The USA, UK, and Australia have warned of Iranian hackers exploiting Microsoft and Fortinet flaws.
A joint advisory released by these countries warned about the active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors. These hackers managed to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.’s National Cyber Security Centre (NCSC), the Iranian hackers managed to leverage multiple Fortinet FortiOS vulnerabilities dating back to March 2021. This also included a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021.
The bad actors targeted Australian organizations and institutions across multiple U.S. critical infrastructure sectors, such as transportation and healthcare.
The List of Flaws Exploited
- CVE-2021-34473 (CVSS score: 9.1) – Microsoft Exchange Server remote code execution vulnerability (aka "ProxyShell")
- CVE-2020-12812 (CVSS score: 9.8) – FortiOS SSL VPN 2FA bypass by changing username case
- CVE-2019-5591 (CVSS score: 6.5) – FortiGate default configuration does not verify the LDAP server identity
- CVE-2018-13379 (CVSS score: 9.8) – FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests
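To show the defect class behind the CVE-2020-12812 entry above (a second-factor check that is skipped when the username is spelled in a different case than the enrolled account), here is a constructed toy login flow with the weak form beside the corrected one. This is an added illustration, not FortiOS code, and it makes no claim about how the real implementation was written; the user records, the fixed TOTP code, and the function names are all assumptions.

```python
"""Toy model of a case-mismatch 2FA bypass: the password check resolves usernames
case-insensitively (like a directory backend), but the 2FA enrolment lookup uses
the name exactly as typed, so a variant spelling passes the password stage and
then falls through as an account with no second factor.
Constructed example; not FortiOS code and not an assertion about its internals."""
import hmac

# Constructed sample data: one enrolled account and a fixed TOTP code stand-in.
USERS = {"alice": {"password": "correct horse", "totp_secret": "SECRET"}}
ENROLLED_2FA = {"alice"}  # accounts that must present a second factor


def find_user(name):
    """Case-insensitive lookup, simulating a directory (LDAP-style) backend."""
    for uname, rec in USERS.items():
        if uname.lower() == name.lower():
            return uname, rec
    return None, None


def verify_totp(secret, code):
    """Stand-in for TOTP validation; accepts only the constant code '123456'."""
    return hmac.compare_digest(code, "123456")


def login_vulnerable(name, password, code=None):
    """Weak flow: the enrolment check uses the username exactly as typed."""
    _, rec = find_user(name)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return False
    if name in ENROLLED_2FA:  # 'ALICE' is not in the set, so 2FA is skipped
        return code is not None and verify_totp(rec["totp_secret"], code)
    return True  # treated as an account without 2FA: the bypass


def login_fixed(name, password, code=None):
    """Hardened flow: resolve the canonical username first, then fail closed."""
    canonical, rec = find_user(name)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return False
    if canonical not in ENROLLED_2FA:
        return False  # no enrolment on a 2FA-required system: deny, never fall back
    return code is not None and verify_totp(rec["totp_secret"], code)
```

The point for defenders is that every authorisation decision must key on the same canonical identity the credential check resolved, and missing enrolment must deny rather than downgrade.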
The actors also exploited the FortiOS flaws listed above to gain access to vulnerable networks. According to CISA and the FBI, the adversary abused a Fortigate appliance in May 2021 to gain a foothold on a web server hosting the domain for a U.S. municipal government. The advisory adds that in the following month the APT actors “exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children.”
This is the second time the US government warned of advanced threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.
The agencies have recommended organizations take the following steps to mitigate the vulnerabilities:
- Urgently patch software affected by the mentioned vulnerabilities
- Enforce backup and restoration procedures
- Implement network segmentation
- Secure accounts with multi-factor authentication
- Patch operating systems, software, and firmware as and when updates are released.