In early January 2023, the following security entities discovered the presence of IOCs (indicators of compromise) at an Aeronautical Sector organization:-
- The Cybersecurity and Infrastructure Security Agency (CISA)
- Federal Bureau of Investigation (FBI)
- Cyber National Mission Force (CNMF)
Nation-state APT actors exploited CVE-2022-47966 to gain unauthorized access via Zoho ManageEngine ServiceDesk Plus, while CVE-2022-42475 was exploited to access the organization's FortiOS SSL-VPN firewall device.
Initial Access Vectors
CISA responded to the organization's request and found that nation-state APT actors had been present on the network since January 2023, having entered via two initial access vectors.
Here below, we have mentioned the two initial access vectors:-
- Initial Access Vector 1: CVE-2022-47966 allowed the APT actors to breach the web server hosting Zoho ManageEngine ServiceDesk Plus.
- Initial Access Vector 2: The APT actors exploited CVE-2022-42475 to access the organization's firewall device.
Besides this, CISA and its partners found multiple APT actors using similar tactics. Threat actors frequently scan for and exploit vulnerabilities in internet-facing devices in order to expand their access or to use those devices as malicious infrastructure, particularly:-
- Edge network infrastructure
Here below, we have mentioned all the observed IP addresses:-
Tools Used by APT Actors
Here below, we have mentioned all the tools that the APT actors used:-
Here below, we have mentioned all the detection methods provided by the security analysts:-
- Enable logging for new user creation.
- Monitor for newly constructed scheduled tasks.
- Monitor for API calls that may create or modify Windows services.
- Monitor executed commands and arguments that may attempt to access credential material.
- Monitor for user accounts logged into systems associated with RDP.
- Monitor for newly constructed network connections associated with pings/scans.
- Conduct full port scans (1-65535) on internet-facing systems.
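As an added example (not taken from the article or the CISA advisory), the Python below applies four of the detection recommendations above to Windows event records: new user creation (event ID 4720), scheduled task creation (4698), service installation (7045) and RDP logons (4624 with logon type 10), and additionally correlates a newly created account with a later RDP logon using it. The event IDs are the standard Windows ones; the host names, account names and event records are constructed sample data.

```python
"""Triage filter for the detection recommendations listed above.
Added example; the sample records below are constructed, not real telemetry."""

# Standard Windows Security/System event IDs behind the recommendations.
WATCHED = {
    4720: "new user account created",   # enable logging for new user creation
    4698: "scheduled task created",     # newly constructed scheduled tasks
    7045: "service installed",          # calls that create/modify Windows services
    4624: "RDP logon",                  # kept only when LogonType is 10 (RemoteInteractive)
}
RDP_LOGON_TYPE = "10"


def triage(events):
    """Return (alerts, correlated).

    alerts: one line per event matching a recommendation.
    correlated: accounts created during the window that were later used
    over RDP, a sequence worth prioritizing in a review of these alerts.
    Events are assumed to be in chronological order.
    """
    alerts, correlated, new_accounts = [], [], set()
    for ev in events:
        eid = ev.get("EventID")
        if eid not in WATCHED:
            continue
        if eid == 4624 and ev.get("LogonType") != RDP_LOGON_TYPE:
            continue  # console/network logons are out of scope here
        subject = ev.get("TargetUserName") or ev.get("ServiceName") or ev.get("TaskName", "?")
        alerts.append(f"{ev['Host']}: {WATCHED[eid]} ({subject})")
        if eid == 4720:
            new_accounts.add(subject)
        elif eid == 4624 and subject in new_accounts:
            correlated.append(f"{subject} created then used over RDP on {ev['Host']}")
    return alerts, correlated


# Constructed sample records (hosts and names are placeholders).
SAMPLE_EVENTS = [
    {"Host": "srv-sdp01", "EventID": 4720, "TargetUserName": "svc_backup2"},
    {"Host": "srv-sdp01", "EventID": 4698, "TaskName": "\\Updater"},
    {"Host": "ws-017", "EventID": 4624, "LogonType": "2", "TargetUserName": "jdoe"},
    {"Host": "srv-fs02", "EventID": 4624, "LogonType": "10", "TargetUserName": "svc_backup2"},
    {"Host": "srv-fs02", "EventID": 7045, "ServiceName": "WinSvcHelper"},
    {"Host": "srv-fs02", "EventID": 4634, "TargetUserName": "jdoe"},
]

if __name__ == "__main__":
    found, chained = triage(SAMPLE_EVENTS)
    print("\n".join(found + chained))
```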
Here below, we have mentioned all the provided mitigations:-
- Make sure to manage vulnerabilities and configurations properly.
- Network segmentation is necessary.
- Accounts, permissions, and workstations must be managed properly.
- Always make sure to secure remote access software.
- All scheduled tasks must be audited.
- All findings must be validated.
- Make sure to use application allowlists.
- All security controls must be verified properly.