Iranian APT Actors Exploit Microsoft Exchange and Fortinet Vulnerabilities

The Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Cybersecurity and Infrastructure Security Agency (CISA), and the United Kingdom’s National Cyber Security Centre (NCSC) have issued a joint cybersecurity advisory warning of ongoing attacks by an Iranian government-sponsored Advanced Persistent Threat (APT) actor against critical infrastructure sectors, including the Healthcare and Public Health sector.

The actors, assessed to be sponsored by the Iranian government, have been exploiting known vulnerabilities in Fortinet’s FortiOS since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021, to gain initial access to target networks.

The actors appear to be targeting the vulnerabilities themselves rather than any particular sector: whoever is running an unpatched, internet-facing instance is a candidate victim. Once exploitation yields a foothold, the actor can carry out a range of follow-on operations, including data exfiltration and encryption of data.

The attackers are exploiting three vulnerabilities in Fortinet devices – CVE-2018-13379 (FortiOS SSL VPN path traversal that exposes session files), CVE-2020-12812 (FortiOS SSL VPN two-factor authentication bypass), and CVE-2019-5591 (LDAP server impersonation in a default FortiOS configuration) – and CVE-2021-34473 in Microsoft Exchange, the pre-authentication path confusion component of the ProxyShell chain. Patches for all four have been available for some time (Microsoft addressed CVE-2021-34473 in its April 2021 Exchange security updates, before the vulnerability was publicly disclosed), yet many organizations are slow to apply them and remain exposed.

After exploitation, the attackers rely on publicly available tools to accomplish their goals: Mimikatz for credential theft, WinPEAS for privilege escalation, SharpWMI for executing commands through Windows Management Instrumentation, FileZilla for transferring files, and WinRAR for archiving data of interest. They are known to modify scheduled tasks via the Task Scheduler and to create new user accounts on domain controllers, servers, and workstations, and in Active Directory. In several intrusions the new accounts were named to closely resemble existing legitimate accounts in order to reduce the chance of discovery. Collected data is exfiltrated using File Transfer Protocol (FTP) transfers over port 443 rather than the standard FTP port, so egress controls and detections that key only on port numbers will miss it; application-layer identification of the traffic is required.
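The following hunting script is an added example written for this page, not code from the advisory or from any of the agencies that issued it. It turns the three post-exploitation behaviours just described into detection logic: account creation events (Windows event ID 4720) whose new name is a look-alike of an existing account, scheduled task creation events (4698) registered by such an account or running from a user-writable staging path, and flow records where the application identified is FTP but the destination port is not 21. All event records, flow lines, account names and the confusable-character table are constructed for illustration and are assumptions, not indicators from the advisory.

```python
"""Hunt for look-alike accounts, suspicious scheduled tasks and FTP on non-standard ports.

Added example for this page. Every record below is constructed sample data,
not an indicator of compromise published in the advisory.
"""
import re
from difflib import SequenceMatcher

# Accounts that legitimately existed before the incident window (constructed).
KNOWN_ACCOUNTS = {"administrator", "svc-backup", "j.smith", "helpdesk"}

# Simplified Windows Security events (constructed): 4720 = account created,
# 4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"id": 4720, "host": "DC01",   "subject": "CORP\\j.smith",         "target": "t.nguyen"},
    {"id": 4720, "host": "DC01",   "subject": "CORP\\administrator",   "target": "svc_backup"},
    {"id": 4720, "host": "EXCH01", "subject": "NT AUTHORITY\\SYSTEM",  "target": "administrat0r"},
    {"id": 4698, "host": "EXCH01", "subject": "CORP\\svc_backup",
     "task": "\\Microsoft\\Windows\\SyncCenter\\Sync", "command": "C:\\Users\\Public\\svchost.exe"},
    {"id": 4698, "host": "FS01",   "subject": "CORP\\helpdesk",
     "task": "\\Backup\\Nightly", "command": "C:\\Program Files\\Backup\\run.exe"},
]

# Firewall / flow records with an application-identification field (constructed).
SAMPLE_FLOWS = """\
2021-10-12T03:14:22Z src=10.0.1.5 dst=203.0.113.7 dport=443 proto=tcp app=ssl bytes_out=18342
2021-10-12T03:20:41Z src=10.0.1.5 dst=203.0.113.7 dport=443 proto=tcp app=ftp bytes_out=612000000
2021-10-12T03:22:09Z src=10.0.2.9 dst=192.0.2.44 dport=21 proto=tcp app=ftp bytes_out=4096
"""

# Digit-for-letter substitutions commonly used to imitate a name (assumed table).
_CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s"})
_SEPARATORS = re.compile(r"[-_.\s]")


def normalize(name: str) -> str:
    """Lower-case, drop separators and undo confusable substitutions so that
    'svc_backup' and 'administrat0r' compare equal to the names they imitate."""
    return _SEPARATORS.sub("", name.lower()).translate(_CONFUSABLE)


def lookalike_accounts(events, known=KNOWN_ACCOUNTS, threshold=0.85):
    """Return (new_account, imitated_account, host) for each 4720 event whose
    target is not a known account but matches one after normalization, or is
    within `threshold` similarity of one."""
    hits = []
    for ev in events:
        if ev["id"] != 4720 or ev["target"].lower() in known:
            continue
        n_new = normalize(ev["target"])
        for existing in sorted(known):
            n_old = normalize(existing)
            if n_new == n_old or SequenceMatcher(None, n_new, n_old).ratio() >= threshold:
                hits.append((ev["target"], existing, ev["host"]))
                break
    return hits


# Directories a low-privileged actor can write to and stage tooling in (assumed list).
_STAGING_DIRS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\programdata\\",
                 "\\appdata\\local\\temp\\")


def suspicious_tasks(events, new_accounts):
    """Return 4698 events registered by a newly created account or whose action
    runs a binary from a user-writable staging directory."""
    created = {a.lower() for a in new_accounts}
    flagged = []
    for ev in events:
        if ev["id"] != 4698:
            continue
        creator = ev["subject"].split("\\")[-1].lower()
        if creator in created or any(d in ev["command"].lower() for d in _STAGING_DIRS):
            flagged.append(ev)
    return flagged


_KV = re.compile(r"(\w+)=(\S+)")


def ftp_off_port(flows: str, expected_port: int = 21):
    """Return (timestamp, src, dst, dport, bytes_out) for flows the sensor
    identified as FTP on any port other than the expected one; this is the
    FTP-over-443 pattern, which a port-only rule would never see."""
    hits = []
    for line in flows.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        f = dict(_KV.findall(rest))
        if f.get("app") == "ftp" and int(f["dport"]) != expected_port:
            hits.append((ts, f["src"], f["dst"], int(f["dport"]), int(f["bytes_out"])))
    return hits


if __name__ == "__main__":
    accounts = lookalike_accounts(SAMPLE_EVENTS)
    print("look-alike accounts:", accounts)
    print("suspicious tasks:", suspicious_tasks(SAMPLE_EVENTS, [a[0] for a in accounts]))
    print("FTP on non-standard port:", ftp_off_port(SAMPLE_FLOWS))
```

In production the event dicts would come from a SIEM query on event IDs 4720 and 4698 and the flow lines from a firewall or sensor that performs application identification; the point of the last check is that the `app` field, not `dport`, is what distinguishes the exfiltration session from ordinary HTTPS to the same host and port.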

The advisory provides Indicators of Compromise (IoCs) for organizations running Microsoft Exchange and/or Fortinet devices, along with a set of mitigations that reduce exposure, the most important of which is to apply the patches for the known vulnerabilities as quickly as possible.