Multiple APT Hacker Groups Exploiting FortiOS SSL-VPN & ManageEngine ServiceDesk Plus Flaws

FortiOS SSL-VPN is the SSL VPN service built into Fortinet's FortiOS firewall firmware, while ManageEngine ServiceDesk Plus is Zoho's integrated help desk and IT asset management application. Both are routinely exposed to the internet, which makes unpatched instances attractive entry points.

In early January 2023, the following security entities identified the presence of IOCs (indicators of compromise) at an Aeronautical Sector organization:-

  • The Cybersecurity and Infrastructure Security Agency (CISA)
  • Federal Bureau of Investigation (FBI)
  • Cyber National Mission Force (CNMF)

The nation-state APT actors exploited CVE-2022-47966, a remote code execution vulnerability in Zoho ManageEngine ServiceDesk Plus, to gain unauthorized access to that application, and CVE-2022-42475, a heap-based buffer overflow in the FortiOS SSL-VPN, to gain access to the organization's firewall device.

Initial Access Vectors

CISA responded to the organization's request for assistance and determined that nation-state APT actors had been present on the network since January 2023, having entered through two initial access vectors.

Here below, we have listed the two initial access vectors:-

  • Initial Access Vector 1: The APT actors exploited CVE-2022-47966 to gain access to the web server hosting Zoho ManageEngine ServiceDesk Plus.
  • Initial Access Vector 2: The APT actors exploited CVE-2022-42475 to gain access to the organization's firewall device.

Besides this, CISA and its partners found that multiple APT actors were involved, using similar tactics. Threat actors frequently scan for and exploit vulnerabilities in internet-facing devices, both to expand their access and to use the devices as malicious infrastructure, particularly:-

  • Firewalls
  • VPNs
  • Edge network infrastructure

Observed IPs

Here below, we have listed all the observed IP addresses (defanged with [.] so they are not clickable; refang them before loading them into a blocklist or SIEM):-

  • 192.142.226[.]153
  • 144.202.2[.]71
  • 207.246.105[.]240
  • 45.77.121[.]232
  • 47.90.240[.]218
  • 45.90.123[.]194
  • 154.6.91[.]26
  • 154.6.93[.]22
  • 154.6.93[.]5
  • 154.6.93[.]12
  • 154.6.93[.]32
  • 154.6.93[.]24
  • 184.170.241[.]27
  • 191.96.106[.]40
  • 102.129.145[.]232

Tools Used by APT Actors

Here below, we have mentioned all the tools that the APT actors used:-

Detection methods

Here below, we have mentioned all the detection methods that the advisory provides:-

  • Enable logging for new user creation.
  • Monitor for newly constructed scheduled tasks.
  • Monitor for API calls that may create or modify Windows services.
  • Monitor executed commands and arguments that may attempt to access credential material.
  • Monitor for user accounts logging into systems via RDP.
  • Monitor for newly-constructed network connections associated with pings/scans.
  • Conduct full port scans (1-65535) on internet-facing systems.
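To make the detection bullets and the observed IP list concrete, here is an added example (it is not from the advisory or this article) that sweeps constructed sample logs for both at once: the observed IP addresses listed above, refanged from their [.] form and matched against FortiGate-style key=value VPN and traffic log lines, and the host-side behaviours in the bullets, matched against simplified Windows Security/System event records (account creation, scheduled task creation, service installation, credential-dumping command lines and RDP logons). The log line format, the event field names and the credential-access command patterns are assumptions made for the example, and every sample log line and event is constructed.

```python
"""Detection sweep for the observed IOC IPs and the host behaviours listed above.

Added example, not code from the advisory or the article. Log lines are
constructed samples in an assumed FortiGate-style key=value format, and the
Windows events are constructed, flattened dicts (a real pipeline would read EVTX).
"""
import ipaddress
import re

# Observed IP addresses from the advisory, exactly as published (defanged with "[.]").
OBSERVED_IPS_DEFANGED = [
    "192.142.226[.]153", "144.202.2[.]71", "207.246.105[.]240",
    "45.77.121[.]232", "47.90.240[.]218", "45.90.123[.]194",
    "154.6.91[.]26", "154.6.93[.]22", "154.6.93[.]5", "154.6.93[.]12",
    "154.6.93[.]32", "154.6.93[.]24", "184.170.241[.]27",
    "191.96.106[.]40", "102.129.145[.]232",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a validated 1.2.3.4."""
    return str(ipaddress.ip_address(ioc.replace("[.]", ".")))  # ValueError on garbage


OBSERVED_IPS = frozenset(refang(i) for i in OBSERVED_IPS_DEFANGED)

# Constructed sample lines in an assumed FortiGate-style key=value layout.
SAMPLE_FIREWALL_LOGS = [
    'date=2023-01-10 time=03:14:07 type="event" subtype="vpn" action="ssl-login-fail" remip=154.6.93.22 user="N/A"',
    'date=2023-01-10 time=03:14:09 type="event" subtype="vpn" action="tunnel-up" remip=10.20.30.40 user="jdoe"',
    'date=2023-01-10 time=03:20:55 type="traffic" subtype="forward" action="accept" srcip=47.90.240.218 dstip=10.0.0.5 dstport=8080',
    'date=2023-01-10 time=03:21:02 type="traffic" subtype="forward" action="accept" srcip=10.0.0.7 dstip=10.0.0.5 dstport=443',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> dict:
    """Parse key=value pairs, stripping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def sweep_firewall_logs(lines):
    """Return (ip, field, action) for every line whose remote/source IP is an observed IOC."""
    hits = []
    for line in lines:
        fields = parse_kv(line)
        for key in ("remip", "srcip"):  # VPN events carry remip, traffic logs carry srcip
            if fields.get(key) in OBSERVED_IPS:
                hits.append((fields[key], key, fields.get("action", "?")))
                break
    return hits


# Event IDs matching the detection bullets (Windows Security log unless noted).
EVENT_DESCRIPTIONS = {
    4720: "user account created",
    4698: "scheduled task created",
    4697: "service installed (Security log)",
    7045: "service installed (System log)",
}
RDP_LOGON_TYPE = 10  # 4624 LogonType 10 = RemoteInteractive

# Assumed patterns for command lines that touch credential material (LSASS dumps, NTDS copies).
CREDENTIAL_ACCESS_RE = re.compile(
    r"mimikatz|sekurlsa|procdump.*lsass|comsvcs\.dll.*minidump|ntds\.dit", re.IGNORECASE
)

# Constructed sample events; field names follow the Security log's XML data names.
SAMPLE_WINDOWS_EVENTS = [
    {"EventID": 4720, "TargetUserName": "svc_backup2", "SubjectUserName": "Administrator"},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\Maintenance\\Chk", "SubjectUserName": "svc_backup2"},
    {"EventID": 7045, "ServiceName": "wuauservx", "ImagePath": "C:\\Windows\\Temp\\svc.exe"},
    {"EventID": 4688, "CommandLine": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll MiniDump 612 C:\\Windows\\Temp\\l.dmp full"},
    {"EventID": 4688, "CommandLine": "notepad.exe C:\\Users\\jdoe\\readme.txt"},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup2", "IpAddress": "154.6.93.5"},
    {"EventID": 4624, "LogonType": 3, "TargetUserName": "jdoe", "IpAddress": "10.1.1.20"},
]


def sweep_windows_events(events):
    """Return (EventID, severity, message) for events matching the detection bullets."""
    findings = []
    for e in events:
        eid = e["EventID"]
        if eid in EVENT_DESCRIPTIONS:
            detail = e.get("TargetUserName") or e.get("TaskName") or e.get("ServiceName") or ""
            findings.append((eid, "medium", f"{EVENT_DESCRIPTIONS[eid]}: {detail}"))
        elif eid == 4688 and CREDENTIAL_ACCESS_RE.search(e.get("CommandLine", "")):
            findings.append((eid, "high", f"credential-access command: {e['CommandLine']}"))
        elif eid == 4624 and e.get("LogonType") == RDP_LOGON_TYPE:
            src = e.get("IpAddress", "?")
            # An RDP logon sourced from a published IOC address deserves immediate escalation.
            sev = "high" if src in OBSERVED_IPS else "medium"
            findings.append((eid, sev, f"RDP logon {e.get('TargetUserName')} from {src}"))
    return findings


if __name__ == "__main__":
    for hit in sweep_firewall_logs(SAMPLE_FIREWALL_LOGS):
        print("firewall IOC hit:", hit)
    for finding in sweep_windows_events(SAMPLE_WINDOWS_EVENTS):
        print("host finding:", finding)
```

Run stand-alone it prints the two firewall hits (the failed SSL-VPN login from 154.6.93.22 and the accepted inbound connection from 47.90.240.218) and five host findings. The useful design point is the last branch: correlating an RDP logon's source address against the edge-device IOC list turns two medium-confidence signals from different log sources into one high-confidence finding, which is exactly the cross-check a SIEM rule for this advisory should make.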

Mitigations

Here below, we have mentioned all the provided mitigations:-

  • Manage vulnerabilities and configurations: patch internet-facing systems promptly, prioritizing known exploited vulnerabilities such as the two CVEs above.
  • Segment the network so that a compromised edge device or web server cannot reach the rest of the environment.
  • Manage accounts, permissions, and workstations properly, applying least privilege.
  • Secure remote access software and monitor its use.
  • Audit all scheduled tasks.
  • Validate all findings.
  • Use application allowlists.
  • Verify that security controls actually work by testing them against the techniques described here.


Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.