Hacking

Nation-state actors exploit Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus, CISA warns

U.S. CISA warned that nation-state actors are exploiting flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that nation-state actors are exploiting security vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus.

The US agency has detected the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023.

The state-sponsored hackers exploited the CVE-2022-47966 RCE vulnerability in Zoho ManageEngine. The CVE-2022-47966 flaw is an unauthenticated remote code execution vulnerability that impacts multiple Zoho products with SAML SSO enabled in the ManageEngine setup. The issue also impacts products that had the feature enabled in the past. The vulnerability was addressed by the company on October 27th, 2022.

The root cause of the problem is that ManageEngine products use an outdated third-party dependency, Apache Santuario.

“This vulnerability allows an unauthenticated adversary to execute arbitrary code when the above SAML SSO criteria is met.” reads the advisory.

In January, Horizon3 researchers released last week a proof-of-concept (PoC) exploit for the CVE-2022-47966 along with technical analysis. The experts developed the PoC exploit by examining the differences between ServiceDesk Plus version 14003 and version 14004. 

“The vulnerability allows an attacker to gain remote code execution by issuing a HTTP POST request containing a malicious SAML response. This vulnerability is a result of  using an outdated version of Apache Santuario for XML signature validation.” reads the analysis. “One of the critical pieces is understanding that the information flow uses the client’s browser to relay all information between the Service Provider (SP) and the Identity Provider (IDP). In this attack, we send a request containing malicious SAML XML directly to the service provider’s Assertion Consumer (ACS) URL.”

The researchers tested their PoC exploit against Endpoint Central, however, they believe it can work on many of the ManageEngine products that share some of their codebase with ServiceDesk Plus or EndpointCentral.

“The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023.” reads the alert published by the US CISA. “Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application.”

The US CISA also reported that multiple APT groups were observed exploiting CVE-2022-42475 to establish a presence on the organization’s firewall device.

In December, Fortinet urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.

The CVE-2022-42475 flaw is a heap-based buffer overflow weakness that resides in FortiOS sslvpnd that allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution.

“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.” reads the advisory published by the security vendor. “Fortinet is aware of an instance where this vulnerability was exploited in the wild,”

In the attack detailed in the CISA alert, as early as January 2023, APT actors exploited the vulnerability CVE-2022-47966 for initial access to the target organization. The attackers gained access to a web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus.

Threat actors achieved root level access on the web server and created a local user account named ‘Azure’ with administrative privileges.

Then the nation-state actors downloaded malware, enumerated the network, collected administrative user credentials, and performed lateral movement. It is unclear if the attackers gained access to proprietary information or altered it.

“Additional APT actors exploited CVE-2022-42475 on the organization’s firewall device, which was indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. It was identified that APT actors compromised and used disabled, legitimate administrative account credentials [T1078.003] from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity.” continues the alert. “Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment [T1070.001]. This prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers were also unable to further track the activity due to the organization not having Network Address Translation (NAT) IP logging enabled.”

The attackers have initiated multiple Transport Layer Security (TLS)-encrypted sessions to multiple IP addresses, indicating successful exchanges of data transfer from the firewall device.

Nation-state actors disabled administrative account credentials to delete logs from several critical servers in the targeted network.

The attackers used a Meterpreter as an interactive shell that allowed them remotely control the system.

Between early-February and mid-March 2023, the government experts observed the presence of anydesk.exe on three hosts. The attackers compromised one host and moved laterally to install the executable on the remaining two.

The actors used the legitimate ConnectWise ScreenConnect client to download and utilize the credential dumping tool Mimikats.

The attackers also failed in attempting to to exploit the CVE-2021-44228 Apache Log4j vulnerability in the ServiceDesk system.

“Advance persistent threat actors often scan internet-facing devices for vulnerabilities that can be easily be exploited and will continue to do so.” concludes the alert published by US Cyber Command.

“CNMF and our interagency partners urge organizations to review this CSA and implement the recommended mitigation strategies, which include CISA’s cross-sector cybersecurity performance goals and NSA’s recommended best practices for securing remotely accessible software.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet FortiOS SSL-VPN)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

SentinelOne warns of threat actors targeting its systems and high-value clients

SentinelOne warns China-linked APT group PurpleHaze attempted reconnaissance on its systems and high-value clients. Cybersecurity…

3 hours ago

Google Threat Intelligence Group (GTIG) tracked 75 actively exploited zero-day flaws in 2024

Google tracked 75 zero-day flaws exploited in 2024, down from 98 in 2023, according to…

9 hours ago

VeriSource data breach impacted 4M individuals

VeriSource breach exposed data of 4M people in Feb 2024; stolen info includes personal details…

12 hours ago

U.S. CISA adds Qualitia Active! Mail, Broadcom Brocade Fabric OS, and Commvault Web Server flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Qualitia Active! Mail, Broadcom Brocade Fabric OS,…

14 hours ago

The Turmoil Following BreachForums Shutdown: Confusion, Risks, and a New Beginning

BreachForums, a major data leak marketplace, shut down on April 15 after a MyBB 0-day…

1 day ago

Earth Kurma APT is actively targeting government and telecommunications orgs in Southeast Asia

Earth Kurma APT carried out a sophisticated campaign against government and telecommunications sectors in Southeast…

1 day ago

This website uses cookies.