Exploits of a pair of known vulnerabilities in Zoho and Fortinet products are behind attacks on an aeronautical sector organization earlier this year, federal authorities said Thursday in a joint advisory.
The dual-CVE exploit of unrelated initial access vectors featured an “array of threat actor activity,” including overlapping tactics, techniques and procedures from multiple nation-state APT actors, the Cybersecurity and Infrastructure Security Agency, FBI and Cyber National Mission Force said in the advisory.
Cybersecurity authorities did not identify the victim, threat actors or nation states linked to these attacks. They also did not disclose the number of APT actors involved in this attack against a single entity.
The multiparty, multi-exploit attack against a critical infrastructure sector organization in the aeronautical industry stresses the extent to which APT actors will collaborate to initiate attacks against one organization designated as vital to U.S. national security, economic security and public safety.
“Right now the scope and scale of attacks, targeted and opportunistic, being leveled at all organizations but especially those organizations that are labeled critical infrastructure is overwhelming,” Allan Liska, threat intelligence analyst and solutions architect at Recorded Future, said via email.
The APT actors’ activity began Jan. 18 and continued for seven weeks, according to a timeline of events discovered during CISA’s incident response.
“APT actors often scan internet-facing devices for vulnerabilities that can be easily exploited,” the alert said.
“Firewalls, VPNs, and other edge network infrastructure continue to be of interest to malicious cyber actors. When targeted, they can be leveraged to expand targeted network access, serve as malicious infrastructure, or a mixture of both,” officials said.
APT actors initially exploited CVE-2022-47966, which allows remote-code execution across multiple Zoho ManageEngine on-premise products, in mid-January, officials said.
The Zoho vulnerability exploit allowed APT actors to download malware, collect administrative user credentials and move laterally through the victim’s network after gaining access to a public-facing instance of Zoho ManageEngine ServiceDesk Plus.
Despite a monthslong engagement that ended in April, CISA, the FBI and CNMF were unable to determine if proprietary data was accessed, altered or exfiltrated via this exploit. The targeted organization did not have data centrally located and CISA had limited network sensor coverage, officials said.
Other APT actors exploited CVE-2022-42475, a heap-based overflow vulnerability in Fortinet’s FortiOS, starting Feb. 1, according to the advisory.
This follow-on exploit of the Fortinet vulnerability led to the compromise of legitimate administrative account credentials, data exfiltration from the organization’s firewall device and multiple web shell installs on the organization’s web servers.
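The web shell installs described above are the kind of artifact an incident responder hunts for on a compromised web server. The following triage script is an added example written for this article; it is not code from the CISA/FBI/CNMF advisory, and the file names, directory layout and file contents it scans are constructed samples, not indicators from the incident. It walks a web root, looks only at server-side script files, and scores each one on how many web-shell-like constructs it contains (command execution, request-parameter-driven input, payload decoding) plus whether it was modified recently, so that a responder can rank candidates rather than read every file.

```python
"""Triage aid for suspected web shell drops on a web server (added example).

Walks a web root, inspects server-side script files and ranks the ones that
combine constructs a web shell needs (command execution, request-controlled
input, payload decoding) with a recent modification time. It is a ranking aid
for an incident responder, not a definitive classifier.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Extensions of server-side scripts worth inspecting (assumption: Java/PHP/.NET hosts).
SCRIPT_EXTENSIONS = {".jsp", ".jspx", ".php", ".aspx", ".ashx"}

# Each pattern is paired with a short reason so every finding is explainable.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"Runtime\.getRuntime\(\)\.exec", re.I), "java command execution"),
    (re.compile(r"ProcessBuilder", re.I), "java process spawn"),
    (re.compile(r"\b(shell_exec|passthru|proc_open|popen|system)\s*\(", re.I), "php command execution"),
    (re.compile(r"\beval\s*\(", re.I), "dynamic code evaluation"),
    (re.compile(r"base64_decode|FromBase64String|Base64\.getDecoder", re.I), "base64 decoding of payload"),
    (re.compile(r"(request\.getParameter|\$_(GET|POST|REQUEST)|Request\[)", re.I), "request-controlled input"),
]


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)
    recently_modified: bool = False

    @property
    def score(self) -> int:
        # One point per matched construct, plus one if the file changed recently.
        return len(self.reasons) + (1 if self.recently_modified else 0)


def inspect_file(path: str, now: float, window_days: int = 30) -> Optional[Finding]:
    """Return a Finding for one script file, or None if nothing matched."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return None
    reasons = [why for pattern, why in SUSPICIOUS_PATTERNS if pattern.search(text)]
    if not reasons:
        return None
    age_seconds = now - os.path.getmtime(path)
    return Finding(path, reasons, age_seconds < window_days * 86400)


def scan_tree(root: str, min_score: int = 3, now: Optional[float] = None) -> List[Finding]:
    """Walk the web root and return findings at or above min_score, highest first."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            finding = inspect_file(os.path.join(dirpath, name), now)
            if finding and finding.score >= min_score:
                findings.append(finding)
    return sorted(findings, key=lambda f: f.score, reverse=True)


def build_sample_tree() -> str:
    """Create a constructed web root with benign, legacy and suspect files."""
    root = tempfile.mkdtemp(prefix="webroot_sample_")
    os.makedirs(os.path.join(root, "uploads"))
    os.makedirs(os.path.join(root, "legacy"))
    samples = {
        # Benign static page: no suspicious constructs at all.
        "index.jsp": "<html><body>Status page (constructed benign sample)</body></html>",
        # Benign dynamic page: reads a request parameter, nothing more.
        "search.jsp": 'String q = request.getParameter("q"); // constructed benign sample',
        # Suspect drop in an upload directory; deliberately not valid JSP.
        "uploads/x.jsp": ("constructed sample, not valid JSP: request.getParameter(\"cmd\") "
                          "... Runtime.getRuntime().exec(...) ... Base64.getDecoder()"),
        # Old internal tool that spawns processes; flagged only at a lower threshold.
        "legacy/tool.jsp": ("constructed sample: new ProcessBuilder(...) with "
                            "request.getParameter(\"job\")"),
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    # Age the legacy tool by 200 days so the recency signal does not fire for it.
    old = time.time() - 200 * 86400
    os.utime(os.path.join(root, "legacy", "tool.jsp"), (old, old))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for f in scan_tree(sample_root, min_score=2):
        print(f"{f.score}  {os.path.relpath(f.path, sample_root)}  {', '.join(f.reasons)}")
```

With the default threshold of 3, only the upload-directory file is reported; lowering `min_score` to 2 also surfaces the legacy tool and the search page, which is the trade-off between noise and recall a responder tunes by hand. Recency is deliberately only one point so that an old, known-bad file is still ranked on its content.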
Cyberattacks involving multiple APTs targeting the same victim are common and bound to happen with so many nation-state-linked actors pursuing the same types of organizations, according to Liska.
“The aerospace industry is of incredible value to a wide range of APTs, so it would not surprise me to see multiple APTs exploiting vulnerabilities to gain access to any intelligence held by the company,” Liska said.