U.S. cybersecurity and intelligence agencies have reported that hacker groups backed by the Iranian state penetrated an unnamed American organization in the aviation sector. The attackers exploited vulnerabilities in popular Zoho and Fortinet products to gain access to the network and move laterally within it.
In a joint statement published on September 7th, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and U.S. Cyber Command (USCYBERCOM) did not name the specific groups behind the intrusion but linked them to the Iranian government.
CISA took part in the response to this incident from February to April and reported that the hackers had been present in the compromised network of the aviation organization since at least January. They broke in through an Internet-facing server on which Zoho ManageEngine ServiceDesk Plus and the Fortinet firewall were running.
“The attackers exploited the vulnerability CVE-2022-47966 to gain unauthorized access to a publicly available application (Zoho ManageEngine ServiceDesk Plus), establishing persistence and moving across the network. This vulnerability allows remote code execution in the ManageEngine application,” the statement said.
“Other hackers were also observed leveraging vulnerability CVE-2022-42475 in FortiOS SSL-VPN to establish presence on the organization’s firewall device.”
According to the agencies, the attackers frequently scan Internet-accessible devices for software misconfigurations and easily exploitable security flaws.
Once inside the target network, the hackers maintain persistence on the compromised components of the network infrastructure, which can