AdvisoriesCISAAA23-250ASeptember 7, 2023
September 7, 2023
The Cybersecurity and Infrastructure Security Agency (CISA) conducted an incident response investigation from February to April 2023. The findings indicate that starting in January 2023, multiple nation-state Advanced Persistent Threat (APT) actors gained access to the organization's network through two distinct initial access points. The first access vector involved the exploitation of CVE-2022-47966 to breach the organization's web server hosting the public-facing application, Zoho ManageEngine ServiceDesk Plus. The second access vector utilized CVE-2022-42475 to compromise the organization's firewall device. CISA and collaborating entities detected a range of threat actor activities, revealing common Tactics, Techniques, and Procedures (TTPs) shared among these APT actors. Their primary focus remains on identifying vulnerabilities in internet-facing devices, particularly firewalls, virtual private networks (VPNs), and other edge network infrastructure, which they exploit to expand network access or establish malicious infrastructure.
Local user accounts should be closely monitored. Each CVE in this advisory leverages user accounts - post-compromise - to springboard into other techniques. In CVE-2023-42475, a disabled user is resurrected and in CVE-2022-47966, a new local user is created. Endpoint defenses should be on the lookout for any suspicious creation or re-enabling of local user accounts. Preventing these actions will block any subsequent malicious activities before they get too far.
Be immediately notified of new advisories and associated security tests
AdvisoryCISAAA24-207AJuly 25, 2024
