web analytics

Feds Urge Immediately Patching of Zoho and Fortinet Products – Source: www.govinfosecurity.com

feds-urge-immediately-patching-of-zoho-and-fortinet-products-–-source:-wwwgovinfosecurity.com
Rate this post

Source: www.govinfosecurity.com – Author: 1

Attack Surface Management
,
Critical Infrastructure Security
,
Cyberwarfare / Nation-State Attacks

Multiple Nation-State Hacking Groups Actively Exploiting Known Vulnerabilities

Mathew J. Schwartz (euroinfosec) •
September 8, 2023    

Feds Urge Immediately Patching of Zoho and Fortinet Products

Multiple nation-state hacking groups have been exploiting known flaws in Zoho ManageEngine software and Fortinet firewalls for which patches are available, cybersecurity officials warn.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

In a new alert, the U.S. Cybersecurity and Infrastructure Security Agency includes details of how both vulnerabilities are being exploited, via an investigation it conducted from February through April at an unnamed organization in the aeronautical sector.

CISA found that beginning in January, multiple APT groups separately exploited two different critical vulnerabilities to gain unauthorized access and exfiltrate data from the organization.

Both of the unrelated flaws – CVE-2022-47966 in Zoho ManageEngine and CVE-2022-42475 in Fortinet FortiOS SSL VPN – have been classified as being of critical severity, meaning they can be exploited to remotely execute code, allowing attackers to take control of the system and pivot to other parts of the network. Each of the vendors issued updates patching their flaws in late 2022. Researchers refer to these as N-day vulnerabilities, meaning known flaws, as opposed to zero-day vulnerability for which no patch is yet available.

The alert, issued by CISA, the FBI and U.S. Cyber Command’s Cyber National Mission Force, includes details of how attackers used each of the flaws to gain wider access to victims’ networks. The advisory doesn’t state which nation or nations’ APT groups have been tied to known exploits of these flaws. Private sector reporting has previously tied hackers aligned with China, Iran and North Korea to known exploits of these vulnerabilities.

Target: Zoho ManageEngine

Last October, Zoho warned that multiple ManageEngine OnPremise products, including such IT management tools as ServiceDesk Plus and Vulnerability Manager Plus, have an “unauthenticated remote code execution vulnerability” – CVE-2022-47966 – due to the use of “an outdated third party dependency” involving Apache Santuario. The vendor issued patches for affected products last October and November. Proof-of-concept code for exploiting the flaw appeared on Jan. 19.

In the case of the hacked aeronautical firm, the report from CISA and other U.S. government investigators says attackers exploited the vulnerability on Jan. 20 to gain root-level access to the firm’s web server hosting the public-facing Zoho ManageEngine ServiceDesk Plus application. From there, attackers downloaded further malware, explored the network, used Mimikatz to steal administrator credentials, installed a variant of Metasploit called Meterpreter, added persistence via SSH, launched remote desktop protocol connections and more.

Government investigators “were unable to determine if proprietary information was accessed, altered or exfiltrated,” the report said. “This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage.”

While the report doesn’t attribute the attack, Microsoft has reported that Iranian hackers began launching attacks targeting the vulnerability the same day that the POC code was released. The technology giant traced some of those attacks to a group it’s codenamed Mint Sandstorm, which includes the participation of the Islamic Revolutionary Guard Corps, and which is also known as APT42, Cobalt Illusion and TA453.

“Patching this vulnerability is useful beyond this specific campaign as several adversaries are exploiting CVE-2022-47966 for initial access,” Microsoft reported at the time.

Attackers have continued to abuse the flaw. Last month, Cisco Talos detailed an espionage campaign, which appeared to trace to North Korea’s Lazarus Group, that targeted the Zoho ManageEngine vulnerability to deploy a Trojan called QuiteRAT. Cisco Talos said the campaign began in May and appeared to focus on hitting U.S. and European internet backbone infrastructure and healthcare entities.

Target: Fortinet FortiOS

The aeronautical firm also fell victim to an attack – launched by a different group to the one that exploited its Zoho ManageEngine software – that gained access to its Fortinet firewall, CISA reported.

The exploited CVE-2022-42475 vulnerability in FortiOS SSL VPN devices is a “heap-based buffer overflow vulnerability” attackers can use to remotely execute code or commands, Fortinet reported when releasing patches for the flaw on Dec. 12, 2022. At that time, it said the vulnerability was already being actively exploited in the wild.

