Multiple nation-state hackers targeted aerospace company, CISA says
U.S. security agencies have reported that multiple nation-state hackers exploited two vulnerabilities to attack an undisclosed aerospace company this year.
The agencies detected signs of a security breach at the impacted organization as far back as January, the Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory on Thursday. The FBI and U.S. Cyber Command also joined in the alert.
One of the identified vulnerabilities, tracked as CVE-2022-47966, was used by hackers to access the organization’s web server hosting the Zoho ManageEngine ServiceDesk Plus application. This software is used to manage IT services, handle incidents, improve service quality and reduce manual tasks.
The vulnerability, which stems from an outdated third-party XML security library used by the products' SAML single sign-on component, allows unauthenticated attackers to execute code remotely on affected Zoho ManageEngine installations.
In the incident observed by CISA, the intruders used this flaw to gain full control of the organization’s web server and create a user account with administrative privileges. They were further able to download malware, collect user credentials, and move through the organization’s network.
Investigators could not determine whether any sensitive information was accessed, altered, or exfiltrated.
“This was due to the organization not clearly defining where their data was centrally located and CISA having limited network coverage,” the advisory said.
The second bug used against the aerospace organization was CVE-2022-42475, a heap-based buffer overflow in the SSL-VPN component of Fortinet's FortiOS. It was found being exploited in the wild in late 2022 during an investigation into a compromised firewall.
According to CISA’s advisory, it allowed attackers to establish a presence on the organization’s firewall device.
In the same activity, the hackers logged in with the credentials of an administrative account that belonged to a contractor who no longer worked for the organization. The organization had already deactivated that account before the suspicious activity began.
CISA's analysis showed that throughout the campaign the hackers repeatedly used deactivated administrative accounts and erased logs from critical servers, which made follow-on intrusion activity and any data theft hard to detect.
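The two behaviours just described, logins with accounts the directory says are disabled and log clearing on critical hosts, are both detectable if the right telemetry is kept off-box. The following script is an added illustration, not code from CISA or the affected organization: it runs a simple check over a handful of constructed syslog-style lines against a constructed account snapshot. The log format, field names (`user=`, `result=`, `action=clear_log`), host names and account names are all assumptions made for the example.

```python
"""Flag successful logins by directory-disabled accounts and audit-log
clearing events.  All data below is constructed for this example; the
field names and log shape are assumptions, not any vendor's format."""
import re
from datetime import date, datetime

# Constructed directory snapshot: who is an admin, whether the account is
# enabled, and when it was disabled.  contractor_jdoe mirrors the former
# contractor's deactivated admin account in the advisory.
DIRECTORY = {
    "svc_backup":      {"admin": True,  "enabled": True,  "disabled_on": None},
    "contractor_jdoe": {"admin": True,  "enabled": False, "disabled_on": "2022-11-15"},
    "analyst1":        {"admin": False, "enabled": True,  "disabled_on": None},
}

# Constructed sample log lines forwarded from a firewall and a server.
SAMPLE_LOG = """\
2023-01-10T02:14:07Z fw01 auth: user=contractor_jdoe src=203.0.113.7 result=success method=password
2023-01-10T02:14:09Z fw01 auth: user=analyst1 src=10.0.5.21 result=success method=password
2023-01-10T02:20:31Z fw01 auth: user=contractor_jdoe src=203.0.113.7 result=failure method=password
2023-01-11T03:02:44Z srv-sd01 audit: user=contractor_jdoe action=clear_log target=Security
2023-01-11T03:03:01Z srv-sd01 auth: user=svc_backup src=10.0.5.30 result=success method=key
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<kv>.*)$")


def parse_line(line):
    """Turn one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host"), "facility": m.group("facility")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def _event_date(ts):
    # ISO-8601 with a trailing Z; rewrite the Z so fromisoformat accepts it on 3.7+.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).date()


def find_disabled_account_logins(log_text, directory=DIRECTORY):
    """Return (host, user, reason) for each successful login that should not
    have been possible: the account is disabled (and the login happened on or
    after the disable date) or the account is unknown to the directory."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["facility"] != "auth" or ev.get("result") != "success":
            continue
        user = ev.get("user", "")
        acct = directory.get(user)
        if acct is None:
            findings.append((ev["host"], user, "account not in directory"))
        elif not acct["enabled"] and _event_date(ev["ts"]) >= date.fromisoformat(acct["disabled_on"]):
            findings.append((ev["host"], user, f"disabled on {acct['disabled_on']}"))
    return findings


def find_log_clear_events(log_text):
    """Return (host, user, log_name) for every audit event that cleared a log."""
    return [(ev["host"], ev.get("user", ""), ev.get("target", ""))
            for ev in map(parse_line, log_text.splitlines())
            if ev and ev["facility"] == "audit" and ev.get("action") == "clear_log"]


if __name__ == "__main__":
    for host, user, why in find_disabled_account_logins(SAMPLE_LOG):
        print(f"ALERT disabled-account login host={host} user={user} ({why})")
    for host, user, target in find_log_clear_events(SAMPLE_LOG):
        print(f"ALERT log cleared host={host} by={user} log={target}")
```

The point of the date comparison is to avoid alerting on historical logins that predate the deactivation, and the point of checking `audit` events separately is that a cleared log on the server itself is exactly what the attackers relied on; the detection only works because the lines were already forwarded elsewhere.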
CISA advises organizations to report suspicious or criminal activity related to the exploitation of these bugs.
Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.