What Happened
On September 7, CISA, the FBI, and U.S. Cyber Command's Cyber National Mission Force released a joint Cybersecurity Advisory (CSA) warning of malicious activity by multiple nation-state threat actors exploiting CVE-2022-47966 and CVE-2022-42475.
These vulnerabilities were used to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus) and establish persistence, and to establish a presence on the organization's firewall device. The advisory cites a specific incident at an aeronautical sector organization, with malicious activity occurring as early as January 2023.
Impact to Organizations
Organizations that run Zoho ManageEngine ServiceDesk Plus, or that operate an affected firewall device, may be exposed to unauthorized access and further malicious activity by the nation-state threat actors exploiting these vulnerabilities.
What Organizations Should Do
CISA, the FBI, and the Cyber National Mission Force recommend that organizations take the following actions:
- Patch all systems for known exploited vulnerabilities (KEVs), including firewall security appliances.
- Monitor for unauthorized use of remote access software using endpoint detection tools.
- Remove disabled or otherwise unnecessary accounts and groups from the enterprise, especially privileged accounts.
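One way to put the second recommendation into practice, flagging remote-access software that runs outside an approved baseline, is shown below as an added example; it is not code from the advisory or from any of the agencies or products named on this page. It assumes endpoint process-creation events exported as JSON lines with `ts`, `host`, `user`, `image` and `parent` fields (field names vary by EDR product), a constructed list of remote-access executables and a constructed approval baseline, and the defensive heuristic that a remote-access binary spawned by a web-application service process (such as the Java runtime hosting a help-desk application) deserves immediate review regardless of the baseline.

```python
"""Audit endpoint process-creation events for unapproved remote-access tooling.

Everything below is constructed for illustration: the tool list, the approved
baseline, the suspicious-parent list and the sample events are not taken from
the advisory or from any vendor. Tune all four to your own environment.
"""
import json
import re
from dataclasses import dataclass

# Lower-cased basenames of executables commonly associated with remote-access
# software. Assumption: illustrative only; extend from your own inventory.
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "tv_w32.exe", "rustdesk.exe",
    "screenconnect.clientservice.exe", "atera.exe", "splashtop.exe", "ngrok.exe",
}

# Approved baseline: tool -> set of (host, user) pairs sanctioned to run it.
# Assumption: constructed; a real baseline comes from asset/access records.
APPROVED = {
    "teamviewer.exe": {("ws-helpdesk07", r"CORP\jdoe")},
}

# Parent processes that should never launch remote-access software. A web
# application or app-server runtime spawning one suggests post-exploitation
# activity on a public-facing application rather than legitimate admin use.
SUSPICIOUS_PARENTS = {"java.exe", "w3wp.exe", "httpd.exe", "tomcat9.exe"}

REQUIRED_FIELDS = ("ts", "host", "user", "image", "parent")


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    tool: str
    reason: str


def parse_event(line):
    """Return the event dict, or None for malformed/incomplete lines."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(ev, dict) or not all(k in ev for k in REQUIRED_FIELDS):
        return None
    return ev


def basename(path):
    """Lower-cased final path component, tolerant of '\\' and '/' separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def audit(lines, approved=APPROVED):
    """Return findings for remote-access tools outside the baseline or with a
    suspicious parent process. Malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        tool = basename(ev["image"])
        if tool not in REMOTE_ACCESS_TOOLS:
            continue
        parent = basename(ev["parent"])
        who = (ev["host"].lower(), ev["user"].lower())
        sanctioned = {(h.lower(), u.lower()) for h, u in approved.get(tool, set())}
        if parent in SUSPICIOUS_PARENTS:
            reason = f"spawned by application/web service process {parent}"
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], tool, reason))
        elif who not in sanctioned:
            findings.append(Finding(ev["ts"], ev["host"], ev["user"], tool,
                                    "not in approved baseline"))
    return findings


# Constructed sample telemetry (JSON lines; '\\' is the JSON escape for '\').
SAMPLE_EVENTS = [
    # Sanctioned help-desk use: matches the baseline, produces no finding.
    r'{"ts":"2023-01-15T08:02:10Z","host":"ws-helpdesk07","user":"CORP\\jdoe",'
    r'"image":"C:\\Program Files\\TeamViewer\\TeamViewer.exe","parent":"C:\\Windows\\explorer.exe"}',
    # Remote-access tool launched by the Java runtime of a web application service.
    r'{"ts":"2023-01-15T03:12:44Z","host":"srv-helpdesk01","user":"CORP\\svc_sdp",'
    r'"image":"C:\\Windows\\Temp\\AnyDesk.exe","parent":"C:\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe"}',
    # Interactive launch on a host/user pair that has no baseline entry.
    r'{"ts":"2023-01-16T14:40:03Z","host":"ws-finance03","user":"CORP\\asmith",'
    r'"image":"C:\\Users\\asmith\\Downloads\\anydesk.exe","parent":"C:\\Windows\\explorer.exe"}',
    # Unrelated process: ignored.
    r'{"ts":"2023-01-16T14:41:00Z","host":"ws-finance03","user":"CORP\\asmith",'
    r'"image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe"}',
    "this line is not JSON and is skipped",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.user} {f.tool}: {f.reason}")
```

Run as-is, the script reports the AnyDesk launch under `java.exe` on `srv-helpdesk01` and the unbaselined launch on `ws-finance03`, and stays silent on the sanctioned TeamViewer session. The suspicious-parent check is evaluated before the baseline check on purpose: an approved tool is still worth a look when a server-side application runtime, rather than a logged-in user, is what started it.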
Organizations should also review the joint Cybersecurity Advisory and implement the recommended mitigations, which align with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and NSA-recommended best practices for securing infrastructure.
All organizations should report suspicious or criminal activity related to this advisory by contacting their local FBI field office and CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.