Feds Warn of Active Exploitation of Zoho and Fortinet Vulnerabilities

A joint cybersecurity advisory has been issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and U.S. Cyber Command’s Cyber National Mission Force (CNMF) warning that multiple nation-state hacking groups are exploiting vulnerabilities in Zoho ManageEngine software and Fortinet firewalls to gain access to networks and steal sensitive data.

Patches are available for the vulnerabilities under active exploitation and should be applied as soon as possible. In addition to applying patches, investigations should be conducted to determine whether the flaws have already been exploited. According to the alert, multiple advanced persistent threat (APT) actors have been exploiting two unrelated critical severity vulnerabilities that allow them to remotely execute code and take control of systems. Successful exploitation of either flaw would provide a foothold that could be used to attack other parts of the network.

CVE-2022-47966 is a critical flaw in Zoho ManageEngine, which affects products such as ServiceDesk Plus and Vulnerability Manager Plus. Zoho released patches to correct the vulnerability in late 2022. Proof-of-concept exploit code was published on January 19, 2023. CVE-2022-42475 is a critical flaw that affects Fortinet FortiOS SSL VPN devices. Fortinet released patches to fix the flaw on December 12, 2022, and its security advisory confirmed that the flaw was already being exploited in the wild.

While the security alert does not name the APT groups exploiting the flaws, multiple cybersecurity firms have confirmed that threat actors from China, Iran, and North Korea have been exploiting the vulnerabilities for espionage purposes. CISA et al. strongly advise all users of the affected products, including firewall security appliances, to apply patches immediately for all known exploited vulnerabilities, to use endpoint detection tools to monitor for unauthorized use of remote access software, and to remove unnecessary or disabled accounts and groups that are no longer needed from the enterprise, especially privileged accounts.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/