
Multiple nation-state hackers target undisclosed U.S. aerospace company.
Multiple nation-state hackers reportedly exploited two vulnerabilities to target an undisclosed aerospace company in the United States this year. According to an advisory from the Cybersecurity and Infrastructure Security Agency (CISA), signs of a security breach within the affected organization were detected as early as January. In response, the FBI and U.S. Cyber Command also issued alerts.
Hackers used one of the identified vulnerabilities, CVE-2022-47966, as their entry point to compromise the organization’s web server, which hosted the Zoho ManageEngine ServiceDesk Plus application. This software serves various purposes, including IT service management, incident handling, service quality improvement, and task automation. This vulnerability in Zoho ManageEngine products allowed hackers to remotely execute malicious code.
In the incident observed by CISA, attackers exploited this flaw to gain complete control of the organization’s web server, creating a user account with administrative privileges in the process. Subsequently, they downloaded malware, collected user credentials, and navigated through the organization’s network. It remains unclear whether they accessed, tampered with, or exfiltrated sensitive data.
The advisory highlighted, “The organization’s failure to clearly define the central location of their data, coupled with CISA’s limited network coverage, contributed to this situation.”
Another vulnerability that nation-state hackers used to target the aerospace organization was CVE-2022-42475, affecting Fortinet devices. This vulnerability came to light in late 2022 during an investigation into a compromised firewall. It enabled attackers to establish a presence on the organization’s firewall device.
To exploit this bug, the hackers employed the login credentials of an administrative account from a contractor who was no longer affiliated with the organization. The organization had already deactivated this user account before the suspicious activity occurred.
CISA’s analysis revealed that in this campaign, hackers frequently used deactivated administrative accounts and deleted logs from critical servers, making it challenging to detect subsequent attacks or data breaches.
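As an added example (not part of this article or of the CISA advisory), the following Python detection sketch checks authentication logs for the two behaviours described above: successful logins by accounts that a directory marks as deactivated (or that the directory does not know at all), and audit-log clearing events. The account list, the log line format and the log lines themselves are constructed for illustration and are not taken from the incident.

```python
"""
Added example: flag logins by deactivated or unknown accounts, and flag
log-clearing events. All inputs below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed account directory: username -> True if enabled, False if
# deactivated. A real deployment would pull this from the identity provider.
ACCOUNTS: Dict[str, bool] = {
    "jsmith": True,
    "svc_backup": True,
    "contractor_admin": False,   # deactivated; must never authenticate
}

# Constructed log lines in a simple "timestamp host event user[ src]" layout.
SAMPLE_LOG = """\
2023-01-05T02:13:44Z fw01 auth_success user=jsmith src=10.0.0.12
2023-01-05T02:15:09Z fw01 auth_success user=contractor_admin src=203.0.113.7
2023-01-05T02:20:31Z web01 auth_failure user=svc_backup src=10.0.0.44
2023-01-05T02:41:00Z web01 audit_log_cleared user=contractor_admin
2023-01-05T03:02:12Z fw01 auth_success user=unknown_user src=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) user=(?P<user>\S+)"
    r"(?: src=(?P<src>\S+))?$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    reason: str


def analyze(log_text: str, accounts: Dict[str, bool]) -> List[Alert]:
    """Return one Alert per suspicious line, in log order."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ev = m.groupdict()
        if ev["event"] == "auth_success":
            enabled = accounts.get(ev["user"])
            if enabled is None:
                # A login by a name the directory has never seen is at least
                # as suspicious as a deactivated account coming back to life.
                alerts.append(Alert(ev["ts"], ev["host"], ev["user"],
                                    "login by account not in directory"))
            elif not enabled:
                alerts.append(Alert(ev["ts"], ev["host"], ev["user"],
                                    "login by deactivated account"))
        elif ev["event"] == "audit_log_cleared":
            # Log clearing on a critical server is worth an alert regardless
            # of which account did it.
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"],
                                "audit log cleared"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG, ACCOUNTS):
        print(f"{a.ts} {a.host} {a.user}: {a.reason}")
```

The failed login by an enabled account is deliberately not flagged, so that the output stays focused on the two signals the advisory singles out; the checks assume the directory is the source of truth for account state, which is exactly what the deactivated contractor account in the incident undermined when it was still usable on the firewall.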
CISA advises organizations to promptly report any suspicious or criminal activity related to the exploitation of these vulnerabilities.