securityaffairs.com
Open in
urlscan Pro
2606:4700:3031::6815:90b
Public Scan
URL:
https://securityaffairs.com/150508/hacking/fortinet-fortios-zoho-attacks.html
Submission: On September 08 via api from TR — Scanned from DE
Submission: On September 08 via api from TR — Scanned from DE
Form analysis 3 forms found in the DOM
GET https://securityaffairs.com
<form method="get" action="https://securityaffairs.com">
<input type="search" name="s" placeholder="Search.." class="site-search-field" value="">
<input type="submit" class="sm-icon">
</form><form class="comment">
<div class="row">
<div class="col-sm-12 col-md-6 col-lg-6">
<div class="mb-3">
<input type="name" name="cmnt_auth_name" class="form-control cmnt_auth_name" placeholder="Name">
</div>
</div>
<div class="col-sm-12 col-md-6 col-lg-6">
<div class="mb-3">
<input type="email" name="cmnt_auth_email" class="form-control cmnt_auth_email" placeholder="Email">
</div>
</div>
<div class="col-sm-12 col-md-12 col-lg-12">
<div class="mb-3">
<textarea name="cmnt_msg" class="form-control cmnt_msg" placeholder="Comments" rows="3"></textarea>
</div>
</div>
<div class="col-sm-12 col-md-12 col-lg-12">
<input class="cmnt_submit_btn btn btn-blue btn-inline btn-big" type="submit" name="cmnt_submit" value="Leave comment">
<input type="hidden" name="pid" class="pid" value="MTUwNTA4">
<input type="hidden" name="parentcommentid" class="parentcommentid" value="0">
</div>
</div>
</form>POST /150508/hacking/fortinet-fortios-zoho-attacks.html#wpcf7-f149934-p150508-o1
<form action="/150508/hacking/fortinet-fortios-zoho-attacks.html#wpcf7-f149934-p150508-o1" method="post" class="wpcf7-form init" aria-label="Contact form" novalidate="novalidate" data-status="init">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="149934">
<input type="hidden" name="_wpcf7_version" value="5.8">
<input type="hidden" name="_wpcf7_locale" value="en_US">
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f149934-p150508-o1">
<input type="hidden" name="_wpcf7_container_post" value="150508">
<input type="hidden" name="_wpcf7_posted_data_hash" value="">
</div>
<div class="form-field"><span class="wpcf7-form-control-wrap" data-name="your-email"><input size="40" class="wpcf7-form-control wpcf7-email wpcf7-validates-as-required wpcf7-text wpcf7-validates-as-email" autocomplete="email" aria-required="true"
aria-invalid="false" placeholder="Your email address" value="" type="email" name="your-email"></span><input class="wpcf7-form-control wpcf7-submit has-spinner" type="submit" value="SIGN UP"><span class="wpcf7-spinner"></span></div>
<div class="wpcf7-response-output" aria-hidden="true"></div>
</form>Text Content
WE VALUE YOUR PRIVACY We and our partners store and/or access information on a device, such as cookies and process personal data, such as unique identifiers and standard information sent by a device for personalised ads and content, ad and content measurement, and audience insights, as well as to develop and improve products. With your permission we and our partners may use precise geolocation data and identification through device scanning. You may click to consent to our and our partners’ processing as described above. Alternatively you may access more detailed information and change your preferences before consenting or to refuse consenting. Please note that some processing of your personal data may not require your consent, but you have a right to object to such processing. Your preferences will apply to this website only. You can change your preferences at any time by returning to this site or visit our privacy policy. MORE OPTIONSAGREE * Home * Cyber Crime * Cyber warfare * APT * Data Breach * Deep Web * Digital ID * Hacking * Hacktivism * Intelligence * Internet of Things * Laws and regulations * Malware * Mobile * Reports * Security * Social Networks * Terrorism * ICS-SCADA * POLICIES * Contact me MUST READ Zero-days fixed by Apple were used to deliver NSO Group’s Pegasus spyware | Apple discloses 2 new actively exploited zero-day flaws in iPhones, Macs | A malvertising campaign is delivering a new version of the macOS Atomic Stealer | Two flaws in Apache SuperSet allow to remotely hack servers | Chinese cyberspies obtained Microsoft signing key from Windows crash dump due to a mistake | Google addressed an actively exploited zero-day in Android | A zero-day in Atlas VPN Linux Client leaks users' IP address | MITRE and CISA release Caldera for OT attack emulation | ASUS routers are affected by three critical remote code execution flaws | Hackers stole $41M worth of crypto assets from crypto gambling firm Stake | Freecycle data breach impacted 7 Million users | Meta disrupted two influence campaigns from China and Russia | A massive DDoS attack took down the site of the German financial agency BaFin | "Smishing Triad" Targeted USPS and US Citizens for Data Theft | University of Sydney suffered a security breach caused by a third-party service provider | Cybercrime will cost Germany $224 billion in 2023 | PoC exploit code released for CVE-2023-34039 bug in VMware Aria Operations for Networks | Security Affairs newsletter Round 435 by Pierluigi Paganini – International