CISA, FBI, CNMF detail multiple nation-state hackers striking aeronautical sector using Zoho ManageEngine vulnerabilities 

U.S. agencies released on Thursday a joint advisory to highlight the presence of indicators of compromise (IOCs) at an aeronautical sector organization as early as January 2023. The document confirms nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. The vulnerability allows for remote code execution (RCE) on the ManageEngine application. 

Additional APT hackers were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device. The advisory also provides network defenders with tactics, techniques, and procedures (TTPs), IOCs, and methods to detect and protect against similar exploitation.

The advisory also revealed that in January the APT actors attempted to exploit a known Apache Log4j vulnerability (CVE-2021-44228) in the ServiceDesk system but were unsuccessful. This vulnerability was detected in late 2021 in Apache’s Log4j software library and was rated ‘severe’ at the time.

“Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) said in their latest advisory. “This vulnerability allows for remote code execution on the ManageEngine application. Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s firewall device.”

The advisory disclosed that by request of the impacted organization, CISA conducted an incident response engagement from February to April 2023. CISA and co-sealers assess that beginning as early as January 2023, multiple nation-state APT hackers were present on the organization’s network via at least two initial access vectors. It also identified that the APT hackers were able to leverage disabled administrative accounts, and clear logs on several critical servers, which prevented the ability to detect follow-on exploitation or data exfiltration. 

The first initial access vector enabled APT actors to exploit CVE-2022-47966 to access the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. “As early as January 2023, APT actors exploited CVE-2022-47966 for initial access to the organization’s web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. CISA observed indications in log files that a connection to the known malicious IP address 192.142.226[.]153 was made as part of initial exploitation,” the notice disclosed.

“Through exploitation of CVE-2022-47966, APT actors achieved root level access on the web server and created a local user account named Azure with administrative privileges,” according to the advisory. “Actors were further able to download malware, enumerate the network, collect administrative user credentials, and move laterally through the organization’s network. CISA and co-sealers were unable to determine if proprietary information was accessed, altered, or exfiltrated. This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage.”

The cybersecurity advisory revealed that the second initial access vector allowed APT hackers to exploit CVE-2022-42475 to access the organization’s firewall device. “CISA and co-sealers identified an array of threat actor activity, to include overlapping TTPs across multiple APT actors. Per the activity conducted, APT actors often scan internet-facing devices for vulnerabilities that can be easily exploited. Firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors. When targeted, they can be leveraged to expand targeted network access, serve as malicious infrastructure, or a mixture of both,” it added.

It added that the hackers exploited CVE-2022-42475 on the organization’s firewall device, which was indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. “It was identified that APT actors compromised and used disabled, legitimate administrative account credentials from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity.”

Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment, according to the advisory. “This prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers were also unable to further track the activity due to the organization not having Network Address Translation (NAT) IP logging enabled.”

It further identified that APT hackers initiated multiple Transport Layer Security (TLS)-encrypted sessions on Transmission Control Protocol (TCP) port 10443, indicating ‘successful exchanges’ of data transfer from the firewall device. 
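The behaviors the advisory describes on the firewall and servers (successful VPN logins from known-malicious IPs, use of a disabled contractor account, TLS sessions on TCP port 10443, and logs being cleared on critical servers) are all things a defender can hunt for retrospectively if the logs survive. The script below is an added illustration of that hunt and is not code from the advisory or from CISA; the log line format, the account names, and every IP address except the advisory's 192.142.226.153 are constructed for the example (the other addresses are RFC 5737 documentation ranges used as placeholders).

```python
"""Hunt for the advisory's IOCs and behaviours over constructed firewall/server
log lines. Added example; the log format, account names and placeholder IPs are
assumptions, not values from the advisory."""
import re
from collections import Counter
from dataclasses import dataclass

# Known-malicious IP from the advisory (written 192.142.226[.]153 in the text),
# plus a constructed TEST-NET-3 placeholder standing in for a VPN source.
KNOWN_MALICIOUS_IPS = {"192.142.226.153", "203.0.113.77"}
# Accounts the organization had disabled before the activity (constructed name).
DISABLED_ACCOUNTS = {"contractor01"}
# The advisory reports TLS sessions on TCP/10443 from the firewall device.
SUSPICIOUS_PORTS = {10443}

# Constructed log format: "<date> <time> <event> src= dst= dport= [user=] result="
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+)(?: user=(?P<user>\S+))? result=(?P<result>\w+)$"
)

# Constructed sample log: five lines, four of which exercise a rule.
SAMPLE_LOG = """\
2023-01-14 03:12:51 http_conn src=10.0.5.20 dst=192.142.226.153 dport=443 result=success
2023-02-03 22:41:07 vpn_login src=203.0.113.77 dst=10.0.0.1 dport=443 user=contractor01 result=success
2023-02-03 22:45:19 tls_session src=10.0.0.1 dst=203.0.113.77 dport=10443 result=success
2023-02-04 01:02:33 vpn_login src=198.51.100.9 dst=10.0.0.1 dport=443 user=alice result=success
2023-02-05 09:10:00 log_cleared src=10.0.7.12 dst=10.0.7.12 dport=0 user=Azure result=success
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def hunt(lines):
    """Apply the four detection rules to an iterable of log lines."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        # Rule 1: any traffic to or from a known-malicious address.
        if rec["src"] in KNOWN_MALICIOUS_IPS or rec["dst"] in KNOWN_MALICIOUS_IPS:
            findings.append(Finding(n, "known_malicious_ip", f"{rec['src']} -> {rec['dst']}"))
        # Rule 2: successful VPN login with an account that should be disabled.
        if rec["event"] == "vpn_login" and rec["result"] == "success" \
                and rec["user"] in DISABLED_ACCOUNTS:
            findings.append(Finding(n, "disabled_account_login", rec["user"]))
        # Rule 3: successful session on the unusual port the advisory calls out.
        if rec["dport"] in SUSPICIOUS_PORTS and rec["result"] == "success":
            findings.append(Finding(n, "port_10443_session", f"{rec['src']} -> {rec['dst']}"))
        # Rule 4: audit log cleared on a server (anti-forensics; always worth a ticket).
        if rec["event"] == "log_cleared":
            findings.append(Finding(n, "log_cleared", f"host {rec['src']} by {rec['user']}"))
    return findings


def summarize(findings):
    """Count findings per rule so a triage view is one dict."""
    return dict(Counter(f.rule for f in findings))


def run_sample():
    """Run the hunt over the constructed sample log."""
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"line {f.line_no}: {f.rule} ({f.detail})")
    print(summarize(results))
```

The point of rule 1 is that the web-server log line and the two firewall lines each hit the same IOC list even though the advisory attributes them to different access vectors; correlating all sources against one list is what surfaces the overlap. Rule 4 is the one the organization could not benefit from here, because the logs were deleted on the servers themselves, which is why the advisory's recommendation to forward logs off-host matters as much as the detection logic.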

The agencies identified that exploitation of CVE-2022-47966 granted initial access to the public-facing application, Zoho ManageEngine ServiceDesk Plus. Multiple Zoho ManageEngine on-premises products, such as ServiceDesk Plus through 14003, allow RCE due to use of version 1.4.1 of Apache XML Security for Java (also known as xmlsec) from the Apache Santuario project. Due to the ‘xmlsec’ XSLT features by design in that version, the application is responsible for certain security protections.

The advisory recommends documenting device configurations; keeping all software up to date and patching systems for known exploited vulnerabilities; and following a routine patching cycle for all operating systems, applications, and software (including all third-party software) to mitigate the potential for exploitation. It also recommends prioritizing remediation of vulnerabilities on internet-facing systems, for example, by conducting continuous automated and/or routine vulnerability scans, and deploying security.txt files.

The agencies also identified that the organization did not employ proper network segmentation, such as a demilitarized zone (DMZ), during the initial discovery phase of the incident response. A DMZ serves as a perimeter network that protects and adds an extra layer of security to an organization’s internal local area network (LAN) from untrusted traffic.

They also recommend using proper network segmentation, such as a DMZ; using a firewall or web-application firewall (WAF) and enabling logging to prevent/detect potential exploitation attempts; and implementing network segmentation to separate network segments based on role and functionality. 

The advisory recommends using phishing-resistant multi-factor authentication (MFA) for remote access and access to any sensitive data repositories; employing strong password management alongside other attribute-based information; and implementing the principle of least privilege to decrease threat actors’ abilities to access key network resources.

It also suggests limiting the ability of a local administrator account to log in from a local interactive session and preventing access via an RDP (Remote Desktop Protocol) session; establishing policy and procedure for the prompt removal of unnecessary (disabled) accounts and groups from the enterprise that are no longer needed, especially privileged accounts, while also controlling and limiting local administration.

The document also proposed creating a change control process for all privilege escalations and role changes on user accounts; creating and deploying a secure system baseline image to all workstations; and implementing policies to block workstation-to-workstation RDP connections. 

The advisory recommends establishing a software behavior baseline to detect anomalies in behavior, and monitoring for unauthorized use of remote access software using endpoint detection tools.

Last week, CISA and the FBI released a cybersecurity advisory that disseminates QakBot infrastructure indicators of compromise (IOCs), based on FBI investigations carried out this month. Organizations have been urged to implement the provided mitigation actions to reduce the likelihood of QakBot-related activity and promote the identification of QakBot-facilitated ransomware and malware infections.
