Multiple Nation-State Threat Actors Exploit ManageEngine (CVE-2022-47966) and FortiOS (CVE-2022-42475) - 20230908001

Overview

CISA has released an advisory detailing indicators of compromise (IOCs) for advanced persistent threat (APT) activity in which actors exploited Zoho ManageEngine ServiceDesk Plus to gain unauthorized access, establish persistence, and move laterally through the network. Additional APT actors were also observed exploiting FortiOS to establish a presence on the organization’s firewall device.

What is the vulnerability?

  • Zoho ManageEngine Multiple Products Remote Code Execution Vulnerability CVE-2022-47966 - CVSS v3 Base Score: 9.8
  • Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability CVE-2022-42475 - CVSS v3 Base Score: 9.8

What has been observed?

CISA added this advisory to their Cybersecurity Alerts & Advisories catalog on September 07, 2023. There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions to all affected devices within the expected timeframe of 48 hours (refer to Patch Management):

  1. Patch all systems for known exploited vulnerabilities (KEVs), including firewall security appliances.
  2. Monitor for unauthorized use of remote access software using endpoint detection tools.
  3. Remove accounts and groups that are no longer needed (including disabled accounts) from the enterprise, especially privileged accounts.
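Recommendations 2 and 3 above can be turned into repeatable checks over exported endpoint and directory data. The following is an added example and is not part of the WA SOC advisory or of any CISA tooling: the process-event record shape, the remote access tool watchlist, the approved host/tool allowlist, the account record shape and the 90-day staleness threshold are all assumptions made for this example, and the sample events and accounts are constructed.

```python
"""Added example (not from the advisory): flag unauthorized remote access tool
executions in EDR process events, and list stale or disabled accounts for removal,
privileged ones first. All field names, lists and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

# Assumed watchlist of remote access tool binaries (lower-case process names).
# Constructed for this example; extend it with what your environment tracks.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
    "splashtop.exe", "logmein.exe",
}

# Assumed allowlist of (hostname, process name) pairs approved by IT.
APPROVED_REMOTE_ACCESS = {("helpdesk-01", "teamviewer.exe")}

# Assumed set of privileged group names used to rank removal candidates.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal EDR process-creation record (constructed shape)."""
    timestamp: str
    host: str
    user: str
    image: str          # full path of the executed binary
    parent_image: str


@dataclass(frozen=True)
class Account:
    """Minimal directory account record (constructed shape)."""
    name: str
    enabled: bool
    last_logon: Optional[datetime]   # None means the account has never logged on
    groups: FrozenSet[str]


def find_unauthorized_remote_access(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Return events where a watchlisted remote access tool ran on a host
    that is not approved for that tool (recommendation 2)."""
    findings = []
    for ev in events:
        # Take the basename regardless of Windows or POSIX separators.
        name = ev.image.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
        if name in REMOTE_ACCESS_TOOLS and (ev.host, name) not in APPROVED_REMOTE_ACCESS:
            findings.append(ev)
    return findings


def find_removal_candidates(accounts: List[Account], now: datetime,
                            stale_after: timedelta = timedelta(days=90)
                            ) -> List[Tuple[str, bool, str]]:
    """Return (name, is_privileged, reasons) for accounts that are disabled or
    have not logged on within `stale_after`, privileged accounts first
    (recommendation 3). The 90-day default is an assumption for this example."""
    candidates = []
    for acct in accounts:
        reasons = []
        if not acct.enabled:
            reasons.append("disabled")
        if acct.last_logon is None or now - acct.last_logon > stale_after:
            reasons.append("stale")
        if reasons:
            privileged = bool(acct.groups & PRIVILEGED_GROUPS)
            candidates.append((acct.name, privileged, ", ".join(reasons)))
    # Privileged accounts first, then alphabetical by name.
    candidates.sort(key=lambda c: (not c[1], c[0]))
    return candidates


# Constructed sample data: one approved helpdesk session, one unapproved tool
# dropped into a user's Temp directory, and one benign process.
SAMPLE_EVENTS = [
    ProcessEvent("2023-09-07T01:12:03Z", "helpdesk-01", "CORP\\svc_helpdesk",
                 r"C:\Program Files\TeamViewer\TeamViewer.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent("2023-09-07T01:15:44Z", "fin-ws-17", "CORP\\j.smith",
                 r"C:\Users\j.smith\AppData\Local\Temp\AnyDesk.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent("2023-09-07T01:16:02Z", "fin-ws-17", "CORP\\j.smith",
                 r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
]

NOW = datetime(2023, 9, 8, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("old_admin", False, NOW - timedelta(days=400), frozenset({"Domain Admins"})),
    Account("svc_backup", True, None, frozenset({"Backup Operators"})),
    Account("j.smith", True, NOW - timedelta(days=2), frozenset({"Domain Users"})),
    Account("contractor_x", True, NOW - timedelta(days=120), frozenset({"Domain Users"})),
]

if __name__ == "__main__":
    for ev in find_unauthorized_remote_access(SAMPLE_EVENTS):
        print(f"UNAPPROVED REMOTE ACCESS {ev.timestamp} {ev.host} {ev.user} {ev.image}")
    for name, privileged, reasons in find_removal_candidates(SAMPLE_ACCOUNTS, NOW):
        print(f"REVIEW ACCOUNT {name:14} privileged={privileged!s:5} ({reasons})")
```

The allowlist is keyed on host and tool together so that an approved product appearing on an unexpected host is still surfaced, which is the pattern that matters for the remote access abuse described in the advisory. Ranking removal candidates by privileged group membership puts the accounts with the highest blast radius at the top of the review queue.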