Nation-state threat actors exploit Zoho and Fortinet based vulnerabilities 


Organizations in the United States are alarmed by a recent cyber attack orchestrated by multiple nation-state actors. It is a pertinent example of how state-sponsored attacks are growing more dangerous by targeting critical infrastructure sectors such as transportation.

As state-sponsored attackers grow in power, both in numbers and in the attack tooling available to them, their modus operandi keeps evolving, and organizations need to reevaluate their security strategies.

Let us explore how this attack happened and the tactics, techniques and procedures (TTPs) the attackers deployed.

The first activity was observed on January 18, 2023, and the attackers have repeatedly attempted to breach the company's defences since then. CISA and the FBI, together with Cyber National Mission Force (CNMF), have released a joint advisory regarding a group of state-sponsored attackers suspected to be from Iran.

The attackers carried out an advanced persistent threat (APT) campaign built on the exploitation of vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus.

The first access vector was exploitation of CVE-2022-47966 in Zoho ManageEngine ServiceDesk Plus, which the attackers used to move laterally across the network and establish persistence. The vulnerability is a remote code execution flaw that allowed them to take full control of the affected server's processes and activities.

Having exploited it, they gained root-level access to the web server, downloaded additional malware, began collecting administrative user credentials, and moved laterally across the network.

The attackers also used multiple compromised accounts belonging to a former contractor, whose credentials the company said had been disabled. They used Mimikatz and similar tools to harvest credentials.

Their second access vector was a firewall bypass through CVE-2022-42475 in the Fortinet FortiOS SSL-VPN. They established multiple Transport Layer Security (TLS) encrypted sessions from different IP addresses, transferring data from the firewall devices and using webshells for backdoor access.

They leveraged valid credentials to hop from the firewall to the web server. To cover their tracks, they deleted logs from all of the critical servers and removed the admin-level credentials they had used to access the network, while further exploiting existing Log4Shell vulnerabilities in the infrastructure.
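The behaviours described above (logons with credentials that should have been disabled, one account hopping between hosts, and audit logs being cleared on critical servers) are all detectable from authentication and audit telemetry. The following detection logic is an added example, not code from the SharkStriker post or from the CISA advisory; the event field names, the sample events, the disabled-account list and the critical-host list are all constructed for the example.

```python
"""Added detection example (constructed; not from the post or the advisory).

Flags three behaviours described in the post:
  1. successful logons by accounts the identity system says are disabled,
  2. a disabled account reaching several distinct hosts (lateral movement),
  3. audit logs being cleared on critical servers.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    ts: str
    host: str
    user: str
    detail: str


# Constructed sample events (not real telemetry). The schema is an assumption
# made for this example; map your own log source onto these fields.
SAMPLE_EVENTS = [
    {"ts": "2023-01-18T03:12:09Z", "host": "web01", "event": "logon",
     "user": "contractor.jdoe", "src": "203.0.113.7", "outcome": "success"},
    {"ts": "2023-01-18T03:15:44Z", "host": "web01", "event": "logon",
     "user": "svc-backup", "src": "10.0.5.12", "outcome": "success"},
    {"ts": "2023-01-18T03:40:01Z", "host": "dc01", "event": "logon",
     "user": "contractor.jdoe", "src": "10.0.8.21", "outcome": "success"},
    {"ts": "2023-01-18T04:02:17Z", "host": "dc01", "event": "audit_log_cleared",
     "user": "contractor.jdoe"},
    {"ts": "2023-01-18T04:05:30Z", "host": "fw01", "event": "logon",
     "user": "admin", "src": "198.51.100.9", "outcome": "failure"},
]

# Constructed reference data: accounts IAM reports as disabled, and the hosts
# whose logs must never be cleared outside a change window.
DISABLED_ACCOUNTS = {"contractor.jdoe", "contractor.asmith"}
CRITICAL_HOSTS = {"dc01", "web01", "fw01"}


def _successful_logon(e):
    return e["event"] == "logon" and e.get("outcome") == "success"


def disabled_account_logons(events, disabled):
    """Successful logons by accounts that should not be able to log on at all."""
    return [Finding("disabled-account-logon", e["ts"], e["host"], e["user"],
                    f"from {e.get('src', '?')}")
            for e in events if _successful_logon(e) and e["user"] in disabled]


def lateral_movement_by_disabled(events, disabled, min_hosts=2):
    """Disabled accounts that successfully logged on to >= min_hosts distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if _successful_logon(e) and e["user"] in disabled:
            hosts[e["user"]].add(e["host"])
    return {user: h for user, h in hosts.items() if len(h) >= min_hosts}


def audit_log_cleared(events, critical):
    """Audit-log clearance on a critical host is a strong anti-forensics signal."""
    return [Finding("audit-log-cleared", e["ts"], e["host"], e.get("user", "?"),
                    "audit log cleared on critical host")
            for e in events if e["event"] == "audit_log_cleared" and e["host"] in critical]


def run_detections(events, disabled=DISABLED_ACCOUNTS, critical=CRITICAL_HOSTS):
    """Run all rules and return findings ordered by timestamp."""
    findings = disabled_account_logons(events, disabled) + audit_log_cleared(events, critical)
    for user, hosts in lateral_movement_by_disabled(events, disabled).items():
        findings.append(Finding("lateral-movement-disabled-account", "-",
                                ",".join(sorted(hosts)), user, f"{len(hosts)} hosts"))
    return sorted(findings, key=lambda f: f.ts)


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.ts} host={f.host} user={f.user} {f.detail}")
```

The disabled-account rule depends on the identity system's view of account state being exported to the detection layer; if that export lags, an account that was "disabled" on paper but still valid on a server (the situation the post describes) is exactly what this rule is meant to surface.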

In their attempts to disrupt the operations of the aerospace company and steal its sensitive nation-specific data, the attackers deployed persistent attacks that continued to impact the organization's operations, causing more trouble than expected.

CISA could not collect enough information to determine how much company-specific data was erased, altered, or published. This is due to CISA's limited sensor coverage and the lack of centralized data in the victim organization.

This attack is a wake-up call for organizations that are not prioritizing information security, and it underscores the importance of round-the-clock security with continuous monitoring.

SharkStriker’s recommendations

SharkStriker recommends the following measures against the cyber risks caused by the exploitation of the Zoho and Fortinet-based vulnerabilities:

  • Keep all software patched and updated against known vulnerabilities.
  • Follow a routine patch cycle and remediate vulnerabilities on all internet-facing systems.
  • Implement the security best practices recommended by product vendors.
  • Use a firewall or web application firewall for network segmentation and for blocking malicious traffic.
  • Take assistance from SharkStriker's experts, who can help you implement security best practices and deliver round-the-clock security and visibility for your IT infrastructure using solutions such as SIEM.
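A routine patch cycle for internet-facing systems needs a check that compares what is actually deployed against the first fixed version, and for products such as FortiOS the fix lands separately in each release branch, so a device must be compared against its own branch. The script below is an added example, not code from the post or from either vendor; the fixed-version numbers in it are placeholders, the inventory is constructed, and the FortiOS version-string layout it parses is an assumption. Replace the placeholders with the fixed versions from the vendor advisories before using it.

```python
"""Added patch-status example (constructed; not from the post or the vendors).

Compares an asset inventory against a per-branch table of first fixed versions
and reports which internet-facing systems still need patching.
"""
import re
from typing import Optional

# PLACEHOLDER thresholds, constructed for this example. They are NOT the real
# fixed builds; take those from the vendor advisory for the CVE in question.
# branch_len = how many leading version components identify a release branch
# (FortiOS fixes are shipped per branch, e.g. 6.4.x / 7.0.x / 7.2.x).
PRODUCTS = {
    "fortios": {
        "branch_len": 2,
        "fixed": {"6.4": (6, 4, 90), "7.0": (7, 0, 90), "7.2": (7, 2, 90)},
    },
    # ServiceDesk Plus is versioned by a single build number: one branch, key "*".
    "servicedesk_plus": {"branch_len": 0, "fixed": {"*": (14900,)}},
}

_DOTTED = re.compile(r"\d+(?:\.\d+)+")   # prefer a dotted version like 7.2.2
_PLAIN = re.compile(r"\d+")               # fall back to a bare build number


def parse_version(raw: str) -> tuple:
    """Extract the version as an int tuple, e.g. 'FortiGate-60F v7.2.2,build1255' -> (7, 2, 2).

    The dotted pattern is tried first so that a model number such as '60F'
    does not get mistaken for the version.
    """
    m = _DOTTED.search(raw) or _PLAIN.search(raw)
    if not m:
        raise ValueError(f"no version found in {raw!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable(product: str, raw_version: str) -> Optional[bool]:
    """True if below the branch's first fixed version, False if at/above it,
    None if the branch has no fix listed (end-of-life or unknown: review manually)."""
    spec = PRODUCTS[product]
    ver = parse_version(raw_version)
    branch = ".".join(str(x) for x in ver[: spec["branch_len"]]) or "*"
    fixed = spec["fixed"].get(branch)
    if fixed is None:
        return None
    return ver < fixed   # tuple comparison; a shorter tuple (7, 2) sorts below (7, 2, 90)


# Constructed inventory of internet-facing assets (hostname, product, version string).
INVENTORY = [
    ("fw-edge-01", "fortios", "FortiGate-60F v7.2.2,build1255,221006 (GA)"),
    ("fw-edge-02", "fortios", "v7.0.95,build9999"),
    ("fw-lab-01", "fortios", "v6.2.10,build1263"),
    ("helpdesk-01", "servicedesk_plus", "ServiceDesk Plus build 14003"),
]


def patch_report(inventory):
    """Map each host to 'VULNERABLE', 'patched' or 'review' (branch without a fix)."""
    labels = {True: "VULNERABLE", False: "patched", None: "review"}
    return {host: labels[is_vulnerable(product, version)]
            for host, product, version in inventory}


if __name__ == "__main__":
    for host, status in patch_report(INVENTORY).items():
        print(f"{host:12s} {status}")
```

Returning `None` for a branch that has no fix listed, rather than silently treating it as patched, is deliberate: a device on an unsupported branch is usually the one that most needs attention.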
