The Cybersecurity and Infrastructure Agency (CISA) released a report on Sept. 7 revealing that hackers took advantage of major vulnerabilities in the Zoho ManageEngine ServiceDesk Plus systems to move laterally through their network.
The report, which was carried out by CISA from January to April, confirmed the attacks and their methods, as well as provided evidence that the attack may have been carried out as early as January.
“Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network,” it reads.
Researchers concluded that the hackers carried out a variety of operations, including TTPs across multiple threat actors, and a multi-stage plan that saw the hackers obtain control of the victim’s firewall and distribute malware.
“Per the activity conducted, APT actors often scan internet-facing devices for vulnerabilities that can be easily exploited. Firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors,” researchers say.
“When targeted, they can be leveraged to expand targeted network access, serve as malicious infrastructure, or a mixture of both.”
While the report details that the threat actors were state-sponsored, it doesn’t directly state which state it was, nor if any proprietary information was stolen.
Previously, the same threat actors carried out an attack on Fortinet, taking advantage of an extreme vulnerability (CVE-2022-42475) to move across their network.
In both cases, the actors made sure to wipe key logs to obfuscate their movements, as well as remove admin account credentials to maintain full control over the networks. CISA recommends companies use security tokens (2FA), and follow strict security practices to avoid having their credentials stolen.
CISA also provides a list of highly technical, but effective mitigation practices you can read here.