Aviation sector organization hit by exploit of CVE duo

News By Daniel Michan Published on September 8, 2023

According to an advisory published by federal authorities on Thursday, a recent attack on an organization in the aeronautical sector was carried out by exploiting known vulnerabilities in Zoho and Fortinet products.

The advisory said the attack involved the exploitation of two separate vulnerabilities (CVEs), each serving as a different initial access vector, and that multiple nation-state advanced persistent threat (APT) actors employed overlapping tactics, techniques, and procedures (TTPs) during the intrusion.

The advisory did not disclose the identity of the victim organization, the threat actors involved, or the nation-states behind them. Nor did it say how many APT actors took part in the operation against this single entity.

This multiparty, multi-exploit attack on an infrastructure organization in the aeronautical industry underscores that several APT actors will converge on organizations deemed crucial to U.S. national security, economic stability, and public safety.

Allan Liska, a threat intelligence analyst and solutions architect at Recorded Future, said via email that there is an overwhelming surge of attacks targeting all organizations, particularly those categorized as critical infrastructure.

According to a timeline of events reconstructed during CISA's incident response, the APT activity began on January 18, 2023 and continued for roughly seven weeks.

The alert noted that APT actors routinely scan internet-facing devices for vulnerabilities that are easy to exploit.

Officials emphasized that malicious cyber actors remain interested in firewalls, VPNs, and other edge network infrastructure. Once compromised, such devices can be used to expand access into the victim network, serve as attack infrastructure for the actors, or both.

In mid-January, APT actors first exploited CVE-2022-47966, a vulnerability that allows unauthenticated remote code execution across a range of Zoho ManageEngine on-premises products when SAML single sign-on is, or has ever been, enabled.

The Zoho vulnerability gave the APT actors access through a public-facing instance of Zoho ManageEngine ServiceDesk Plus; from there they downloaded malware, collected user credentials, and moved laterally through the victim's network.

Although CISA, the FBI, and the Cyber National Mission Force (CNMF) investigated for months, through April, they were unable to determine whether proprietary data was accessed, altered, or exfiltrated through this exploit. The targeted organization did not have centralized data storage, and CISA had only limited network sensor coverage, so the evidence needed to answer that question was never collected.

According to the advisory, beginning as early as February 1, further threat actors exploited CVE-2022-42475, a heap-based buffer overflow in the SSL-VPN component of Fortinet's FortiOS, on the organization's firewall.

Through this exploit the actors compromised legitimate administrative account credentials, exfiltrated data from the organization's firewall device, and installed multiple web shells on the organization's web servers.
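Web shells dropped on web servers are one of the few artifacts in this intrusion that a defender can hunt for directly. The script below is an added example, not code from the advisory or from the article's author: it walks a web server document root, flags files with server-executable extensions that were modified after a baseline date (here the January 18, 2023 start of the timeline described above) or that contain common command-execution primitives, and reports the reasons for each hit. The sample document root, file names, and pattern list are constructed for the demonstration and are not indicators from the advisory; the pattern list is illustrative, not exhaustive.

```python
"""
Added example (not from the CISA advisory or the article): a minimal web shell
hunt over a web server document root.  It flags server-executable files that
were written after a baseline timestamp or that contain primitives commonly
seen in web shells.  The sample tree built below is constructed for this
demonstration only.
"""
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# File types a web server will execute; an attacker drops the shell in one of these.
WEB_EXECUTABLE = {".jsp", ".jspx", ".aspx", ".asp", ".ashx", ".php", ".phtml"}

# Primitives that commonly appear in web shells.  Illustrative, not exhaustive.
SUSPICIOUS = [
    re.compile(rb"Runtime\.getRuntime\(\)\.exec"),                      # Java/JSP command exec
    re.compile(rb"new\s+ProcessBuilder\("),                            # Java/JSP command exec
    re.compile(rb"Process\.Start\("),                                  # ASP.NET command exec
    re.compile(rb"\b(eval|assert|passthru|shell_exec|system|popen)\s*\(\s*\$_(GET|POST|REQUEST)", re.I),
    re.compile(rb"base64_decode\s*\(", re.I),                          # payload decoding layer
    re.compile(rb'request\.getParameter\("?cmd"?\)', re.I),            # classic "cmd" parameter
]

# Start of the intrusion timeline given in the advisory; anything newer deserves a look.
BASELINE = datetime(2023, 1, 18, tzinfo=timezone.utc).timestamp()


def scan_webroot(root, baseline_epoch):
    """Return a list of (relative_path, reasons) for files worth triage."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXECUTABLE:
            continue
        reasons = []
        if path.stat().st_mtime >= baseline_epoch:
            reasons.append("modified after baseline")
        data = path.read_bytes()
        for pat in SUSPICIOUS:
            if pat.search(data):
                reasons.append("matches " + pat.pattern.decode())
        if reasons:
            findings.append((str(path.relative_to(root)), reasons))
    return findings


def _backdate(path, year, month, day):
    """Set a file's mtime/atime to a date before the baseline (constructed data)."""
    ts = datetime(year, month, day, tzinfo=timezone.utc).timestamp()
    os.utime(path, (ts, ts))


def build_sample_webroot():
    """Constructed sample tree: benign old page, benign new page, old ASPX, planted JSP shell."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.jsp").write_bytes(b"<html><body>Hello</body></html>")
    _backdate(root / "index.jsp", 2022, 6, 1)
    # A page legitimately updated after the baseline: flagged on mtime only, so a human triages it.
    (root / "news.jsp").write_bytes(b"<html><body>Maintenance window notice</body></html>")
    (root / "legacy.aspx").write_bytes(b'<%@ Page Language="C#" %>')
    _backdate(root / "legacy.aspx", 2021, 3, 15)
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(b"\x89PNG")          # not executable, ignored
    # The planted shell: new file hidden in a static directory, takes a "cmd" parameter.
    (root / "images" / "x.jsp").write_bytes(
        b'<%@ page import="java.io.*" %>'
        b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>'
    )
    return root


if __name__ == "__main__":
    for rel, why in scan_webroot(build_sample_webroot(), BASELINE):
        print(rel, "->", "; ".join(why))
```

On a real host, run it against the actual document root with a baseline taken from your own timeline (first known malicious activity, last verified-clean backup), and treat an mtime-only hit as a triage item rather than a verdict: attackers can reset timestamps, and legitimate deployments also write new files. Content matches are the stronger signal, but only for shells that use the primitives listed, so pair this with a file-integrity baseline of the web root where one exists.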

It is not uncommon for separate cyber threat actors to target the same victim at the same time. This is especially true of nation-state-linked actors, which often go after the same types of targets. Liska said that, given the aerospace industry's value, it would not be surprising to see multiple cyber threat groups exploiting vulnerabilities to gain access to the valuable intelligence held by companies operating in that sector.