Nation-state actors exploit Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus, CISA warns

U.S. CISA warned that nation-state actors are exploiting flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that nation-state actors are exploiting security vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus.

The US agency has detected the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023.

The state-sponsored hackers exploited the CVE-2022-47966 RCE vulnerability in Zoho ManageEngine. The CVE-2022-47966 flaw is an unauthenticated remote code execution vulnerability that impacts multiple Zoho products with SAML SSO enabled in the ManageEngine setup. The issue also impacts products that had the feature enabled in the past. The vulnerability was addressed by the company on October 27th, 2022.

The root cause of the problem is that ManageEngine products use an outdated third-party dependency, Apache Santuario.

“This vulnerability allows an unauthenticated adversary to execute arbitrary code when the above SAML SSO criteria is met.” reads the advisory.

In January, Horizon3 researchers released last week a proof-of-concept (PoC) exploit for the CVE-2022-47966 along with technical analysis. The experts developed the PoC exploit by examining the differences between ServiceDesk Plus version 14003 and version 14004. 

“The vulnerability allows an attacker to gain remote code execution by issuing a HTTP POST request containing a malicious SAML response. This vulnerability is a result of  using an outdated version of Apache Santuario for XML signature validation.” reads the analysis. “One of the critical pieces is understanding that the information flow uses the client’s browser to relay all information between the Service Provider (SP) and the Identity Provider (IDP). In this attack, we send a request containing malicious SAML XML directly to the service provider’s Assertion Consumer (ACS) URL.”

The researchers tested their PoC exploit against Endpoint Central, however, they believe it can work on many of the ManageEngine products that share some of their codebase with ServiceDesk Plus or EndpointCentral.

“The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023.” reads the alert published by the US CISA. “Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application.”

The US CISA also reported that multiple APT groups were observed exploiting CVE-2022-42475 to establish a presence on the organization’s firewall device.

In December, Fortinet urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.

The CVE-2022-42475 flaw is a heap-based buffer overflow weakness that resides in FortiOS sslvpnd that allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution.

“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.” reads the advisory published by the security vendor. “Fortinet is aware of an instance where this vulnerability was exploited in the wild,”

In the attack detailed in the CISA alert, as early as January 2023, APT actors exploited the vulnerability CVE-2022-47966 for initial access to the target organization. The attackers gained access to a web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus.

Threat actors achieved root level access on the web server and created a local user account named ‘Azure’ with administrative privileges.

Then the nation-state actors downloaded malware, enumerated the network, collected administrative user credentials, and performed lateral movement. It is unclear if the attackers gained access to proprietary information or altered it.

“Additional APT actors exploited CVE-2022-42475 on the organization’s firewall device, which was indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. It was identified that APT actors compromised and used disabled, legitimate administrative account credentials [T1078.003] from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity.” continues the alert. “Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment [T1070.001]. This prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers were also unable to further track the activity due to the organization not having Network Address Translation (NAT) IP logging enabled.”

The attackers have initiated multiple Transport Layer Security (TLS)-encrypted sessions to multiple IP addresses, indicating successful exchanges of data transfer from the firewall device.

Nation-state actors disabled administrative account credentials to delete logs from several critical servers in the targeted network.

The attackers used a Meterpreter as an interactive shell that allowed them remotely control the system.

Between early-February and mid-March 2023, the government experts observed the presence of anydesk.exe on three hosts. The attackers compromised one host and moved laterally to install the executable on the remaining two.

The actors used the legitimate ConnectWise ScreenConnect client to download and utilize the credential dumping tool Mimikats.

The attackers also failed in attempting to to exploit the CVE-2021-44228 Apache Log4j vulnerability in the ServiceDesk system.

“Advance persistent threat actors often scan internet-facing devices for vulnerabilities that can be easily be exploited and will continue to do so.” concludes the alert published by US Cyber Command.

“CNMF and our interagency partners urge organizations to review this CSA and implement the recommended mitigation strategies, which include CISA’s cross-sector cybersecurity performance goals and NSA’s recommended best practices for securing remotely accessible software.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet FortiOS SSL-VPN)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

London hospitals canceled over 800 operations in the week after Synnovis ransomware attack

NHS England confirmed that multiple London hospitals impacted by the ransomware attack at Synnovis were…

9 hours ago

DORA Compliance Strategy for Business Leaders

In January 2025, European financial and insurance institutions, their business partners and providers, must comply…

1 day ago

CISA adds Android Pixel, Microsoft Windows, Progress Telerik Report Server bugs to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Android Pixel, Microsoft Windows, Progress Telerik Report…

2 days ago

City of Cleveland still working to fully restore systems impacted by a cyber attack

Early this week, the City of Cleveland suffered a cyber attack that impacted multiple services.…

2 days ago

Two Ukrainians accused of spreading Russian propaganda and hack soldiers’ phones

Ukraine’s security service (SBU) detained two individuals accused of supporting Russian intelligence in spreading propaganda…

2 days ago

Google fixed an actively exploited zero-day in the Pixel Firmware

Google is warning of a security vulnerability impacting its Pixel Firmware that has been actively…

3 days ago

This website uses cookies.