On 7 September 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint cybersecurity advisory detailing multiple instances of nation-state actors exploiting critical software vulnerabilities to target the aerospace sector. The findings were derived from a CISA incident response engagement from February to April 2023, in which analysts observed multiple nation-state actors on the victim's network using two separate Common Vulnerabilities and Exposures (CVEs) to gain initial access. Both vulnerabilities are rated as critical by multiple federal vulnerability databases and show active exploitation as early as January 2023.
CVE-2022-47966 affects multiple Zoho ManageEngine on-premise products, including ServiceDesk Plus, which was cited as one of two initial access vectors in the CISA joint advisory. ServiceDesk Plus is a service management tool designed for "IT service and asset management, as well as enterprise level management to include HR, facilities, and finance." CVE-2022-47966 is assessed as critical, with a score of 9.8 in the NIST National Vulnerability Database (NVD). The score reflects that the vulnerability enables remote code execution (RCE) by leveraging application security flaws.
The second vulnerability, CVE-2022-42475, is a heap-based buffer overflow affecting several versions of FortiOS SSL-VPN. It is assessed at the same criticality and can allow attackers to execute arbitrary commands. According to CISA, nation-state actors were observed exploiting this vulnerability to access the organization's firewall device.
The CISA advisory did not provide attribution for the "multiple" advanced persistent threat actors observed exploiting these vulnerabilities. However, both vulnerabilities are popular attack vectors for cybercriminals. The North Korean-backed Lazarus group was reported to have exploited CVE-2022-47966 to deploy a remote access trojan called QuiteRat in a campaign against healthcare entities in Europe and the U.S. Additionally, a statement from U.S. Cyber Command notes that the findings of the CISA advisory "Illuminate Iranian Exploitation Efforts." Such efforts may include Iranian threat actors' exploitation of PaperCut vulnerabilities in May 2023, as well as observed activity from a threat actor tracked as Mint Sandstorm, who reportedly began exploiting the vulnerability in early 2023.
Zoho ManageEngine serves over 1,700 customers through its suite of solutions, which may include downstream and upstream suppliers and manufacturers to the commercial space industry. The potential impact of compromising a software supplier with an extensive customer pipeline is one of the many reasons such suppliers are often targeted by malicious cyber campaigns. Threat actors looking to optimize extortion efforts may target software providers to access customer networks, increase the impact of their attacks, or gain access to high-profile organizations via their software supply chain.
Cyberattacks on software solution providers are on the rise and can often lead to extensive campaigns compromising hundreds of organizations. Recent examples of exploited vulnerabilities in widely used software services include campaigns targeting the print management software developer PaperCut and Progress Software's MOVEit Transfer, the latter assessed as the largest cyberattack of 2023.
Exploitation of public-facing applications continues to be an effective tactic for nation-state actors targeting the commercial space sector. More specifically, the two vulnerabilities mentioned in this advisory are among the most routinely exploited vulnerabilities, comprising a large portion of entries in the CISA Known Exploited Vulnerabilities (KEV) catalog and ranking in the top 15 exploited vulnerabilities of 2022. The criticality of software vulnerabilities, coupled with the widespread nature of cyberattacks, emphasizes the need for organizations to invest in patch management programs, employ detection methods for network defenders, and conduct thorough vulnerability assessments throughout their software supply chain.
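As an added example (not part of the Space ISAC write-up or any CISA tooling), the following Python reconciles an asset inventory against KEV catalog entries for the two CVEs named above and ranks exposures by how far past the federal remediation due date they are. The KEV records, due dates and host names are constructed here; the field names are assumed to match the CISA KEV JSON feed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA KEV catalog records. Field names are
# assumed to match the published feed; due dates are illustrative, and only the
# CVE ids and vendor/product names come from the advisory summary above.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2022-47966", "vendorProject": "Zoho",
         "product": "ManageEngine Multiple Products", "dueDate": "2023-02-13"},
        {"cveID": "CVE-2022-42475", "vendorProject": "Fortinet",
         "product": "FortiOS", "dueDate": "2023-01-03"},
        {"cveID": "CVE-2099-0001", "vendorProject": "ExampleCo",
         "product": "Unrelated", "dueDate": "2099-01-01"},
    ]
})

# Constructed inventory (hypothetical hosts): each host lists the CVEs a
# scanner or SBOM check still reports it exposed to.
INVENTORY = {
    "sdp-01.example.internal": ["CVE-2022-47966"],
    "fw-edge.example.internal": ["CVE-2022-42475", "CVE-2099-0001"],
    "build-07.example.internal": [],
}


def load_kev(raw: str) -> dict:
    """Index KEV records by CVE id so each inventory lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def overdue_exposures(inventory: dict, kev: dict, today_iso: str) -> list:
    """Return (host, cve, product, days_overdue) for every exposed CVE that is
    in KEV, most overdue first. days_overdue is negative while the due date is
    still ahead; CVEs absent from KEV are skipped as lower priority."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            rec = kev.get(cve)
            if rec is None:
                continue
            overdue = (today - date.fromisoformat(rec["dueDate"])).days
            product = f'{rec["vendorProject"]} {rec["product"]}'
            findings.append((host, cve, product, overdue))
    return sorted(findings, key=lambda f: f[3], reverse=True)


if __name__ == "__main__":
    for host, cve, product, days in overdue_exposures(INVENTORY, load_kev(KEV_SAMPLE), "2023-09-07"):
        print(f"{host}: {cve} ({product}) remediation due date exceeded by {days} days")
```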
Read more from Space ISAC.