
Cybersecurity Breach: US Aeronautical Organization Falls Victim to Zoho and Fortinet Vulnerabilities


Cyberwarfare Strikes US Aeronautical Organization: Exploitation of Zoho and Fortinet Vulnerabilities

An Overview of the Attack

In early January 2023, an advanced persistent threat (APT) group used known vulnerabilities in Zoho ManageEngine and Fortinet VPN products to hack into an organization in the aeronautical sector. The joint report from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber Command’s Cyber National Mission Force (CNMF) reveals that multiple APTs exploited two specific vulnerabilities to gain access to the organization’s network. The first vulnerability, CVE-2022-47966, allows remote attackers to execute arbitrary code on affected systems, and the second vulnerability, CVE-2022-42475, impacts multiple Fortinet VPN versions.

By exploiting CVE-2022-47966, the attackers were able to gain root-level access to the web server hosting Zoho ManageEngine ServiceDesk Plus. They then created a local user account with administrative privileges, performed reconnaissance, deployed malware, harvested credentials, and moved laterally into the network. It is uncertain whether proprietary information was accessed, altered, or exfiltrated, because the organization had no clear picture of where its data was located and only limited network sensor coverage.

Another APT group exploited CVE-2022-42475 to compromise the organization’s firewall device and establish multiple VPN connections. They disabled admin credentials, deleted logs to hide their activities, and used various readily available tools to carry out their attack, including credential-dumping tools such as Mimikatz and remote access tools such as anydesk.exe.
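The behaviours described in the two paragraphs above (a freshly created local account being added to the administrators group, a disabled account being re-enabled, the audit log being cleared, and well-known tools such as Mimikatz and anydesk.exe being launched) are all visible in host event logs if someone is watching for them. The script below is an added example, not part of the advisory or this article: it runs a few simple detection rules over constructed sample log lines. The key=value line format is invented for the example and is not real Windows event text (real event schemas name fields differently), but the event IDs it keys on (4720 user created, 4722 user enabled, 4732 member added to a local group, 1102 audit log cleared, 4688 process created) are the standard Windows Security event IDs. Account names and paths in the sample are constructed.

```python
"""Detection rules for the host-level behaviours described in the article.

Added example (not from the advisory or the article). Log lines are in a
constructed "<timestamp> Key=Value ..." format, not real Windows event text.
"""
from datetime import datetime, timedelta

# Constructed sample log; the account names and paths are invented.
SAMPLE_LOG = """\
2023-01-04T02:10:01Z EventID=4624 TargetUserName=jdoe LogonType=10
2023-01-04T02:14:30Z EventID=4720 TargetUserName=support2 SubjectUserName=www-svc
2023-01-04T02:14:32Z EventID=4732 TargetUserName=support2 GroupName=Administrators
2023-01-04T02:20:11Z EventID=4688 NewProcessName=C:\\Users\\support2\\x\\mimikatz.exe
2023-01-04T02:25:40Z EventID=4722 TargetUserName=contractor_old SubjectUserName=support2
2023-01-04T02:40:00Z EventID=4688 NewProcessName=C:\\ProgramData\\anydesk.exe
2023-01-04T03:00:00Z EventID=1102 SubjectUserName=support2
2023-01-04T09:00:00Z EventID=4688 NewProcessName=C:\\Windows\\System32\\notepad.exe
"""

# Tool names taken from the article; extend with your own watchlist.
SUSPICIOUS_TOOLS = {"mimikatz.exe", "anydesk.exe"}
ADMIN_GROUPS = {"administrators"}
# A 4720 followed by a 4732 into an admin group within this window is treated
# as "new account created straight into local admins".
LINK_WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Turn one constructed log line into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def detect(log_text):
    """Return (rule, subject) findings in log order."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    created = {}  # account name -> time of 4720 (account created)
    for ev in events:
        eid = ev.get("EventID")
        if eid == "4720":
            created[ev["TargetUserName"]] = ev["ts"]
        elif eid == "4732" and ev.get("GroupName", "").lower() in ADMIN_GROUPS:
            user = ev["TargetUserName"]
            when = created.get(user)
            if when is not None and ev["ts"] - when <= LINK_WINDOW:
                findings.append(("new_local_admin", user))
            else:
                findings.append(("admin_group_change", user))
        elif eid == "4722":
            # A disabled account coming back to life is what the article
            # describes for the former contractor's credentials.
            findings.append(("account_reenabled", ev["TargetUserName"]))
        elif eid == "1102":
            findings.append(("audit_log_cleared", ev.get("SubjectUserName", "?")))
        elif eid == "4688":
            path = ev.get("NewProcessName", "").replace("\\", "/")
            exe = path.rsplit("/", 1)[-1].lower()
            if exe in SUSPICIOUS_TOOLS:
                findings.append(("known_tool", exe))
    return findings


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_LOG):
        print(f"{rule:20s} {subject}")
```

Process-name matching on its own is weak (renaming the binary defeats it), so in practice the 4688 rule would be backed by file hashes or signer checks; the account-creation and log-clearing rules are the more durable signals here, and an 1102 event on a server that nobody administers at that hour deserves a ticket by itself.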

The Fallout and Lessons Learned

The breach highlights several critical issues in both cybersecurity and organizational practices. Firstly, the fact that these vulnerabilities were known and had even been patched before the attacks should serve as a reminder of the urgent need for organizations to regularly update their software and apply security patches promptly. In this case, the organization failed to patch the vulnerabilities promptly, leading to a critical breach.

Secondly, the lack of clarity regarding data location and limited network sensor coverage hindered the investigation and prevented a thorough assessment of the breach's impact. Organizations must have a clear understanding of where their data is stored and implement robust network monitoring and detection systems to detect and respond to potential breaches effectively.

Furthermore, the attackers exploited disabled credentials from a previously hired contractor, indicating the importance of maintaining strong access management practices. Organizations should routinely review and disable unnecessary user accounts and ensure that access privileges are promptly revoked when an employee or contractor leaves the organization.

International Cyberwarfare and the Role of Attribution

This attack raises larger questions about international cyberwarfare and the role of attribution. While the joint report does not explicitly attribute the attack to a specific nation-state, the mention of Chinese hackers exploiting a zero-day vulnerability in the Fortinet VPN suggests possible involvement. Attribution in the world of cyberwarfare remains a complex and challenging task, often involving intelligence agencies and cybersecurity experts.

In the realm of cyberwarfare, there is an ongoing debate about the appropriate response to state-sponsored cyberattacks. Some argue for active retaliation and counterattacks, while others advocate for diplomatic efforts and international cooperation to establish norms and rules for cyberspace. Regardless of the response, it is essential for nations to invest in robust defensive capabilities, improve international coordination, and promote responsible behavior in cyberspace.

Recommendations for Enhanced Cybersecurity

In light of this breach, organizations, especially those operating in critical sectors such as aviation, should take immediate action to strengthen their cybersecurity posture. The following steps are recommended:

1. Regularly update and patch all software and systems to address known vulnerabilities promptly.
2. Implement comprehensive network monitoring and detection systems to identify and respond to any suspicious activities.
3. Maintain strong access management practices, including regularly reviewing and disabling unnecessary user accounts and promptly revoking access privileges for employees and contractors who no longer require them.
4. Clearly define and regularly reassess data storage and location to ensure proper protection and visibility.
5. Conduct regular cybersecurity training for employees to raise awareness of best practices and potential threats.
6. Foster collaboration and information-sharing within the industry to stay abreast of emerging threats and vulnerabilities.
7. Advocate for international cooperation and the establishment of norms and rules for cyberspace to curb state-sponsored cyberattacks.
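Recommendation 3 above, and the earlier point about the former contractor's disabled credentials, come down to a periodic join between the directory and the HR roster. The script below is an added example and not part of the article or the advisory: it flags enabled accounts whose owner has left, enabled accounts with no HR record (typical of forgotten service or contractor accounts), and enabled accounts that have not logged on within a chosen window. The directory export and the HR roster are constructed inline; the 90-day threshold is an assumed policy value.

```python
"""Access review: enabled accounts that should not be enabled.

Added example (not from the article). Inputs are constructed: a directory
export of (account, enabled, last_logon) and an HR roster of account -> status.
"""
from datetime import date

INACTIVE_DAYS = 90  # assumed policy threshold

# Constructed directory export: (account, enabled, last logon ISO date or None)
ACCOUNTS = [
    ("jdoe", True, "2023-01-03"),
    ("contractor_old", True, "2022-06-15"),
    ("svc_backup", True, None),
    ("mlee", False, "2022-11-01"),
    ("asmith", True, "2022-12-28"),
]

# Constructed HR roster; accounts missing here have no known owner.
HR_ROSTER = {
    "jdoe": "active",
    "contractor_old": "departed",
    "mlee": "departed",
    "asmith": "active",
}


def review_accounts(accounts, roster, today, inactive_days=INACTIVE_DAYS):
    """Return [(account, [reasons])] for enabled accounts needing action."""
    findings = []
    for name, enabled, last_logon in accounts:
        if not enabled:
            continue  # already disabled: nothing to revoke
        reasons = []
        status = roster.get(name)
        if status == "departed":
            reasons.append("owner departed")
        elif status is None:
            reasons.append("no HR record")
        if last_logon is None:
            reasons.append("never logged on")
        elif (today - date.fromisoformat(last_logon)).days > inactive_days:
            reasons.append(f"inactive > {inactive_days} days")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in review_accounts(ACCOUNTS, HR_ROSTER, date(2023, 1, 10)):
        print(f"{name}: {', '.join(reasons)}")
```

The "owner departed" rule is the one that matters most for the incident described: offboarding should disable the account the day the contractor leaves, and this review is the backstop that catches the cases where it did not happen or where the account was quietly re-enabled later.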

Conclusion

The cyberattack on the aeronautical organization highlights the persistent threat of cyberwarfare and the importance of robust cybersecurity measures. It serves as a reminder for organizations, governments, and individuals alike to remain vigilant and proactive in securing their digital infrastructure. Enhanced software patching, network monitoring, access management, and international cooperation are essential for a safer digital future.
