18 November 2021

U.S., U.K. and Australia warn of Iranian hackers exploiting Fortinet and Microsoft Exchange vulnerabilities

U.S., U.K., and Australian cybersecurity agencies have released a joint security advisory to raise awareness of an ongoing wave of attacks in which Iranian state-sponsored hackers are exploiting Fortinet and Microsoft Exchange vulnerabilities to compromise networks of a wide range of targets across multiple critical infrastructure sectors in the U.S. and Australia.

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware," the advisory reads.

“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”

In one of the campaigns, observed in March 2021, Iranian hackers targeted Fortinet FortiOS vulnerabilities (CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812) to gain access to vulnerable networks.

In May 2021, these threat actors exploited a FortiGate appliance to access a web server hosting the domain of a U.S. municipal government.

In June 2021, the attackers exploited a FortiGate appliance to access environmental control networks associated with a U.S.-based children's hospital. In October 2021, the same threat actors were observed abusing a Microsoft Exchange ProxyShell vulnerability (CVE-2021-34473) to gain initial access to systems in advance of follow-on operations.

The Australian Cyber Security Centre (ACSC) believes that the threat actors exploited CVE-2021-34473 in attacks against Australian entities.

"The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors," the agencies said.
