Security News > 2023 > September > CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency on Thursday warned that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems.
"Nation-state advanced persistent threat actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application, establish persistence, and move laterally through the network," according to a joint alert published by the agency, alongside Federal Bureau of Investigation, and Cyber National Mission Force.
Following the successful exploitation of CVE-2022-47966, the threat actors obtained root-level access to the web server and took steps to download additional malware, enumerate the network, collect administrative user credentials, and move laterally through the network.
The entity in question is also said to have been breached using a second initial access vector that entailed the exploitation of CVE-2022-42475, a severe bug in Fortinet FortiOS SSL-VPN, to access the firewall.
The attackers have also been observed initiating multiple Transport Layer Security-encrypted sessions to multiple IP addresses, indicating data transfer from the firewall device, in addition to leveraging valid credentials to hop from the firewall to a web server and deploy web shells for backdoor access.
What's more, the actors attempted to exploit a known Apache Log4j vulnerability in the ServiceDesk system for initial access but were ultimately unsuccessful.
News URL
https://thehackernews.com/2023/09/cisa-warning-nation-state-hackers.html
Related news
- Chinese Hackers Exploit Visual Studio Code in Southeast Asian Cyberattacks (source)
- Hackers targeting WhatsUp Gold with public exploit since August (source)
- Fortinet confirms data breach after hacker claims to steal 440GB of files (source)
- CISA urges software devs to weed out XSS vulnerabilities (source)
- Hackers Exploit Default Credentials in FOUNDATION Software to Breach Construction Firms (source)
- Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware (source)
- CISA: Hackers target industrial systems using “unsophisticated methods” (source)
- CISA says critical Fortinet RCE flaw now exploited in attacks (source)
- CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches (source)
- CISA adds fresh Ivanti vuln, critical Fortinet bug to hall of shame (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-01-18 | CVE-2022-47966 | Unspecified vulnerability in Zohocorp products Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. | 9.8 |
| 2023-01-02 | CVE-2022-42475 | Out-of-bounds Write vulnerability in Fortinet Fortios A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. | 9.8 |