CISA and FBI Warn of ‘Multiple Nation-State APT Attackers’ Targeting US Aviation Industry
Three US government agencies have warned of the activities of multiple threat groups targeting organizations in the aviation industry.
The Cybersecurity and Infrastructure Security Agency, FBI, and Cyber National Mission Force have identified multiple state-sponsored threat actors operating inside the network of an aviation-sector organization, which has not been named, since at least January 2023.
CISA and the other agencies began investigating the incident when the organization reached out to them for assistance. From February to April 2023, CISA discovered multiple threat actors operating within the targeted network.
The attackers gained access to the network through two known vulnerabilities.
The first is CVE-2022-47966, a vulnerability in Zoho ManageEngine ServiceDesk Plus that gave the attackers access to the targeted web server. Once on the network, the attackers obtained root-level access and were able to create a new account with administrative privileges. From there, they conducted reconnaissance, collected further administrative credentials, moved laterally, and downloaded malware.
However, CISA was unable to determine whether anything sensitive was accessed or exposed.
“This was due to the organization’s failure to clearly define where data was centrally located and the limited range of CISA’s network sensors,” CISA said in its advisory.
The second access route was via CVE-2022-42475, which allowed the attackers to access the target’s hardware firewall. The attackers gained access using a legitimate account belonging to a former contractor and subsequently covered their tracks by deleting logs from a number of critical servers. Because the targeted organization did not keep logs of its NAT activity, CISA was unable to trace the potential data breach any further.
However, CISA confirmed that the attacker was able to create multiple encrypted sessions using different external IP addresses and create multiple web shells on the target network.
The final activity that CISA was able to track was the attacker uploading a number of PHP files to the organization’s ServiceDesk system before performing a DNS scan of additional servers.
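The sequence the article describes (root access on the ServiceDesk host, a newly created administrative account, log clearing, PHP files dropped into the web application, and encrypted sessions from several external addresses on a single legitimate account) is exactly the kind of activity that basic, rule-based log triage catches when the logs exist. The script below is an added example written for this article, not CISA's tooling or code from the advisory. Every host name, user name, file path (including the assumed ServiceDesk web root) and IP address is a constructed placeholder, and the log line formats are invented for the example; a real deployment would adapt the patterns to the syslog, file-integrity and firewall formats actually in use.

```python
"""Added example: rule-based triage over constructed host and firewall log lines.

All sample data below is constructed for illustration; none of the names,
paths or addresses are indicators from the advisory or the article.
"""
import re
from collections import defaultdict

PRIV_GROUPS = {"sudo", "wheel", "admin", "root"}   # groups that grant admin rights
WEB_ROOT = "/opt/servicedesk/webapps/"             # hypothetical ServiceDesk web root
MAX_SRC_PER_USER = 2                               # more distinct source IPs than this is flagged

# Constructed syslog-style lines modelled on the article's sequence of events.
SAMPLE_LOGS = """\
2023-02-10T03:12:44Z sdp-web01 useradd[2211]: new user: name=svc_backup, UID=1004, GID=1004, home=/home/svc_backup
2023-02-10T03:12:51Z sdp-web01 usermod[2218]: add 'svc_backup' to group 'sudo'
2023-02-10T03:15:02Z sdp-web01 audit[1]: LOG CLEARED by uid=0 file=/var/log/auth.log
2023-02-10T03:16:30Z sdp-web01 fileaudit: CREATE /opt/servicedesk/webapps/ROOT/upload.php uid=0
2023-02-10T03:16:31Z sdp-web01 fileaudit: CREATE /opt/servicedesk/webapps/ROOT/cmd.php uid=0
2023-02-10T03:18:00Z fw-edge01 vpn: SSL session user=contractor_old src=198.51.100.23 action=connect
2023-02-10T03:18:40Z fw-edge01 vpn: SSL session user=contractor_old src=203.0.113.77 action=connect
2023-02-10T03:19:10Z fw-edge01 vpn: SSL session user=contractor_old src=192.0.2.140 action=connect
2023-02-10T08:00:00Z sdp-web01 sshd[3001]: Accepted publickey for alice from 10.0.5.12
"""

RE_NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(\w+)")
RE_GROUP_ADD = re.compile(r"usermod\[\d+\]: add '(\w+)' to group '(\w+)'")
RE_LOG_CLEAR = re.compile(r"LOG CLEARED by uid=(\d+) file=(\S+)")
RE_FILE_CREATE = re.compile(r"fileaudit: CREATE (\S+) uid=(\d+)")
RE_VPN = re.compile(r"vpn: SSL session user=(\w+) src=([\d.]+) action=connect")


def triage(log_text):
    """Return a list of (rule, detail) findings for the given log text.

    Findings are emitted in log order for per-line rules; the per-user
    multi-source rule is evaluated after all lines have been read.
    """
    findings = []
    new_users = set()                 # accounts created within this log window
    vpn_sources = defaultdict(set)    # user -> distinct external source IPs

    for line in log_text.splitlines():
        if m := RE_NEW_USER.search(line):
            new_users.add(m.group(1))
        elif m := RE_GROUP_ADD.search(line):
            user, group = m.groups()
            if group in PRIV_GROUPS:
                # A brand-new account being made admin is worth a louder tag.
                tag = "new account elevated" if user in new_users else "account elevated"
                findings.append(("privileged_account", f"{tag}: {user} -> {group}"))
        elif m := RE_LOG_CLEAR.search(line):
            findings.append(("log_clearing", f"uid={m.group(1)} cleared {m.group(2)}"))
        elif m := RE_FILE_CREATE.search(line):
            path, uid = m.groups()
            # Executable script files appearing under the web root are web shell candidates.
            if path.startswith(WEB_ROOT) and path.endswith(".php"):
                findings.append(("webshell_candidate", f"{path} written by uid={uid}"))
        elif m := RE_VPN.search(line):
            vpn_sources[m.group(1)].add(m.group(2))

    for user, sources in sorted(vpn_sources.items()):
        if len(sources) > MAX_SRC_PER_USER:
            findings.append(("multi_source_login",
                             f"{user} connected from {len(sources)} external IPs: "
                             + ", ".join(sorted(sources))))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOGS):
        print(f"[{rule}] {detail}")
```

Run against the constructed sample, the script reports one newly created account that was immediately made an administrator, one log-clearing event, two PHP files written under the web root, and one account connecting from three different external addresses; the ordinary SSH login produces nothing. The point of the example is the other half of the article: rules like these only fire if the host audit log, the file-integrity feed and the firewall session log are shipped off the box before an intruder can delete them, and the NAT logs the organization was not keeping are what would tie those external addresses back to internal hosts.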
CISA concluded that “post-attack analysis was extended, but analysts were unable to identify additional actions taken by the APT attackers,” adding that this was “possibly due to lack of sensor coverage and unavailability of data.”
We feel that CISA is not at all satisfied with the target organization.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years and has worked on a variety of print and online titles during his career. He enjoys making sense of cyber security and can talk at length about Lego.