United States, United Kingdom, and Australian cybersecurity agencies have issued a joint advisory warning about an Iranian government-sponsored advanced persistent threat (APT) group exploiting Microsoft Exchange ProxyShell and Fortinet vulnerabilities. The advisory was issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC). The FBI and CISA have observed the group exploiting Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021. The group exploits these vulnerabilities to gain initial access to systems ahead of follow-on operations, including ransomware deployment. The ACSC is also aware of the group using the same Microsoft Exchange vulnerability against targets in Australia.
These Iranian state-sponsored actors target organizations across multiple U.S. critical infrastructure sectors, including transportation and healthcare, as well as Australian organizations. Their goal is to gain initial access to targets in critical sectors, which they can then use for data exfiltration, ransomware deployment, and extortion. While monitoring the group, CISA and the FBI documented several instances of this activity:
- March 2021 – The Iranian government-sponsored APT actors scanned devices on ports 4443, 8443, and 10443 for the Fortinet FortiOS vulnerability CVE-2018-13379 (a path traversal in the SSL VPN web portal that lets an unauthenticated attacker read system files, including cached VPN credentials) and enumerated devices for the FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591. The actors then exploited these vulnerabilities to gain access to susceptible networks.
- May 2021 – The actors exploited a FortiGate appliance to access a web server hosting a U.S. municipal government domain and created an account with the username ‘elie’ to enable further malicious activity.
- June 2021 – The actors exploited a FortiGate appliance to gain access to environmental control networks associated with a U.S.-based hospital that specializes in children’s healthcare. They accessed known user accounts at the hospital from the IP address 154.16.192[.]70, which the FBI and CISA associate with Iranian government offensive cyber activity.
- October 2021 – The actors exploited the Microsoft Exchange ProxyShell vulnerability CVE-2021-34473 (the pre-authentication path-confusion bug in the Exchange Autodiscover front end that opens the ProxyShell chain) to gain initial access prior to follow-on operations.
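The four incidents above each leave a concrete trace in ordinary telemetry: a port sweep across 4443/8443/10443, a traversal request against the FortiOS SSL VPN portal, an Autodiscover request with the ProxyShell path-confusion shape, a new local account named ‘elie’, and traffic from the advisory’s IoC address. The script below is an added example, not code from the advisory or from SpearTip, that runs those checks over constructed sample firewall, web-server, and account-management log lines. The IoC address and username are the ones quoted above; the two URL patterns are the publicly documented exploitation request shapes for CVE-2018-13379 and CVE-2021-34473, which the page itself does not list, and the log formats are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators quoted from the joint advisory as summarized above.
IOC_IP = "154.16.192.70"
IOC_USERNAME = "elie"
SCAN_PORTS = {4443, 8443, 10443}

# Request shapes of the two CVEs named on this page. These are the publicly
# documented exploitation patterns, added here; the page does not list them.
FORTIOS_CVE_2018_13379 = re.compile(
    r"/remote/fgt_lang\?lang=\S*\.\./\S*sslvpn_websession", re.I)
PROXYSHELL_CVE_2021_34473 = re.compile(
    r"/autodiscover/autodiscover\.json\?@", re.I)

# Constructed sample logs (not real telemetry). Addresses other than the IoC
# come from the RFC 5737 documentation ranges. Formats are assumed.
FIREWALL_LOG = """\
2021-03-02T10:00:01Z src=203.0.113.9 dst=192.0.2.10 dport=4443 action=allow
2021-03-02T10:00:02Z src=203.0.113.9 dst=192.0.2.10 dport=8443 action=allow
2021-03-02T10:00:03Z src=203.0.113.9 dst=192.0.2.10 dport=10443 action=allow
2021-03-02T10:05:00Z src=198.51.100.7 dst=192.0.2.10 dport=443 action=allow
2021-03-03T11:00:00Z src=198.51.100.7 dst=192.0.2.10 dport=8443 action=allow
2021-06-14T02:11:09Z src=154.16.192.70 dst=192.0.2.10 dport=443 action=allow
"""

WEB_LOG = """\
2021-03-02T10:00:05Z 203.0.113.9 GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 200
2021-10-07T14:22:31Z 198.51.100.7 GET /autodiscover/autodiscover.json?@test.example/mapi/nspi/ 200
2021-10-07T14:23:00Z 198.51.100.7 GET /owa/auth/logon.aspx 200
"""

ACCOUNT_LOG = """\
2021-05-20T08:00:00Z host=web01 event=user_add user=elie by=admin
2021-05-20T08:01:00Z host=web01 event=user_add user=svc_backup by=admin
"""


def _kv(line):
    """Parse 'ts key=value ...' into a dict; the timestamp goes under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_port_sweeps(firewall_log, window=timedelta(minutes=10)):
    """Sources that touched at least two of SCAN_PORTS within `window`.

    A single hit on 8443 is normal admin traffic; several of the FortiOS
    SSL VPN ports from one source in quick succession is the March 2021
    scanning pattern."""
    hits = defaultdict(list)
    for line in firewall_log.splitlines():
        rec = _kv(line)
        if int(rec["dport"]) in SCAN_PORTS:
            hits[rec["src"]].append((rec["ts"], int(rec["dport"])))
    sweepers = set()
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= 2:
                sweepers.add(src)
                break
    return sweepers


def detect_ioc_ip(firewall_log):
    """Firewall records whose source is the advisory's IoC address."""
    return [l for l in firewall_log.splitlines() if _kv(l)["src"] == IOC_IP]


def detect_exploit_requests(web_log):
    """(cve, src, path) for requests matching either exploitation pattern."""
    findings = []
    for line in web_log.splitlines():
        _ts, src, _method, path, _status = line.split()
        if FORTIOS_CVE_2018_13379.search(path):
            findings.append(("CVE-2018-13379", src, path))
        elif PROXYSHELL_CVE_2021_34473.search(path):
            findings.append(("CVE-2021-34473", src, path))
    return findings


def detect_ioc_account(account_log):
    """Account-creation events for the advisory's IoC username."""
    recs = (_kv(l) for l in account_log.splitlines())
    return [r for r in recs
            if r.get("event") == "user_add" and r.get("user") == IOC_USERNAME]


def run_all():
    """Run every check over the sample logs and return the findings by name."""
    return {
        "port_sweeps": detect_port_sweeps(FIREWALL_LOG),
        "ioc_ip": detect_ioc_ip(FIREWALL_LOG),
        "exploit_requests": detect_exploit_requests(WEB_LOG),
        "ioc_accounts": detect_ioc_account(ACCOUNT_LOG),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

The port-sweep check is the one worth tuning: the 10-minute window and the two-port threshold are assumptions, and on a busy edge they should be raised to cut noise from ordinary vulnerability scanners. The URL and account checks are exact-match signatures and carry no such threshold, so a single hit on either is worth an immediate look.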
The joint advisory’s findings correspond to details disclosed in a Microsoft Threat Intelligence Center (MSTIC) report on the evolution of Iranian APTs, which described how these groups adapt their tooling and targeting over time. MSTIC reported that since September 2020 it has tracked six Iranian threat groups deploying ransomware and exfiltrating data, and that these groups scan for and exploit vulnerabilities in a range of products, including Fortinet’s FortiOS SSL VPN and Microsoft Exchange servers vulnerable to the ProxyShell bugs.
The FBI has also warned private industry partners that an Iranian threat actor was attempting to purchase stolen information on U.S. and global companies from clear-web and dark-web sources to use in infiltrating their systems. To mitigate the risk of compromise by Iranian government-sponsored actors, the FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to implement the recommendations in the advisory’s mitigations section. Full details of the attacks, including indicators of compromise, MITRE ATT&CK tactics and techniques, detection measures, and mitigations, are in the joint advisory.
With Iranian government-sponsored groups continuously exploiting vulnerabilities in widely deployed systems such as Microsoft Exchange and Fortinet appliances, companies must stay current on the threat landscape and apply security patches promptly to close the vulnerabilities these actors target. At SpearTip, our certified engineers continuously monitor your systems 24/7 from our global network of Security Operations Centers and respond quickly and precisely to eliminate potential threats, including Iranian-sponsored attack groups. SpearTip defends your environment with the ShadowSpear platform, an unparalleled resource that optimizes visibility and enhances your company’s cybersecurity posture by preventing threats from impacting your business.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.