State-sponsored threat actors have exploited a US aeronautical organization, using known vulnerabilities in Zoho ManageEngine software and in Fortinet firewalls.

The organization has not been named, but a statement by US Cyber Command said the attack illuminated “Iranian exploitation efforts”; it also said the the organization was under attack by “multiple nation-states.”

The advanced persistent threat (APT) attackers exploited the CVE-2022-47966 remote code execution (RCE) flaw in ManageEngine to gain unauthorized access through the organization’s public-facing application, after which they established persistence and moved laterally within the network. Officials issued warnings about CVE-2022-47966 in January; any affected ManageEngine products could be vulnerable if single sign-on was, or had ever been, enabled.

Additional APT actors were also observed exploiting CVE-2022-42475 to establish presence on the organization’s Fortinet firewall device. The bug was first discovered being used as a zero-day vulnerability in January, and is defined as a heap-based buffer overflow vulnerability in FortiOS SSL-VPN, which may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

The Cyber National Mission Force urged organizations to review and implement recommended mitigation strategies, which include CISA’s cross-sector cybersecurity performance goals, and NSA’s recommended best practices for securing remotely accessible software.

The aviation incident is not the first instance of Iranian APTs targeting the interests of the US federal government. Last year, an Iranian government-sponsored group used the Log4Shell vulnerability to breach the US Federal Civilian Executive Branch systems and leave malware.