Multiple APT Hackers Exploiting Fortinet & ManageEngine Vulnerability

FortiOS SSL-VPN safeguards against data breaches, while ManageEngine ServiceDesk Plus offers an integrated help desk and asset management for IT resources.

In early January 2023, the following security entities identified indicators of compromise (IOCs) at an Aeronautical Sector organization:

  • The Cybersecurity and Infrastructure Security Agency (CISA)
  • Federal Bureau of Investigation (FBI)
  • Cyber National Mission Force (CNMF)

Nation-state APT actors used CVE-2022-47966 for unauthorized access via Zoho ManageEngine ServiceDesk Plus, while CVE-2022-42475 was exploited to access the FortiOS SSL-VPN firewall device.

Initial Access Vectors

CISA responded at the organization’s request and found that nation-state APT actors had been present on the network since January 2023, having entered through two initial access vectors.

The two initial access vectors were:

  • Initial Access Vector 1: CVE-2022-47966 allowed the APT actors to breach the web server hosting Zoho ManageEngine ServiceDesk Plus.
  • Initial Access Vector 2: To access the firewall device of the organization, CVE-2022-42475 was exploited by the APT actors.

In addition, CISA and its partners found multiple APT actors using similar tactics. Threat actors frequently scan for and exploit vulnerabilities in internet-facing devices to expand access or to use them as malicious infrastructure, particularly:

  • Firewalls
  • VPNs
  • Edge network infrastructure

Observed IPs

The observed IP addresses were:


Tools Used by APT Actors

The tools used by the APT actors were:

Detection methods

The detection methods provided by the security analysts are:

  • Enable logging for new user creation.
  • Monitor for newly constructed scheduled tasks.
  • Monitor for API calls that may create or modify Windows services.
  • Monitor executed commands and arguments that may attempt to access credential material.
  • Monitor for user accounts logged into systems associated with RDP.
  • Monitor for newly constructed network connections associated with pings/scans.
  • Conduct full port scans (1-65535) on internet-facing systems.
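To make the listed detections concrete, here is an added example (not code from the article or from the CISA advisory) that triages constructed Windows event records against them. It assumes a mapping to the standard Security/System event IDs 4720 (user created), 4698 (scheduled task created), 7045 (service installed) and 4624 with LogonType 10 (RDP logon), and goes one step further by correlating newly created accounts with later RDP logons.

```python
import json

# Assumed mapping of the listed detection methods to standard Windows Security/System
# event IDs (my assumption; the article names the methods, not the event IDs).
DETECTIONS = {
    ("Security", 4720): ("new user account created", "TargetUserName"),
    ("Security", 4698): ("scheduled task created", "TaskName"),
    ("System", 7045): ("new service installed", "ServiceName"),
    ("Security", 4624): ("RDP logon", "TargetUserName"),
}

# Constructed sample telemetry in JSON-lines form, not real events from the incident.
SAMPLE_EVENTS = """\
{"channel": "Security", "event_id": 4720, "host": "SDP-WEB01", "data": {"TargetUserName": "svc_backup2"}}
{"channel": "Security", "event_id": 4698, "host": "SDP-WEB01", "data": {"TaskName": "Updater"}}
{"channel": "System", "event_id": 7045, "host": "SDP-WEB01", "data": {"ServiceName": "WinHelper"}}
{"channel": "Security", "event_id": 4624, "host": "FILE01", "data": {"LogonType": "10", "TargetUserName": "svc_backup2", "IpAddress": "10.10.5.21"}}
{"channel": "Security", "event_id": 4624, "host": "FILE01", "data": {"LogonType": "3", "TargetUserName": "alice", "IpAddress": "10.10.5.30"}}
{"channel": "Security", "event_id": 4663, "host": "FILE01", "data": {"ObjectName": "readme.txt"}}
"""

def parse(jsonl):
    """Yield one event dict per non-empty JSON line."""
    for line in jsonl.splitlines():
        if line.strip():
            yield json.loads(line)

def classify(event):
    """Return a finding dict if the event matches a listed detection method, else None."""
    key = (event["channel"], event["event_id"])
    if key not in DETECTIONS:
        return None
    label, field = DETECTIONS[key]
    data = event.get("data", {})
    # 4624 fires for every logon; keep only RemoteInteractive (RDP) logons, LogonType 10.
    if key == ("Security", 4624) and data.get("LogonType") != "10":
        return None
    return {"host": event["host"], "finding": label, "subject": data.get(field),
            "source_ip": data.get("IpAddress")}

def triage(jsonl):
    """Return one finding per matching event, in log order."""
    return [f for f in map(classify, parse(jsonl)) if f]

def new_accounts_seen_over_rdp(jsonl):
    """Correlate two of the listed methods: accounts created that then log on over RDP."""
    findings = triage(jsonl)
    created = {f["subject"] for f in findings if f["finding"] == "new user account created"}
    rdp = {f["subject"] for f in findings if f["finding"] == "RDP logon"}
    return sorted(created & rdp)
```

On the constructed input, four of the six events produce findings, and the correlation singles out the one account that was both created and used over RDP.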

Mitigations

The provided mitigations are:

  • Manage vulnerabilities and configurations properly.
  • Segment the network.
  • Manage accounts, permissions, and workstations properly.
  • Secure remote access software.
  • Audit all scheduled tasks.
  • Validate all findings.
  • Use application allowlists.
  • Verify all security controls properly.

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