edition | LockBit ransomware gang hit the Commission des services electriques de Montréal (CSEM) | UNRAVELING EternalBlue: inside the WannaCry’s enabler | Researchers released a free decryptor for the Key Group ransomware | Fashion retailer Forever 21 data breach impacted +500,000 individuals | Russia-linked hackers target Ukrainian military with Infamous Chisel Android malware | Akira Ransomware gang targets Cisco ASA without Multi-Factor Authentication | Paramount Global disclosed a data breach | National Safety Council data leak: Credentials of NASA, Tesla, DoJ, Verizon, and 2K others leaked by workplace safety organization | Abusing Windows Container Isolation Framework to avoid detection by security products | Critical RCE flaw impacts VMware Aria Operations Networks | UNC4841 threat actors hacked US government email servers exploiting Barracuda ESG flaw | Hackers infiltrated Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) for months | FIN8-linked actor targets Citrix NetScaler systems | Japan's JPCERT warns of new 'MalDoc in PDF' attack technique | Attackers can discover IP address by sending a link over the Skype mobile app | Cisco fixes 3 high-severity DoS flaws in NX-OS and FXOS software | Cloud and hosting provider Leaseweb took down critical systems after a cyber attack | Crypto investor data exposed by a SIM swapping attack against a Kroll employee | China-linked Flax Typhoon APT targets Taiwan | Researchers released PoC exploit for Ivanti Sentry flaw CVE-2023-38035 | * Home * Cyber Crime * Cyber warfare * APT * Data Breach * Deep Web * Digital ID * Hacking * Hacktivism * Intelligence * Internet of Things * Laws and regulations * Malware * Mobile * Reports * Security * Social Networks * Terrorism * ICS-SCADA * POLICIES * Contact me Ad * Home * Breaking News * Hacking * Nation-state actors exploit Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus, CISA warns NATION-STATE ACTORS EXPLOIT FORTINET FORTIOS SSL-VPN AND ZOHO MANAGEENGINE SERVICEDESK PLUS, CISA WARNS Pierluigi Paganini September 08, 2023 U.S. CISA WARNED THAT NATION-STATE ACTORS ARE EXPLOITING FLAWS IN FORTINET FORTIOS SSL-VPN AND ZOHO MANAGEENGINE SERVICEDESK PLUS. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that nation-state actors are exploiting security vulnerabilities in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus. The US agency has detected the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. Ad The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023. The state-sponsored hackers exploited the CVE-2022-47966 RCE vulnerability in Zoho ManageEngine. The CVE-2022-47966 flaw is an unauthenticated remote code execution vulnerability that impacts multiple Zoho products with SAML SSO enabled in the ManageEngine setup. The issue also impacts products that had the feature enabled in the past. The vulnerability was addressed by the company on October 27th, 2022. The root cause of the problem is that ManageEngine products use an outdated third-party dependency, Apache Santuario. “This vulnerability allows an unauthenticated adversary to execute arbitrary code when the above SAML SSO criteria is met.” reads the advisory. In January, Horizon3 researchers released last week a proof-of-concept (PoC) exploit for the CVE-2022-47966 along with technical analysis. The experts developed the PoC exploit by examining the differences between ServiceDesk Plus version 14003 and version 14004. “The vulnerability allows an attacker to gain remote code execution by issuing a HTTP POST request containing a malicious SAML response. This vulnerability is a result of using an outdated version of Apache Santuario for XML signature validation.” reads the analysis. “One of the critical pieces is understanding that the information flow uses the client’s browser to relay all information between the Service Provider (SP) and the Identity Provider (IDP). In this attack, we send a request containing malicious SAML XML directly to the service provider’s Assertion Consumer (ACS) URL.” The researchers tested their PoC exploit against Endpoint Central, however, they believe it can work on many of the ManageEngine products that share some of their codebase with ServiceDesk Plus or EndpointCentral. “The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) identified the presence of indicators of compromise (IOCs) at an Aeronautical Sector organization as early as January 2023.” reads the alert published by the US CISA. “Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application.” The US CISA also reported that multiple APT groups were observed exploiting CVE-2022-42475 to establish a presence on the organization’s firewall device. In December, Fortinet urged its customers to update their installs to address an actively exploited FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475, that could be exploited by an unauthenticated, remote attacker to execute arbitrary code on devices. The CVE-2022-42475 flaw is a heap-based buffer overflow weakness that resides in FortiOS sslvpnd that allowed unauthenticated attackers to crash targeted devices remotely or gain remote code