A Joint Advisory warns of hostile activity by unnamed nation-states.
"Multiple nation-state actors" target the aerospace sector.
Several nation-state actors exploited two vulnerabilities to attack an organization in the aeronautical sector, according to a joint advisory released yesterday by the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and US Cyber Command’s Cyber National Mission Force (CNMF). The threat actors gained access via CVE-2022-47966 in Zoho ManageEngine ServiceDesk Plus and CVE-2022-42475 in FortiOS SSL-VPN. The joint advisory includes an extensive description of the threat activity, advice on detection, and recommendations for mitigating risk. Patches for both vulnerabilities have been available since early this year.
The advisory notes, “CISA and co-sealers identified an array of threat actor activity, to include overlapping TTPs across multiple APT actors. Per the activity conducted, APT actors often scan internet-facing devices for vulnerabilities that can be easily exploited. Firewall, virtual private networks (VPNs), and other edge network infrastructure continue to be of interest to malicious cyber actors.” None of the agencies involved in the joint advisory have identified the threat actors involved in exploiting the two vulnerabilities. It's not clear whether the multiple APT actors represent different states or simply different agencies of the same state.
Iran and North Korea exploited the Zoho vulnerability earlier this year.
So there's no attribution associated with the joint advisory. But circumstantially, and betting on form, the nation-states likeliest to be involved would seem to be Iran and North Korea. Both Tehran and Pyongyang are known to have exploited the Zoho ManageEngine ServiceDesk vulnerability earlier this year. The DPRK's Lazarus Group used it in attacks against infrastructure providers and healthcare organizations early in 2023, Cisco's Talos researchers reported last month. BleepingComputer at week's end called out Iran as a likely suspect. Back in April, Microsoft Security researchers found Iran's Mint Sandstorm, which they formerly tracked as PHOSPHORUS (and which overlaps other groups tracked as APT35, APT42, Charming Kitten, and TA453), exploiting the vulnerability.