Nation-state threat actors exploit Zoho and Fortinet based vulnerabilities
11 Sep 2023
Organizations in the United States are in a state of panic due to a recent cyber attack orchestrated by multiple nation-state actors. It is a pertinent example of how state-sponsored attacks are becoming more dangerous by targeting critical infrastructure organizations like transport.
As state-sponsored attackers grow in power, both in numbers and cyber attack weapons, their modus operandi keeps evolving. Organizations need to reevaluate their security strategies.
Let us explore how this attack happened and the various tactics/techniques/procedures deployed by cyber attackers.
The first spark lit on January 18, 2023. Since then, cyber attackers have continuously attempted to breach the company’s security. The CISA and the FBI have released a warning with Cyber National Mission Force regarding a group of state-sponsored cyber attackers suspected to be from Iran.
The attackers have engaged in Advanced Persistent Attacks based on the exploitation of the Fortinet FortiOS SSL-VPN and Zoho Manage Engine Service Desk Plus vulnerabilities.
The first attack is when the attackers exploited the CVE 2022 47966 vulnerability in the ZOHO to laterally move across the network to establish the persistence of their attack. This vulnerability refers to the remote code execution that allowed them to take complete control of all the processes and activities.
Once they exploited the said vulnerability, they engaged in gaining root-level access to the web server and downloaded additional malware, then they started collecting administrative user credentials and moved laterally across the network.
The attackers have used multiple compromised accounts from a previous contractor whose credentials were said to be disabled by the company. They used Mimikatz and similar software for credentials.
Their second access vector was a firewall bypass by exploiting the CVE-2022-42475 vulnerability in the Fortinet FortiOS SSL VPN. They engaged in multiple Transport Layer Security encrypted sessions over different IP addresses, transferring data from firewall devices using webshells for backdoor access.
They leveraged valid credentials and hopped from the firewall to the web server. To erase their tracks and prevent getting caught, they erased their logs from all of the critical servers and deleted all of the admin-level credentials that they used to access the network engaging in further exploitation of existent log4 shell vulnerabilities inherent in the infrastructure.
In their attempts to disrupt the operation of the aerospace company and steal all of their sensitive nation-specific data, these attackers deployed persistent attacks that kept impacting the operations of the organization, causing more trouble than expected.
There wasn’t enough information that the CISA could collect as to how much company-specific information has been erased, altered, or published. This is due to the limited sensor coverage by CISA and the lack of centralization of data in the victim organization.
This attack is an alarm call for organizations that are not prioritizing their information security and it points towards the importance of round-the-clock security with continuous monitoring even more.
What is a backdoor attack?
It is any form of cyber attack that, through commonly used techniques, can give high-level access to cyber attackers. It can give them more control and access to orchestrate an attack. A backdoor is also classified as a Trojan.
It is a malicious program that pretends to be a known and trustworthy program for delivering malware. Attackers often use backdoors created as a result of a vulnerability that was left unattended.
Conclusion
Blueshell is a Trojan malware that is being widely used globally by cybercriminals to exploit security vulnerabilities and engage in backdoor cyber-attacks that are intended to inject malware that would steal data, corrupt information, or lock up their information assets.
It is imperative that businesses that have deployed Microsoft Windows, Linux, and Mac OSes at risk of getting exposed to attacks take proactive measures to secure their businesses from the rising threat of this Trojan malware-based attack.
SharkStriker’s Endpoint Detection and Response is made to defend IT infrastructure against such backdoor attacks by providing round-the-clock security against the most sophisticated threats including malware attacks. Through a team of security experts working round the clock, we will help you make the most of all of your existing security investments with the right set of configurations.