability was also exploited as a zero-day in attacks against government organizations and related targets, as Fortinet disclosed in January.
CISA issues new warning on actively exploited Ivanti MobileIron bugs.
News URL
Related news
- Hackers breach US firm over Wi-Fi from Russia in 'Nearest Neighbor Attack' (source)
- US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers (source)
- US lawmakers seek answers on alleged Salt Typhoon breach of telecom giants (source)
- Iranian hackers now exploit Windows flaw to elevate privileges (source)
- USDoD hacker behind National Public Data breach arrested in Brazil (source)
- Iranian hackers act as brokers selling critical infrastructure access (source)
- US says Chinese hackers breached multiple telecom providers (source)
- Schneider Electric confirms dev platform breach after hacker steals data (source)
- Nokia investigates breach after hacker claims to steal source code (source)
- US warns of last-minute Iranian and Russian election influence ops (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-18 | CVE-2022-47966 | Unspecified vulnerability in Zohocorp products Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. | 9.8 |
| 2023-01-02 | CVE-2022-42475 | Out-of-bounds Write vulnerability in Fortinet Fortios A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. | 9.8 |