iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Three US government agencies have warned of the activities of multiple threat groups targeting an organisation in the aeronautical industry.
The Cybersecurity and Infrastructure Security Agency, FBI, and Cyber National Mission Force have identified the presence of a number of nation-state-backed threat actors interfering with the organisation – so far unnamed – since at least January 2023.
CISA and the other agencies began investigating the incident when the organisation came to them for assistance. Between February and April 2023, CISA found the presence of multiple threat actors operating inside the target’s network.
The hacking groups accessed the network via two known vulnerabilities.
The first was CVE-2022-47966, which allowed the groups to access the target’s web server via Zoho ManageEngine ServiceDesk Plus. After gaining access to the network, the hackers were able to achieve root-level access and create a new account with admin privileges. From there, they scouted out the network, collected more admin credentials, and succeeded in further lateral movement as well as downloading malware.
However, CISA could not determine if anything sensitive had been accessed or exfiltrated.
“This was due to the organisation not clearly defining where their data was centrally located and CISA having limited network sensor coverage,” CISA said in its advisory.
The second route of access was via CVE-2022-42475, which gave the attackers access to the target’s hardware firewall. The threat actors were able to use a legitimate account from a previous contractor to gain access, and then obfuscated their activity by deleting logs from a number of critical servers. As the target organisation was not keeping logs of NAT activity, CISA was unable to further track any possible data exfiltration.
However, CISA did confirm the threat actors created multiple encrypted sessions with a range of external IP addresses and were able to create multiple web shells on the target network.
The last activity that CISA was able to track was the actors uploading a number of PHP files to the organisation’s ServiceDesk system before executing DNS scans of an additional server.
“Post-engagement analysis was extended, but analysts were unable to determine additional actions taken by the APT actors,” CISA concluded, “likely due to a lack of sensor coverage and data unavailability”.
We get the feeling CISA is not at all happy with the target organisation.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
