Multiple nation-state hackers infiltrate single aviation organization
Nation-state hackers from numerous unnamed countries have infiltrated an aviation organization using vulnerabilities on internet-facing services, according to an alert on Thursday from U.S. security agencies.
The Cybersecurity and Infrastructure Security Agency, the FBI and Cyber Command’s Cyber National Mission Force all warned that malicious hackers are continuing to use vulnerabilities in Zoho and Fortinet services to gain access to networks inside the anonymous aviation sector organization.
Starting from at least Jan. 18, 2023, the hackers were on the victim's network through at least two access points: Zoho software commonly used for IT help-desk support and a Fortinet virtual private network service. CISA's incident response team was engaged from February to April at the request of the victim.
The alert is one of many from the agencies as multiple organizations are being impacted by edge devices that continue to have known and often unpatched vulnerabilities. While it's not clear which nation-state groups targeted the aviation organization, attacks against the sector and critical infrastructure organizations more broadly have spurred the Transportation Security Agency to issue cybersecurity mandates for the sector.
“Firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors. When targeted, they can be leveraged to expand targeted network access, serve as malicious infrastructure, or a mixture of both,” the alert read.
While the alert used the language “Aeronautical Sector organization,” a CISA official said that the organization is “involved in the broader aviation sector.”
The first batch of state-backed hackers used the vulnerability in Zoho ManageEngine ServiceDesk Plus, commonly found in IT management suites, from a known malicious IP address. The hackers gained root-level access, created a user account with administrative privileges and used the popular credential-dumping tool Mimikatz to dump more credentials.
(The hackers also attempted to use the now infamous Log4Shell vulnerability on Zoho’s ServiceDesk product but were unsuccessful.)
However, CISA's IR team was also unable to determine how much information was extracted or altered, largely because the victim had not kept track of where its data resided. "This was due to the organization not clearly defining where their data was centrally located and CISA having limited network sensor coverage," the alert read.
Additionally, the organization did not have "proper network segmentation," which could have limited lateral movement within its networks, the alert noted.
The Zoho vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) list just days after the exploitation of the aviation organization and a month before CISA's IR team was involved.
The second set of hackers used legitimate but disabled credentials belonging to a contractor employed at the company to gain access to the FortiOS SSL-VPN service. After the hackers made it onto the network, they deleted logs from several servers, preventing the incident response team from learning more about the activity, the alert notes.
While the Fortinet bug did not make it onto CISA’s list of top exploited vulnerabilities of 2022, it did make honorable mention in the “additional routinely exploited vulnerabilities” list.
The FortiOS vulnerability was added to CISA's KEV list in early December 2022. That bug was used to access one of the victim's firewall devices in early February 2023, according to the alert.