Security News > 2023 > September > CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency on Thursday warned that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems.
"Nation-state advanced persistent threat actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application, establish persistence, and move laterally through the network," according to a joint alert published by the agency, alongside Federal Bureau of Investigation, and Cyber National Mission Force.
Following the successful exploitation of CVE-2022-47966, the threat actors obtained root-level access to the web server and took steps to download additional malware, enumerate the network, collect administrative user credentials, and move laterally through the network.
The entity in question is also said to have been breached using a second initial access vector that entailed the exploitation of CVE-2022-42475, a severe bug in Fortinet FortiOS SSL-VPN, to access the firewall.
The attackers have also been observed initiating multiple Transport Layer Security-encrypted sessions to multiple IP addresses, indicating data transfer from the firewall device, in addition to leveraging valid credentials to hop from the firewall to a web server and deploy web shells for backdoor access.
What's more, the actors attempted to exploit a known Apache Log4j vulnerability in the ServiceDesk system for initial access but were ultimately unsuccessful.
News URL
https://thehackernews.com/2023/09/cisa-warning-nation-state-hackers.html
Related news
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- FBI, CISA, and NSA reveal most exploited vulnerabilities of 2023 (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables (source)
- Chinese Hackers Exploit T-Mobile and Other U.S. Telecoms in Broader Espionage Campaign (source)
- China-linked group abuses Fortinet 0-day with post-exploit VPN-credential stealer (source)
- Hackers exploit critical bug in Array Networks SSL VPN products (source)
- APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign (source)
- Hackers exploit ProjectSend flaw to backdoor exposed servers (source)
- Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-01-18 | CVE-2022-47966 | Unspecified vulnerability in Zohocorp products Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. | 9.8 |
2023-01-02 | CVE-2022-42475 | Out-of-bounds Write vulnerability in Fortinet Fortios A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. | 9.8 |