AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

A joint Cybersecurity Advisory examines the exploitation of two critical vulnerabilities by nation-state threat actors.

Background

On September 7, a joint Cybersecurity Advisory (CSA) AA23-250A coauthored by the Cybersecurity and Infrastructure Security Agency (CISA) and other partners was released to highlight the tactics, techniques, and procedures (TTPs) observed by nation-state advanced persistent threat (APT) actors. According to the CSA, an unnamed Aeronautical organization was breached after the APT actors exploited CVE-2022-47966 in early January 2023. The CSA notes that additional APT actors also had a presence in the organization's firewall via the exploitation of CVE-2022-42475.

Analysis

CVE-2022-47966 is a remote code execution (RCE) vulnerability affecting multiple Zoho ManageEngine on-premise products, including ServiceDesk Plus. The vulnerability is caused by the use of an outdated version of Apache Santuario, an XML security software library. According to the ManageEngine security advisory, the affected products can only be exploited if SAML-based SSO has been enabled or has been enabled in the past, depending on the product.

While patches for the affected products were released in late October and early November of 2022, the security advisory was not released until January 10, 2023. On January 19, researchers at Horizon3.ai released a technical writeup and proof-of-concept (PoC) for CVE-2022-47966.

According to the CSA, the APT actors were able to exploit this vulnerability against an unpatched and public facing server hosting Zoho ManageEngine ServiceDesk Plus. Exploitation of CVE-2022-47966 allowed the threat actors to gain root level access on the server which was then leveraged to create a local user account with administrator privileges. From there the APT actor continued to explore and move laterally through the organization’s network including attempting to exfiltrate Local Security Authority Subsystem Service (LSASS) hashes. The APT actors also utilized legitimate applications and tools like Mimikatz, nmap and Metasploit.

In April 2023, a Microsoft blog post was published detailing the TTPs of Mint Sandstorm, a moniker given to an Iranian nation-state actor previously tracked as PHOSPHORUS. In its blog post, Microsoft asserts that Mint Sandstorm began exploiting CVE-2022-47966 on January 19, the day the public PoC was released. While CSA AA23-250A does not use the naming convention from Microsoft or mention the Microsoft blog post, there do appear to be similarities in the TTPs used, so it's possible this may be the same group or both groups have some affiliation with each other. Additionally, the CSA does link to a previously released CSA, AA22-320A: Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester.

CVE-2022-42475 is a heap-based buffer overflow in several versions of Fortinet’s FortiOS that could be exploited by a remote, unauthenticated attacker using a specially crafted request to gain code execution. The vulnerability was originally disclosed by Olympe Cyberdefense on December 9, 2022. On December 12, Fortinet released a security advisory which noted that the vulnerability has been observed under exploitation. In January 2023, Fortinet released a blog post with additional details about the exploitation of the vulnerability, including indicators of compromise.

According to the CSA, the second set of unattributed threat actors used legitimate credentials to move from the compromised firewall to a web server where several webshells were placed. Internet facing devices like firewalls and SSL VPNs are favored targets for APTs and ransomware groups because they offer an ideal doorway into an organization's network.

Attempted Exploitation of Log4Shell (CVE-2021-44228)

According to the CSA, the threat actors attempted to exploit CVE-2021-44228 (Log4Shell) on the ServiceDesk Plus web server but were unsuccessful. The infamous RCE in Log4j 2 was disclosed in December 2021 and continues to haunt organizations who have yet to successfully remediate affected devices. While the threat actors were unsuccessful in this case, as of October 1, 2022, 72% of organizations remained vulnerable to Log4Shell.

On August 3, CISA and multiple U.S. and international agencies released CSA AA23-215A detailing the top routinely exploited vulnerabilities of 2022. This list of 42 Common Vulnerabilities and Exposures (CVEs) included CVE-2021-44228 and highlighted that threat actors and APTs continue to target known and exploitable vulnerabilities. As we’ve explored in our 2022 Threat Landscape Report (TLR), known and exploitable vulnerabilities remain one of the most persistent threats to organizations.

In its blog post on Mint Sandstorm, Microsoft noted the APT actor has been observed utilizing older vulnerabilities, especially favoring the use of Log4Shell. This serves as an example that these APT actors are opportunistic in nature and continue to successfully exploit known vulnerabilities with readily available PoCs.

Solution

The CSA offers several mitigation recommendations for organizations to implement. At the top of this list is to patch any systems that remain vulnerable to Zoho ManageEngine CVE-2022-47966 or CVE-2022-42475 in Fortinet FortiOS SSL VPNs. The recommendations fall into five categories:

• Manage vulnerabilities and configurations
• Segment networks
• Manage accounts, permissions, and workstations
• Secure remote access software
• Other best practice mitigation recommendations.

We recommend reviewing these in detail and implementing the mitigation strategies applicable to your network.

In addition to these mitigation suggestions, a summary of immediate actions to be taken is highlighted at the top of the CSA:

• Patch all systems for known exploited vulnerabilities (KEVs), including firewall security appliances.
• Monitor for unauthorized use of remote access software using endpoint detection tools.
• Remove unnecessary (disabled) accounts and groups from the enterprise that are no longer needed, especially privileged accounts.

Identifying affected systems

Tenable offers several solutions to help identify potential exposures and attack paths as well as identifying systems vulnerable to the CVEs mentioned in the CSA. For a holistic approach, we recommend Tenable One. The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.

Tenable Plugin Coverage

A list of Tenable plugins to identify systems impacted by CVE-2022-47966 can be found here. In addition, Tenable has released multiple plugins to identify Log4Shell (CVE-2021-44228). These links use a search filter to ensure that all matching plugin coverage will appear for the listed CVEs. To identify systems impacted by CVE-2022-42475, please refer to this page.

Detection of tools mentioned in the CSA

Tenable Attach Path Techniques

Tenable Identity Exposure (formerly Tenable.ad) Indicators of Exposure and Indicators of Attack

Get more information

• AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
• Zoho ManageEngine Security Advisory for CVE-2022-47966
• Horizon3.ai technical analysis of CVE-2022-47966
• Horizon3.ai PoC for CVE-2022-47966
• Microsoft’s blog post on the nation-state APT Mint Sandstorm
• Olympe Cyberdefense blog post on CVE-2022-42475
• Fortinet Security Advisory for CVE-2022-42475: FG-IR-22-398
• Fortinet Blog: Analysis of FG-IR-22-398 – FortiOS - heap-based buffer overflow in SSLVPNd
• Tenable blog: CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.