Image: mostafa meraji (unsplash)
Government-backed hacker groups penetrated a prominent U.S. aeronautical entity by exploiting significant Zoho and Fortinet vulnerabilities. This was divulged in a joint advisory issued by CISA, the FBI, and the United States Cyber Command (USCYBERCOM) on Thursday.
The exact identities of the hacking collectives responsible for this intrusion remain undisclosed. Although the advisory did not directly attribute the breach to a particular nation, USCYBERCOM associated these cyber adversaries with Iranian cyber activities.
From February to April, CISA took part in the incident response. It found that these hacker groups had been present in the aeronautical organization’s systems since at least January. The initial access came through a compromised internet-facing server that ran both Zoho ManageEngine ServiceDesk Plus and a Fortinet firewall.
The advisory stated that “CISA, FBI, and CNMF have verified that certain nation-state advanced persistent threat (APT) actors harnessed CVE-2022-47966, enabling unauthorized access to a public application (Zoho ManageEngine ServiceDesk Plus). They subsequently maintained persistence and maneuvered across the network. This flaw facilitates remote code execution on the ManageEngine application. Furthermore, other APT entities utilized CVE-2022-42475 to mark their presence on the organization’s firewall apparatus.”
These U.S. agencies cautioned that such hacking entities continually search for vulnerable outward-facing devices, particularly those lacking protection against critical and easily exploitable security defects.
Once these hackers establish a foothold within a network, they sustain their presence on the compromised network devices. Such devices are believed to serve as pivots for lateral movement inside the compromised networks, as malicious infrastructure, or both.
To safeguard network assets, experts recommend adopting the mitigations outlined in the advisory and following the NSA’s guidelines for infrastructure security. These measures include patching all systems against known vulnerabilities, monitoring for unauthorized use of remote access software, and deleting redundant (inactive) user accounts and groups, with particular attention to accounts holding elevated privileges.
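Two of the mitigations above, removing inactive accounts (privileged ones first) and spotting remote access software that nobody approved, lend themselves to a routine audit. The script below is an added example, not code from the advisory or the agencies; it runs over constructed account and process inventories, and the privileged group names, the remote-access watchlist and the per-host allowlist are assumptions a team would replace with its own.

```python
"""Audit constructed account and process inventories for two of the advisory's
mitigations: stale accounts (privileged first) and unapproved remote access software.
All sample data below is constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Groups treated as privileged (assumption: common AD and Linux admin groups).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "sudo", "wheel"}

# Executable names of remote access tools to look for (constructed watchlist).
REMOTE_ACCESS_WATCHLIST = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    groups: frozenset
    last_logon: Optional[date]  # None means the account has never logged on


@dataclass(frozen=True)
class Process:
    host: str
    image: str  # executable name as reported by the host
    user: str


def is_privileged(acct: Account) -> bool:
    return bool(acct.groups & PRIVILEGED_GROUPS)


def stale_accounts(accounts: List[Account], today: date, max_idle_days: int = 90) -> List[dict]:
    """Return enabled accounts idle for more than max_idle_days, privileged ones first."""
    cutoff = today - timedelta(days=max_idle_days)
    flagged = []
    for acct in accounts:
        never = acct.last_logon is None
        idle = never or acct.last_logon < cutoff
        if acct.enabled and idle:
            flagged.append({
                "name": acct.name,
                "privileged": is_privileged(acct),
                "reason": "never logged on" if never else f"idle since {acct.last_logon.isoformat()}",
            })
    # Privileged accounts sort first so they are reviewed and removed before the rest.
    flagged.sort(key=lambda f: (not f["privileged"], f["name"]))
    return flagged


def unexpected_remote_access(processes: List[Process], approved: Dict[str, Set[str]]) -> List[dict]:
    """Return watchlisted remote access processes not approved for the host they run on."""
    hits = []
    for proc in processes:
        image = proc.image.lower()
        if image in REMOTE_ACCESS_WATCHLIST and image not in approved.get(proc.host, set()):
            hits.append({"host": proc.host, "image": proc.image, "user": proc.user})
    return hits


# Constructed sample inventories.
SAMPLE_ACCOUNTS = [
    Account("svc_backup", True, frozenset({"Domain Admins"}), date(2023, 3, 1)),
    Account("jdoe", True, frozenset({"Domain Users"}), date(2023, 9, 6)),
    Account("contractor_temp", True, frozenset({"Domain Users"}), None),
    Account("old_admin", False, frozenset({"Administrators"}), date(2022, 11, 1)),  # already disabled
]
SAMPLE_PROCESSES = [
    Process("helpdesk-01", "TeamViewer.exe", "helpdesk"),   # approved on this host
    Process("fileserver-02", "AnyDesk.exe", "SYSTEM"),      # no approval on a file server
    Process("workstation-17", "explorer.exe", "jdoe"),      # not a remote access tool
]
APPROVED_REMOTE_ACCESS = {"helpdesk-01": {"teamviewer.exe"}}
AUDIT_DATE = date(2023, 9, 8)  # constructed "today" so the run is reproducible


def run_audit():
    return (stale_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE),
            unexpected_remote_access(SAMPLE_PROCESSES, APPROVED_REMOTE_ACCESS))


if __name__ == "__main__":
    stale, remote = run_audit()
    for finding in stale:
        tag = "PRIVILEGED" if finding["privileged"] else "standard"
        print(f"stale account: {finding['name']} ({tag}, {finding['reason']})")
    for hit in remote:
        print(f"unapproved remote access: {hit['image']} on {hit['host']} as {hit['user']}")
```

In practice the inventories would come from directory and endpoint exports rather than inline lists, and the 90-day idle threshold and the allowlist are policy decisions; the point is that privileged stale accounts surface at the top of the report and that an allowlist keeps sanctioned helpdesk tools from drowning out the genuinely unexpected ones.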
In the past, the urgency to fortify systems has been highlighted on multiple occasions:
- CISA had directed federal entities to bolster their defenses against CVE-2022-47966 exploits in January. This directive followed close on the heels of cybercriminals aiming at unprotected ManageEngine instances online, particularly after the public unveiling of an exploit’s proof-of-concept.
- Later, the North Korean Lazarus hacker collective leveraged the Zoho vulnerability, managing to penetrate healthcare institutions and a primary internet infrastructure service provider.
- Separate warnings from the FBI and CISA highlighted the continuous efforts of state-backed entities to exploit ManageEngine defects, targeting sectors like finance and health.
- Similarly, the CVE-2022-42475 vulnerability in FortiOS SSL-VPN had been used in attacks against governmental entities and similar high-profile targets, as Fortinet disclosed in January. Fortinet further noted that additional malicious payloads had been downloaded onto the compromised systems during these breaches, payloads that were not recovered for subsequent analysis.
Users had first been urged to patch their systems against active exploitation in December, after Fortinet silently fixed the flaw on November 28 without publicly acknowledging that it was being exploited.