In a collaborative alert published by CISA, along with the Federal Bureau of Investigation (FBI) and the Cyber National Mission Force (CNMF), it is reported that "Nation-state advanced persistent threat (APT) actors leveraged CVE-2022-47966 to gain unauthorized access to a publicly accessible application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network."

‍

While the specific threat groups responsible for these attacks remain undisclosed, there are indications from the U.S. Cyber Command hinting at potential involvement by Iranian nation-state actors.

‍

These findings have arisen from an incident response engagement conducted by CISA at an unnamed organization in the aeronautical sector, spanning from February to April 2023. The malicious activity appears to have initiated as early as January 18, 2023.

‍

CVE-2022-47966 represents a critical remote code execution vulnerability, allowing an unauthenticated attacker to gain complete control over vulnerable instances. Following the successful exploitation of this vulnerability, the threat actors achieved root-level access to the web server, subsequently downloading additional malware, conducting network reconnaissance, harvesting administrative user credentials, and advancing laterally within the network. At this point, it remains uncertain whether any proprietary information was exfiltrated during these attacks.

‍

In addition to CVE-2022-47966, the threat actors also exploited another entry point, leveraging CVE-2022-42475 - a severe flaw in Fortinet FortiOS SSL-VPN, granting them access to the organization's firewall.

‍

CISA disclosed that the APT actors compromised and employed disabled yet legitimate administrative account credentials from a previously contracted employee, despite confirmation from the organization that this user's account had been disabled prior to the observed malicious activity.

‍

The attackers were noted for initiating multiple Transport Layer Security (TLS)-encrypted sessions to various IP addresses, indicating data transfer from the firewall device. They further utilized valid credentials to transition from the firewall to a web server, deploying web shells for backdoor access. In both scenarios, the threat actors took measures to deactivate administrative account credentials and erase logs from critical servers, aiming to conceal their tracks.

‍

CISA observed that between early February and mid-March 2023, the "anydesk.exe" executable was identified on three hosts, with APT actors compromising one host and subsequently executing the executable on the other two.

‍

The exact method of AnyDesk installation on these machines remains unknown. Another tactic employed by the attackers involved the legitimate ConnectWise ScreenConnect client to download and execute the credential dumping tool known as Mimikatz.

‍

Additionally, the threat actors endeavored to exploit a known Apache Log4j vulnerability (CVE-2021-44228 or Log4Shell) within the ServiceDesk system for initial access, although this attempt ultimately proved unsuccessful.

‍

You can review the report here.

‍

_{Author: Nessa, Cyber Journalist}

_{Source: http://surl.li/liclq}

_{Photo: Aleksandarlittlewolf/Freepik}

‍