Iranian state-sponsored advanced persistent threat (APT) actors have been targeting and exploiting Microsoft Exchange and Fortinet vulnerabilities.
According to a joint cybersecurity alert by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC), the APT attacks have been linked to the government of Iran.
An excerpt from the advisory:
“FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.”
CISA
The agencies warned that the APT actors have been exploiting known Fortinet and Exchange vulnerabilities across a broad set of organizations in multiple sectors since March 2021.
FortiOS vulnerabilities
In April 2021, the FBI and CISA issued an alert after observing APT actors in March exploiting three FortiOS vulnerabilities: CVE-2018-13379 (a path traversal in the SSL VPN web portal that discloses session files), CVE-2019-5591 (a default configuration that lets an on-subnet attacker impersonate the LDAP server) and CVE-2020-12812 (an authentication weakness that can bypass the second factor for SSL VPN logins).
“It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks,” the FBI warned in the advisory.
In May 2021, the same Iranian government-sponsored APT actors exploited a Fortigate appliance to gain unauthorized access to a U.S. municipal government webserver. The actors abused the same three FortiOS vulnerabilities experts warned about in the previous month.
In June 2021, CISA warned these actors exploited another vulnerable Fortigate appliance to gain access to a U.S.-based children’s hospital environmental control network.
ProxyShell vulnerabilities
In June 2021, cyberattackers were scanning for and exploiting the ProxyShell vulnerabilities on unpatched Microsoft Exchange servers. ProxyShell chains three bugs: CVE-2021-34473 (a pre-authentication path confusion in the Autodiscover front end), CVE-2021-34523 (privilege elevation on the Exchange PowerShell back end) and CVE-2021-31207 (a post-authentication arbitrary file write); chained together they give unauthenticated remote code execution. Microsoft had patched the three ProxyShell CVEs in its April and May 2021 Exchange security updates.
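The practical check for the ProxyShell activity described above is the Exchange server's own IIS logs: the path-confusion bug is reached through requests to `/autodiscover/autodiscover.json` whose query string begins with `@host/` and re-injects the Autodiscover path in an `Email=` parameter, followed by the back-end path the attacker wants (`/mapi/nspi`, `/powershell`, `/ews`). The script below is an added example written for this article, not code from the advisory or from any of the agencies it cites. It parses IIS W3C extended logs using the `#Fields:` directive, classifies each Autodiscover request against the three chain stages, and groups hits by client address. The log lines, hostnames, IP addresses and timestamps are constructed for the example.

```python
"""Flag ProxyShell (CVE-2021-34473 chain) attempts in IIS W3C extended logs.

Added example; not code from the advisory. Sample log lines, hosts, IPs and
timestamps below are constructed and hypothetical.
"""
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log in the default IIS W3C field layout (hypothetical data).
SAMPLE_IIS_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 10.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
    "c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken",
    "2021-10-12 09:58:41 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 31",
    "2021-10-12 09:59:02 10.0.0.5 GET /autodiscover/autodiscover.json "
    "@example.invalid/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.invalid "
    "443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 125",
    "2021-10-12 09:59:05 10.0.0.5 POST /autodiscover/autodiscover.json "
    "@example.invalid/powershell/?X-Rps-CAT=VgAAAAAAAAAA&Email=autodiscover/autodiscover.json%3F@example.invalid "
    "443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 412",
    "2021-10-12 09:59:09 10.0.0.5 POST /autodiscover/autodiscover.json "
    "@example.invalid/ews/exchange.asmx/?&Email=autodiscover/autodiscover.json%3F@example.invalid "
    "443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 388",
    # Legitimate Outlook Autodiscover traffic (XML endpoint, authenticated user).
    "2021-10-12 10:03:17 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\jdoe "
    "198.51.100.20 Microsoft+Office/16.0 - 200 0 0 47",
])

# Back-end paths reached through the Autodiscover front end, in chain order.
STAGE_BY_BACKEND = [
    ("/mapi/nspi", "stage 1: SID lookup via MAPI/NSPI (CVE-2021-34473 path confusion)"),
    ("/powershell", "stage 2: PowerShell back end with forged X-Rps-CAT token (CVE-2021-34523)"),
    ("/ews", "stage 3: EWS access, e.g. mailbox export for file write (CVE-2021-31207)"),
]


def parse_w3c(text):
    """Yield one dict per request line; column names come from the #Fields: directive.

    W3C logs are space-delimited and encode spaces inside values as '+', so a
    plain split is the correct tokenizer.
    """
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("no #Fields: directive before the first data line")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip malformed rows instead of aborting the whole scan
        yield dict(zip(fields, values))


def classify_proxyshell(stem, query):
    """Return a stage label if the request matches the ProxyShell pattern, else None."""
    if stem.lower() != "/autodiscover/autodiscover.json":
        return None
    q = unquote(query).lower()  # IIS stores the query URL-encoded (%3F -> ?)
    # The path-confusion trigger: query begins with '@host/' so the front end
    # treats everything after the '@' as the back-end URL to proxy to.
    if not q.startswith("@"):
        return None
    for backend, label in STAGE_BY_BACKEND:
        if backend in q:
            return label
    return "autodiscover path confusion (CVE-2021-34473), unrecognised backend"


def find_proxyshell_attempts(text):
    """Scan a whole log and return one hit dict per suspicious request."""
    hits = []
    for rec in parse_w3c(text):
        label = classify_proxyshell(rec["cs-uri-stem"], rec["cs-uri-query"])
        if label:
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "client": rec["c-ip"],
                "method": rec["cs-method"],
                "status": rec["sc-status"],
                "stage": label,
            })
    return hits


def stages_per_client(hits):
    """Map client IP -> number of distinct chain stages it touched.

    A single source walking all three stages is the strongest signal; a lone
    stage-1 probe from many addresses usually means internet-wide scanning.
    """
    per_ip = defaultdict(set)
    for h in hits:
        per_ip[h["client"]].add(h["stage"])
    return {ip: len(stages) for ip, stages in per_ip.items()}


if __name__ == "__main__":
    found = find_proxyshell_attempts(SAMPLE_IIS_LOG)
    for h in found:
        print(f'{h["time"]} {h["client"]} {h["method"]} {h["status"]} {h["stage"]}')
    print(stages_per_client(found))
```

Run it against a real `u_ex*.log` by replacing `SAMPLE_IIS_LOG` with the file's contents; the `#Fields:` parsing means a non-default column layout still works as long as the stem, query and client columns are logged. A scanner that only probes stage 1 is noise after the patches are applied; the same address moving on to `/powershell` and `/ews` is what deserves an incident.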
In October 2021, an APT group dubbed ChamelGang was reported to have used ProxyShell against Russian energy and aviation companies, as well as organizations in nine other countries. The actors appeared to be focused on stealing data from compromised networks and, since March 2021, on launching "trusted relationship" attacks, in which a subsidiary or contractor is compromised first as a path into the real target.
ACSC also noted in the advisory that the Iranian APT group has exploited the same Exchange vulnerability (CVE-2021-34473) in Australia.
Several of these bugs are long-standing: CVE-2018-13379 in particular has appeared in the agencies' joint lists of the most routinely exploited vulnerabilities for the past couple of years.