execution. “A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.” reads the advisory published by the security vendor. “Fortinet is aware of an instance where this vulnerability was exploited in the wild,” In the attack detailed in the CISA alert, as early as January 2023, APT actors exploited the vulnerability CVE-2022-47966 for initial access to the target organization. The attackers gained access to a web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. Threat actors achieved root level access on the web server and created a local user account named ‘Azure’ with administrative privileges. Then the nation-state actors downloaded malware, enumerated the network, collected administrative user credentials, and performed lateral movement. It is unclear if the attackers gained access to proprietary information or altered it. “Additional APT actors exploited CVE-2022-42475 on the organization’s firewall device, which was indicated by multiple successful VPN connections from known-malicious IPs between February 1-16, 2023. It was identified that APT actors compromised and used disabled, legitimate administrative account credentials [T1078.003] from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity.” continues the alert. “Analysis identified that a common behavior for these threat actors was to use disabled administrative account credentials and delete logs from several critical servers in the environment [T1070.001]. This prevented the ability to detect follow-on exploitation or data exfiltration. CISA and co-sealers were also unable to further track the activity due to the organization not having Network Address Translation (NAT) IP logging enabled.” The attackers have initiated multiple Transport Layer Security (TLS)-encrypted sessions to multiple IP addresses, indicating successful exchanges of data transfer from the firewall device. Nation-state actors disabled administrative account credentials to delete logs from several critical servers in the targeted network. The attackers used a Meterpreter as an interactive shell that allowed them remotely control the system. Between early-February and mid-March 2023, the government experts observed the presence of anydesk.exe on three hosts. The attackers compromised one host and moved laterally to install the executable on the remaining two. The actors used the legitimate ConnectWise ScreenConnect client to download and utilize the credential dumping tool Mimikats. The attackers also failed in attempting to to exploit the CVE-2021-44228 Apache Log4j vulnerability in the ServiceDesk system. “Advance persistent threat actors often scan internet-facing devices for vulnerabilities that can be easily be exploited and will continue to do so.” concludes the alert published by US Cyber Command. “CNMF and our interagency partners urge organizations to review this CSA and implement the recommended mitigation strategies, which include CISA’s cross-sector cybersecurity performance goals and NSA’s recommended best practices for securing remotely accessible software.” Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs – hacking, Fortinet FortiOS SSL-VPN) -------------------------------------------------------------------------------- facebook linkedin twitter -------------------------------------------------------------------------------- Fortinet FortiOS SSL-VPN Hacking hacking news information security news IT Information Security Pierluigi Paganini Security Affairs Security News YOU MIGHT ALSO LIKE Pierluigi Paganini September 08, 2023 ZERO-DAYS FIXED BY APPLE WERE USED TO DELIVER NSO GROUP’S PEGASUS SPYWARE Read more Pierluigi Paganini September 07, 2023 APPLE DISCLOSES 2 NEW ACTIVELY EXPLOITED ZERO-DAY FLAWS IN IPHONES, MACS Read more LEAVE A COMMENT NEWSLETTER SUBSCRIBE TO MY EMAIL LIST AND STAY UP-TO-DATE! RECENT ARTICLES ZERO-DAYS FIXED BY APPLE WERE USED TO DELIVER NSO GROUP’S PEGASUS SPYWARE Security / September 08, 2023 APPLE DISCLOSES 2 NEW ACTIVELY EXPLOITED ZERO-DAY FLAWS IN IPHONES, MACS Hacking / September 07, 2023 A MALVERTISING CAMPAIGN IS DELIVERING A NEW VERSION OF THE MACOS ATOMIC STEALER Malware / September 07, 2023 TWO FLAWS IN APACHE SUPERSET ALLOW TO REMOTELY HACK SERVERS Hacking / September 07, 2023 CHINESE CYBERSPIES OBTAINED MICROSOFT SIGNING KEY FROM WINDOWS CRASH DUMP DUE TO A MISTAKE Hacking / September 07, 2023 To contact me write an email to: Pierluigi Paganini : pierluigi.paganini@securityaffairs.co LEARN MORE QUICK LINKS * Home * Cyber Crime * Cyber warfare * APT * Data Breach * Deep Web * Digital ID * Hacking * Hacktivism * Intelligence * Internet of Things * Laws and regulations * Malware * Mobile * Reports * Security * Social Networks * Terrorism * ICS-SCADA * POLICIES * Contact me Copyright@securityaffairs 2023 We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent. Cookie SettingsAccept All Manage consent Close PRIVACY OVERVIEW This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities... Necessary Necessary Always Enabled Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information. Non-necessary Non-necessary Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website. SAVE & ACCEPT Go to mobile version