State hackers from Iran are an invisible threat to American aviation

Last year's vulnerabilities in popular Zoho and Fortinet products were used for hacking.

US cybersecurity and intelligence agencies have reported that Iranian-backed hacking groups infiltrated an unnamed US aviation organization. The attackers used vulnerabilities in popular Zoho and Fortinet products to gain access to the network and move laterally within it.

In a joint statement released on September 7, the U.S. Cybersecurity and Infrastructure Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Cyberspace Command (USCYBERCOM) did not name the specific groups behind the breach, but linked them to the Iranian government.

CISA was involved in the response to the incident from February to April and reported that the hackers had been on the compromised network of the aviation organization since at least January. They hacked into an Internet-accessible server running Zoho ManageEngine ServiceDesk Plus and the Fortinet firewall.

"Attackers exploited the vulnerability CVE-2022-47966 to gain unauthorized access to a publicly available application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move around the network. This vulnerability allows remote code execution in the ManageEngine application," the statement said.

"Other hackers were also seen exploiting the CVE-2022-42475 vulnerability in FortiOS SSL VPN to establish a presence on an organization's firewall device."

According to the authorities, the attackers involved often scan Internet-accessible devices for unpatched or misconfigured software and for easily exploitable security flaws.

Once the target's network is penetrated, the hackers maintain persistence on the compromised network infrastructure components, which can then be used as relay points or as malicious infrastructure for further operations.

Network security experts recommend applying the mitigation measures described in the joint statement, as well as the NSA's best practices for ensuring infrastructure security.

These practices include ensuring that all systems are protected from all known exploitable vulnerabilities, monitoring for unauthorized use of remote access software, and deleting unnecessary accounts and groups.