Nation-state actors exploit Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus, CISA warns

U.S. CISA warned that nation-state actors are exploiting flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that nation-state actors are exploiting security vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus.

The US agency has detected the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023.

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023.

The state-sponsored hackers exploited the CVE-2022-47966 RCE vulnerability in Zoho ManageEngine. The CVE-2022-47966 flaw is an unauthenticated remote code execution vulnerability that impacts multiple Zoho products with SAML SSO enabled in the ManageEngine setup. The issue also impacts products that had the feature enabled in the past. The vulnerability was addressed by the company on October 27th, 2022.

The root cause of the problem is that ManageEngine products use an outdated third-party dependency, Apache Santuario.

“This vulnerability allows an unauthenticated adversary to execute arbitrary code when the above SAML SSO criteria is met.” reads the advisory.

In January, Horizon3 researchers released last week a proof-of-concept (PoC) exploit for the CVE-2022-47966 along with technical analysis. The experts developed the PoC exploit by examining the differences between ServiceDesk Plus version 14003 and version 14004. 

“The vulnerability allows an attacker to gain remote code execution by issuing a HTTP POST request containing a malicious SAML response. This vulnerability is a result of  using an outdated version of Apache Santuario for XML signature validation.” reads the analysis. “One of the critical pieces is understanding that the information flow uses the client’s browser to relay all information between the Service Provider (SP) and the Identity Provider (IDP). In this attack, we send a request containing malicious SAML XML directly to the service provider’s Assertion Consumer (ACS) URL.”

The researchers tested their PoC exploit against Endpoint Central, however, they believe it can work on many of the ManageEngine products that share some of their codebase with ServiceDesk Plus or EndpointCentral.

“The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023.” reads the alert published by the US CISA. “Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application.”

The US CISA also reported that multiple APT groups were observed exploiting CVE-2022-42475 to establish a presence on the organization’s firewall device.

In December, Fortinet urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices.

The CVE-2022-42475 flaw is a heap-based buffer overflow weakness that resides in FortiOS sslvpnd that allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution.

“A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.” reads the advisory published by the security vendor. “Fortinet is aware of an instance where this vulnerability was exploited in the wild,”

In the attack detailed in the CISA alert, as early as January 2023, APT actors exploited the vulnerability CVE-2022-47966 for initial access to the target organization. The attackers gained access to a web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus.

Threat actors achieved root level access on the web server and created a local user account named ‘Azure’ with administrative privileges.

Then the nation-state actors downloaded malware, enumerated the network, collected administrative user credentials, and performed lateral movement. It is unclear if the attackers gained access to proprietary information or altered it.

“Additional APT actors exploited CVE-2022-42475 on the organization’s firewall device, which was indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. It was identified that APT actors compromised and used disabled, legitimate administrative account credentials [T1078.003] from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity.” continues the alert. “Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment [T1070.001]. This prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers were also unable to further track the activity due to the organization not having Network Address Translation (NAT) IP logging enabled.”

The attackers have initiated multiple Transport Layer Security (TLS)-encrypted sessions to multiple IP addresses, indicating successful exchanges of data transfer from the firewall device.

Nation-state actors disabled administrative account credentials to delete logs from several critical servers in the targeted network.

The attackers used a Meterpreter as an interactive shell that allowed them remotely control the system.

Between early-February and mid-March 2023, the government experts observed the presence of anydesk.exe on three hosts. The attackers compromised one host and moved laterally to install the executable on the remaining two.

The actors used the legitimate ConnectWise ScreenConnect client to download and utilize the credential dumping tool Mimikats.

The attackers also failed in attempting to to exploit the CVE-2021-44228 Apache Log4j vulnerability in the ServiceDesk system.

“Advance persistent threat actors often scan internet-facing devices for vulnerabilities that can be easily be exploited and will continue to do so.” concludes the alert published by US Cyber Command.

“CNMF and our interagency partners urge organizations to review this CSA and implement the recommended mitigation strategies, which include CISA’s cross-sector cybersecurity performance goals and NSA’s recommended best practices for securing remotely accessible software.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet FortiOS SSL-VPN)