In the ever-evolving world of cybersecurity, hackers are constantly on the lookout for vulnerabilities to exploit and gain unauthorized access. One such vulnerability that has caught the attention of these malicious actors is found in Fortinet and Manage Engine systems. With their insidious tactics, hackers have discovered a way to infiltrate these popular software products, posing a significant threat to organizations worldwide. In this article, we delve into the details of this alarming trend and explore how businesses can protect themselves from falling victim to these stealthy cyber attacks.
Hackers exploiting the Fortinet & ManageEngine vulnerabilities.
FortiOS SSL-VPN provides secure remote access to guard against data breaches, while ManageEngine ServiceDesk Plus offers an integrated help desk and asset management for IT resources.
Initial Access Vectors
At the affected organization's request, CISA investigated and found nation-state APT actors on the network from January 2023, having entered via two initial access vectors.
The two initial access vectors were:
- Initial Access Vector 1: CVE-2022-47966 allowed the APT actors to breach the web server hosting Zoho ManageEngine ServiceDesk Plus.
- Initial Access Vector 2: The APT actors exploited CVE-2022-42475 to access the organization's firewall device.
Besides this, CISA and its partners found multiple APT actors using similar tactics. Threat actors frequently scan for and exploit vulnerabilities in internet-facing devices, either to expand their access or to use the devices as malicious infrastructure, particularly:
- Firewalls
- VPNs
- Edge network infrastructure
Observed IPs
The observed IP addresses (defanged) are listed below:
- 192.142.226[.]153
- 144.202.2[.]71
- 207.246.105[.]240
- 45.77.121[.]232
- 47.90.240[.]218
- 45.90.123[.]194
- 154.6.91[.]26
- 154.6.93[.]22
- 154.6.93[.]5
- 154.6.93[.]12
- 154.6.93[.]32
- 154.6.93[.]24
- 184.170.241[.]27
- 191.96.106[.]40
- 102.129.145[.]232
Detection Methods
Security analysts recommend the following detection methods:
- Enable logging for new user creation.
- Monitor for newly constructed scheduled tasks.
- Monitor for API calls that may create or modify Windows services.
- Monitor executed commands and arguments that may attempt to access credential material.
- Monitor for user accounts logged into systems associated with RDP.
- Monitor for newly constructed network connections associated with pings/scans.
- Conduct full port scans (1-65535) on internet-facing systems.
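As an added example (not code from the article or from CISA), the Python script below refangs the observed IP list given earlier and applies the detection items above (new user creation, scheduled task creation, service installation, RDP logons, and connections from the observed IPs) to a handful of constructed log lines. It assumes a simple "timestamp key=value ..." line format; the field names such as `event_id`, `logon_type` and `target_user` are assumptions for that constructed format, not any product's schema. The Windows event IDs it uses (4720 for user account created, 4698 for scheduled task created, 7045 for new service installed, 4624 with logon type 10 for RDP) are the standard ones.

```python
import re
from typing import Iterable

# Observed IPs from the advisory list above, copied in their defanged form.
OBSERVED_IPS_DEFANGED = [
    "192.142.226[.]153", "144.202.2[.]71", "207.246.105[.]240",
    "45.77.121[.]232", "47.90.240[.]218", "45.90.123[.]194",
    "154.6.91[.]26", "154.6.93[.]22", "154.6.93[.]5", "154.6.93[.]12",
    "154.6.93[.]32", "154.6.93[.]24", "184.170.241[.]27",
    "191.96.106[.]40", "102.129.145[.]232",
]

# Windows event IDs behind the detection items: event_id -> (rule name, description).
# 7045 is written to the System log; the others are Security log events.
WINDOWS_EVENT_RULES = {
    "4720": ("new_user", "user account created"),
    "4698": ("scheduled_task", "scheduled task created"),
    "7045": ("new_service", "new service installed"),
}
RDP_LOGON_TYPE = "10"  # 4624 with LogonType 10 = RemoteInteractive (RDP)

# Constructed sample log lines (not real telemetry). Raw string so the
# backslashes in Windows paths are kept literally. Values contain no spaces.
SAMPLE_LOGS = r"""
2023-01-12T03:10:41Z type=fw src=154.6.93.22 dst=10.0.0.8 dport=443 action=accept
2023-01-12T03:11:02Z type=fw src=203.0.113.10 dst=10.0.0.8 dport=443 action=accept
2023-01-12T03:15:30Z type=win event_id=4720 host=DC01 target_user=svc_backup2 subject_user=admin
2023-01-12T03:16:05Z type=win event_id=4698 host=DC01 task_name=\Updater subject_user=svc_backup2
2023-01-12T03:18:44Z type=win event_id=7045 host=SRV02 service_name=WinUpdateSvc image_path=C:\Windows\Temp\u.exe
2023-01-12T03:20:00Z type=win event_id=4624 host=SRV02 logon_type=10 target_user=svc_backup2 src=10.0.0.8
2023-01-12T03:21:00Z type=win event_id=4624 host=SRV02 logon_type=3 target_user=jsmith src=10.0.0.9
"""

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def refang(ip: str) -> str:
    """Turn a defanged address such as 1.2.3[.]4 back into 1.2.3.4."""
    return ip.replace("[.]", ".")


def build_ioc_set(defanged: Iterable[str]) -> frozenset:
    """Refang and validate the indicator list; reject anything that is not IPv4."""
    iocs = set()
    for item in defanged:
        ip = refang(item.strip())
        if not IPV4_RE.match(ip) or any(int(octet) > 255 for octet in ip.split(".")):
            raise ValueError(f"not a valid IPv4 indicator: {item!r}")
        iocs.add(ip)
    return frozenset(iocs)


IOC_IPS = build_ioc_set(OBSERVED_IPS_DEFANGED)


def parse_line(line: str) -> dict:
    """Split 'timestamp key=value key=value ...' into a field dictionary."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect(lines: Iterable[str], ioc_ips=IOC_IPS) -> list:
    """Return (rule, message) alerts for lines matching the detection items."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        f = parse_line(raw)
        src = f.get("src", "")
        # Any record whose source address is one of the observed IPs.
        if src in ioc_ips:
            alerts.append(("ioc_ip", f"{f['ts']} traffic from observed IP {src}"))
        if f.get("type") != "win":
            continue
        eid = f.get("event_id", "")
        if eid in WINDOWS_EVENT_RULES:
            rule, desc = WINDOWS_EVENT_RULES[eid]
            alerts.append((rule, f"{f['ts']} {f.get('host')} event {eid}: {desc}"))
        elif eid == "4624" and f.get("logon_type") == RDP_LOGON_TYPE:
            alerts.append(("rdp_logon",
                           f"{f['ts']} {f.get('host')} RDP logon by {f.get('target_user')} from {src}"))
    return alerts


def run_detection() -> list:
    """Run the rules over the constructed sample; returns five alerts."""
    return detect(SAMPLE_LOGS.splitlines())


if __name__ == "__main__":
    for rule, msg in run_detection():
        print(f"[{rule}] {msg}")
```

In practice the parser would be replaced by the SIEM's own field extraction and the indicator set refreshed from the advisory feed; the full port scan item is a job for a scanner rather than log analysis and is not covered here.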
In conclusion, the recent exploitation of Fortinet and ManageEngine vulnerabilities highlights the ongoing threat posed by hackers. These incidents demonstrate the importance of robust cybersecurity measures to protect organizations’ sensitive data and infrastructure. It is crucial for companies to promptly patch any vulnerabilities in their systems and regularly update their security protocols. Additionally, employee education and awareness about phishing attacks and other common hacking techniques can help prevent successful breaches. As cyber threats continue to evolve, it is imperative for businesses to stay vigilant and proactive in their defense against hackers. Take action now to secure your organization’s network and prevent potential data breaches.