The aeronautical firm’s hacker used the flaw to access to the organization’s firewall, then made multiple VPN connections from known-malicious IP addresses, CISA said. Attackers also used legitimate credentials for a disabled administrator account previously assigned to a former contractor, investigators found.

“The organization confirmed the user had been disabled prior to the observed activity,” they reported, noting that attackers reactivated the account and also deleted logs from multiple servers. “This prevented the ability to detect follow-on exploitation or data exfiltration,” which was exacerbated by the organization having failed to enable Network Address Translation IP logging, they said. Keeping NAT IP logs helps investigators trace how packets flow from external IP addresses and ports to internal clients.

As with the Zoho vulnerability exploitation, the report doesn’t attribute the attack to any given APT group. Multiple groups may be targeting this flaw.

Last January, Google’s Mandiant incident-response division reported seeing attacks targeting the vulnerability in Fortinet’s FortiOS SSL-VPN that it suspected traced to a Chinese hacking group. “The incident continues China’s pattern of exploiting internet facing devices, specifically those used for managed security purposes,” including firewalls, intrusion prevention and detection systems and more, Mandiant reported.

“Evidence suggests the exploitation was occurring as early as October 2022,” Mandiant added, noting that “identified targets include a European government entity and a managed service provider located in Africa.”

Repeat Targets

This isn’t the first time attackers have targeted vulnerabilities for which patches are available in Zoho ManageEngine and Fortinet SSL VPN products. Last month, the U.S. and its Five Eyes intelligence partners – Australia, Canada, New Zealand and the U.K. – issued a joint security advisory detailing the 12 vulnerabilities criminals and APT groups most often exploited in 2022 (see: Patching Conundrum: 5-Year-Old Flaw Again Tops Most-Hit List).

One of those is an improper authentication flaw in Zoho ManageEngine, designated CVE-2021-40539, which the vendor patched in September 2021.

Another one of the top 12 vulnerabilities is a path traversal flaw in Fortinet SSL VPN, designated CVE-2018-13379, which the vendor patched in May 2019.

Four years later, officials warned, attackers are continuing to abuse the FortiOS flaw to gain easy access to corporate networks. “The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors,” the advisory said.

Original Post URL: https://www.govinfosecurity.com/feds-urge-immediately-patching-zoho-fortinet-products-a-23038

Category & Tags: –

Views: 0

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Joas Antonio
ChatGPT for Cybersecurity by Joas Antonio dos Santos – malwareanalysis #reverseengineering
ChatGPT for Cybersecurity by Joas...
CISO2CISO Notepad Series
How Can We Structure Cybersecurity Teams To Better Integrate Security In Agile At Scale?
How Can We Structure Cybersecurity...
OCCUPYTHEWEB
Linux Basics for Hackers by Occupytheweb
Linux Basics for Hackers by...
NIST
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) by NIST – Eran Salfati and Michael Pease
Digital Forensics and Incident Response...
Think Big Blog
Top 10 TED Talks to Learn about Cyber Security
Top 10 TED Talks to...
NCSC
NCSC Cyber Security for Small Business “SMEs” Guide.
NCSC Cyber Security for Small...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...
IZZMIER
Incident Response Playbooks & Workflows Ready for use in your SOC & Redteams
Incident Response Playbooks & Workflows...
LOGPOINT
396 Use Cases & Siem Rules Code ready for use for Mitre Attacks Events Detection in Your SOC by Logpoint
396 Use Cases & Siem...

LASTEST PUBLISHED POSTS

CASOS DE USO APLICABLES EN UN SIEM
CASOS DE USO APLICABLES EN...
IGNITE Technologies
Burp Suite for Pentester
Burp Suite for Pentester
The Institute of Internal auditors
Auditing Risk Culture
Auditing Risk Culture
DevSecOps Guide
ATTACKING PHP APPLICATIONS
ATTACKING PHP APPLICATIONS
DevSecOps Guide
ATTACKING KUBERNETES WITH SECURITY BEST PRACTICE
ATTACKING KUBERNETES WITH SECURITY BEST...
CLTC WHITE PAPER SERIES
Guidance for the Development of AI Risk and Impact Assessments
Guidance for the Development of...
Active Directory
Active Directory IT AuditChecklist
Active Directory IT AuditChecklist
A guide to business continuity planning
A guide to business continuity...
LOG RHYTHM
Using MITRE ATT&CK™ in Threat Huntingand Detection
Using MITRE ATT&CK™ in Threat...
Kaspersky
H2 2023 – A brief overviewof main incidentsin industrial cybersecurity
H2 2023 – A brief...
Andrey Prozorov
24 Great Cybersecurity Frameworks
24 Great Cybersecurity Frameworks
ENISA-EUROPA
SEGURIDAD DE TELECOMUNICACIONES
SEGURIDAD DE TELECOMUNICACIONES

