A number of cybersecurity and other agencies identified indicators of compromise at an Aeronautical Sector organisation in January 2023. These organisations include the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber National Mission Force (CNMF). They found that advanced persistent threat (APT) actors exploited the CVE-2022-47966 vulnerability to obtain unauthorised access to the Zoho ManageEngine ServiceDesk Plus application. The actors then established persistence and moved laterally through the network.
The CVE-2022-47966 vulnerability enables remote code execution on the ManageEngine application. Separately, other threat actors were found to have exploited the CVE-2022-42475 vulnerability to establish a presence on the organisation’s firewall device. CISA conducted the incident response engagement, at the request of the impacted organisation, from February to April 2023.
In addition to overlapping TTPs across several APT actors, CISA and co-sealers discovered a wide range of threat actor behaviour. The activity shows that APT actors frequently scan internet-facing devices for vulnerabilities that are simple to exploit. Firewalls, virtual private networks (VPNs), and other edge network equipment remain of particular interest to attackers: once compromised, they can be used as malicious infrastructure, to expand access to the targeted network, or both. This is all the more reason for businesses to shore up their cybersecurity defences, for instance by engaging a PCI DSS QSA service provider such as Cybernetic Global Intelligence.
Analysis found that these threat actors often deleted logs from multiple servers in the environment using the credentials of a disabled administrative account. This made it impossible to identify additional exploitation or data exfiltration. Because the organisation had not enabled Network Address Translation (NAT) IP logging, CISA and co-sealers were also unable to follow the activity in further detail.
APT actors started multiple Transport Layer Security (TLS)-encrypted sessions on Transmission Control Protocol (TCP) port 10443, suggesting that the firewall device successfully exchanged data with the actors. Despite extending the post-engagement investigation, analysts were unable to identify additional activity by the APT actors, most likely because of poor sensor coverage and data scarcity.
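The three behaviours described in the two paragraphs above (TLS sessions on TCP/10443, successful logons by a disabled account, and log clearing) are the kind of thing a defender would want to pick out of normalised firewall and host logs. The script below is an added example written for this article, not code from the advisory or from CISA; the log format, the `DISABLED_ACCOUNTS` set and the correlation window are all constructed assumptions, and the sample lines are made up.

```python
import re
from datetime import datetime

# Constructed sample events (not taken from the advisory): an RFC 3339 timestamp
# followed by key=value pairs, as a normalised firewall/host log might provide.
SAMPLE_LOGS = """\
2023-01-15T02:11:04Z type=conn proto=tcp src=10.20.5.17 dst=203.0.113.44 dport=10443 app=tls
2023-01-15T02:11:09Z type=conn proto=tcp src=10.20.5.17 dst=198.51.100.9 dport=443 app=tls
2023-01-15T02:13:40Z type=auth user=svc_legacy host=srv-app01 result=success
2023-01-15T02:13:42Z type=auth user=jdoe host=wks-117 result=success
2023-01-15T02:14:10Z type=log_clear user=svc_legacy host=srv-app01 channel=Security
2023-01-15T09:00:00Z type=log_clear user=admin_ops host=srv-db02 channel=System
"""

DISABLED_ACCOUNTS = {"svc_legacy"}  # constructed; in practice pull the disabled set from the directory
WATCHED_PORTS = {10443}             # the TCP port on which the advisory observed the actors' TLS sessions
CORRELATION_WINDOW_S = 3600         # hypothetical: logon-to-log-clear gap that escalates severity

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split one log line into a dict; 'ts' holds the timestamp as a datetime."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV.findall(rest))
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev

def triage(log_text, disabled=DISABLED_ACCOUNTS, ports=WATCHED_PORTS):
    """Return (severity, reason, event) triples for the behaviours the advisory describes."""
    findings, disabled_logons = [], {}          # disabled_logons: (user, host) -> logon time
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_event(line)
        kind = ev.get("type")
        if kind == "conn" and ev.get("app") == "tls" and int(ev.get("dport", 0)) in ports:
            findings.append(("medium", "tls_session_on_watched_port", ev))
        elif kind == "auth" and ev.get("result") == "success" and ev.get("user") in disabled:
            disabled_logons[(ev["user"], ev["host"])] = ev["ts"]
            findings.append(("high", "disabled_account_logon", ev))
        elif kind == "log_clear":
            # Log clearing is always worth a look; it is critical when the account that
            # cleared the log is a disabled one that logged on shortly before.
            logon = disabled_logons.get((ev.get("user"), ev.get("host")))
            recent = logon is not None and (ev["ts"] - logon).total_seconds() <= CORRELATION_WINDOW_S
            findings.append(("critical" if recent else "medium", "log_cleared", ev))
    return findings

if __name__ == "__main__":
    for sev, reason, ev in triage(SAMPLE_LOGS):
        print(f"{sev:8} {reason:28} {ev['ts'].isoformat()} {ev}")
```

Because the advisory notes that NAT IP logging was not enabled, the `src` field here assumes the log already records the internal address; without that, the 10443 finding cannot be tied back to a host.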
According to Ravin Prasad, CEO of Cybernetic Global Intelligence, a globally recognised cybersecurity assistance firm, since CVE vulnerabilities provide access to numerous mobile devices, they are targeted by APT actors. To prevent such an eventuality, businesses need to allow PCI DSS compliance auditors (PCI DSS QSA) to analyse the cybersecurity network for remedial measures.
How to Mitigate Such Threat Actors
CISA and other security agencies found that initial access to the Zoho ManageEngine ServiceDesk Plus application came through the CVE-2022-47966 vulnerability. Several Zoho ManageEngine on-premises products, including ServiceDesk Plus through build 14003, use Apache XML Security for Java (xmlsec) version 1.4.1, which permits remote code execution. This library is part of the Apache Santuario project. Because that version’s xmlsec XSLT features are enabled by design, the application itself is responsible for certain security precautions. CISA and co-sealers advise the following:
Document device configurations: To support more efficient vulnerability management and response actions, businesses should maintain up-to-date documentation of the current configuration of all important IT assets (and OT assets, where relevant).
Keep software updated: Investigate before patching any endpoint devices where known exploited vulnerabilities exist (such as firewall security appliances). Better still, let PCI DSS compliance auditors (PCI DSS QSA) from cybersecurity companies such as Cybernetic Global Intelligence study the risks and suggest measures to mitigate them.
Follow routine patch cycles: Patch all operating systems, programmes, and software (including any third-party software) on a regular cycle to lessen the risk of exploitation.
Prioritise remediation of vulnerabilities: To help enterprises reduce their exposure by shrinking the attack surface, CISA provides a variety of services, including testing and scanning, at no cost.
Deploy security.txt files: Every web domain with a public interface should have a security.txt file that follows RFC 9116.
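RFC 9116 has a handful of hard rules that are easy to get wrong (Contact and Expires are mandatory, Expires and Preferred-Languages may appear only once, contact values must be URIs such as mailto: rather than bare addresses, web URIs must use https, and an expiry more than a year out is discouraged). The checker below is an added example for this article, not code from CISA or from the RFC; the `GOOD`/`BAD` files and `CHECK_TIME` are constructed so the result is reproducible.

```python
from datetime import datetime, timedelta, timezone

REQUIRED, SINGLE_VALUED = ("contact", "expires"), ("expires", "preferred-languages")
URI_FIELDS = ("contact", "encryption", "acknowledgments", "canonical", "policy", "hiring")
def parse_security_txt(text):
    # Returns ({field: [values]}, [bad lines]); names are case-insensitive, '#' starts a comment.
    fields, bad = {}, []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and name.strip() and value.strip():
            fields.setdefault(name.strip().lower(), []).append(value.strip())
        else:
            bad.append(line)
    return fields, bad

def validate_security_txt(text, now):
    """Return a list of problems; an empty list means every check below passed."""
    fields, bad = parse_security_txt(text)
    problems = [f"unparseable line: {l!r}" for l in bad]
    problems += [f"missing required field: {f}" for f in REQUIRED if f not in fields]
    problems += [f"field must appear at most once: {f}" for f in SINGLE_VALUED if len(fields.get(f, [])) > 1]
    for f in URI_FIELDS:
        for v in fields.get(f, []):
            if "://" not in v and not v.startswith(("mailto:", "tel:")):
                problems.append(f"{f} is not a URI: {v}")
            elif v.startswith("http://"):
                problems.append(f"{f} web URI must use https: {v}")
    for v in fields.get("expires", [])[:1]:  # duplicates were already flagged; date the first one
        try:
            exp = datetime.fromisoformat(v.replace("Z", "+00:00")).astimezone(timezone.utc)
        except ValueError:
            problems.append(f"expires is not an RFC 3339 date-time: {v}")
            continue
        if exp <= now:
            problems.append(f"file has expired: {v}")
        elif exp > now + timedelta(days=365):
            problems.append(f"expires is more than a year away (RFC 9116 recommends less): {v}")
    return problems
CHECK_TIME = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed 'now' so results are reproducible
GOOD = """\
Contact: mailto:security@example.com
Expires: 2024-12-31T23:59:59Z
"""
BAD = """\
Contact: security@example.com
Expires: 2023-01-01T00:00:00Z
Expires: 2024-06-01T00:00:00Z
Policy: http://example.com/policy
"""
```

Run it against the text fetched from `/.well-known/security.txt` on each public domain; `validate_security_txt(GOOD, CHECK_TIME)` returns an empty list, while `BAD` yields four problems.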
The other remedial measures include the following:
Use phishing-resistant multi-factor authentication for remote access.
Enforce strong passwords together with other attribute-based access controls.
Reduce the capabilities of threat actors by applying the principle of least privilege.
Restrict the local administrator’s ability to log in.
Remove disabled accounts that are no longer needed.
Limit and control local administration.
Block workstation-to-workstation RDP connections.
Secure remote access software such as AnyDesk so that APT actors cannot abuse it.
In addition to implementing mitigations, CISA and co-sealers advise testing and validating your organisation’s security programme against the threat behaviours described. They also advise testing your current inventory of security controls to see how it performs against the ATT&CK techniques referenced in this advisory.
Your company should regularly monitor and analyse the cyber threat landscape to prevent APT actors from exploiting CVE vulnerabilities. You might engage a PCI DSS QSA service provider from the internationally recognised cybersecurity company Cybernetic Global Intelligence. Call 1300 292 376 or email firstname.lastname@example.org to get in touch with Cybernetic Global Intelligence.