Iranian APT Actors Actively Exploiting Microsoft Exchange and Fortinet Vulnerabilities

Share this article on:

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) warning of ongoing attacks by an Iranian Advanced Persistent Threat (APT) actor on critical infrastructure sectors including the healthcare and public health sector.

Cyber actors known to be associated with the Iranian government have been exploiting vulnerabilities in the Fortinet FortiOS operating system since at least March 2021, and have been leveraging a Microsoft Exchange ProxyShell vulnerability since October 2021 to gain access to targets’ networks.

The attacks appear to be focused on exploiting the vulnerabilities rather than any specific sector. Once the vulnerabilities have been exploited to gain a foothold in networks, the threat actor can perform a range of follow-on operations, which have included data exfiltration and data encryption.

The threat actors are exploiting three vulnerabilities in Fortinet Devices – CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812, and the CVE-2021-34473 in Microsoft Exchange. Patches have been released to fix the flaws that are being exploited, but many organizations have been slow to apply the patches and remain vulnerable.

Post-exploitation, the threat actors use legitimate tools to achieve their objectives, including Mimikatz for credential theft, WinPEAS for privilege escalation, SharpWMI, WinRAR for archiving data of interest, and FileZilla for transferring files. They are known to make modifications to the Task Scheduler and establish new user accounts on domain controllers, servers, workstations, and active directories. In some attacks, the accounts have been created to look similar to genuine accounts on the network to reduce the risk of detection. Data of interest have been exfiltrated via File Transfer Protocol (FTP) transfers over port 443.

The alert provides Indicators of Compromise (IoCs) for organizations using Fortinet devices and/or Microsoft Exchange, and several mitigations that will reduce the risk of compromise, the most important of which is to apply the patches to fix the above vulnerabilities as soon as possible.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On