More Latest Published Posts

SF-ISAC
Digital Operational Resilience Act
Digital Operational Resilience Act
SYNGRESS
DIGITAL FORENSICS WITH Open Source TOOLS
DIGITAL FORENSICS WITH Open Source TOOLS
IT REVOLUTION DEVOPS ENTERPRISE FORUM
DevOps Automated Governance Reference Architecture
DevOps Automated Governance Reference Architecture
SANS GIAC CERTIFICATIONS
Detecting Attacks on Web Applications from Log Files
Detecting Attacks on Web Applications from Log Files
EUROPEAN DATA PROTECTION SUPERVISOR
ANNUAL REPORT 2023
ANNUAL REPORT 2023
TechTarget
IT Disaster Recovery Plan Template
IT Disaster Recovery Plan Template
Opstune
IOC Scan Framework v2.0
IOC Scan Framework v2.0
Federal Office for Information Security
Indirect Prompt Injections
Indirect Prompt Injections
the Department of the Environment Climate and Communications
Guidelines on CyberSecurity Specifications
Guidelines on CyberSecurity Specifications
Edelman
INCIDENT RESPONSE REFERENCE GUIDE
INCIDENT RESPONSE REFERENCE GUIDE
Security METRICS
Security Metrics Guide to PCI DSS Compliance
Security Metrics Guide to PCI DSS Compliance
SOC TIPS Cybersecurity
Guia de Resposta a Incidentes de Segurança para LGPD
Guia de Resposta a Incidentes de Segurança para LGPD
CDCP
FIREWALL Audit CHECKLIST
FIREWALL Audit CHECKLIST
GitGuardian
Secrets Management Maturity Model
Secrets Management Maturity Model
MegaCorp One
Sample Penetration Test Report
Sample Penetration Test Report
FORTINET
Routing in FortiGate
Routing in FortiGate
FUTURE OF PRIVACY FORUM
Risk Framework Body Related Data (PD) Immersive Tech
Risk Framework Body Related Data (PD) Immersive Tech
ENISA
Remote ID Proofing Good Practices
Remote ID Proofing Good Practices
Google
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Why Red TeamsPlay a Central Rolein Helping OrganizationsSecure AI Systems
Red Canary
Threat Detection Report 2024
Threat Detection Report 2024
HADESS
Pwning the Domain Persistence
Pwning the Domain Persistence
Australian Goverment
PROTECTIVE SECURITYPOLICY FRAMEWORKSecuring government business:Protective security guidance for executive
PROTECTIVE SECURITYPOLICY FRAMEWORKSecuring government business:Protective security guidance for executive
CISC (Comité Internacional Sobre Ciberseguridad)
Política Nacional de Ciberseguridad 2023-2028
Política Nacional de Ciberseguridad 2023-2028
Google
Perspectiveson Securityfor the Board
Perspectiveson Securityfor the Board
HADESS
OSINT Method for Map Investigations
OSINT Method for Map Investigations
CCN-CERT
Observatorio Riesgos Ciberseguridad 2024
Observatorio Riesgos Ciberseguridad 2024
CYBERTHEORY
The ISMG Cybersecurity Pulse Report 2024 is a treasure trove of insights from the RSA Conference, revealing the dynamic landscape of cybersecurity. From AI to Zero Trust: A comprosive guide to the key themes and expert opinions from RSA CONFERENCE 2024 – #RSAC2024
The ISMG Cybersecurity Pulse Report 2024 is a treasure trove of insights from the RSA Conference, revealing the dynamic landscape of cybersecurity. From AI to Zero Trust: A comprosive guide to the key themes and expert opinions from RSA CONFERENCE 2024 – #RSAC2024
FORTINET
Bloking Malware Through Antivirus Security Profile in FortiGate
Bloking Malware Through Antivirus Security Profile in FortiGate