18 November 2021

U.S., U.K. and Australia warn of Iranian hackers exploiting Fortinet and Microsoft Exchange vulnerabilities

U.S., U.K., and Australian cybersecurity agencies have released a joint security advisory to raise awareness of an ongoing wave of attacks in which Iranian state-sponsored hackers are exploiting Fortinet and Microsoft Exchange vulnerabilities to compromise networks of a wide range of targets across multiple critical infrastructure sectors in the U.S. and Australia.

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware," the advisory reads.

"The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion."

In one of the campaigns, observed in March 2021, Iranian hackers targeted Fortinet FortiOS vulnerabilities (CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812) to gain access to vulnerable networks.

In May 2021, the same threat actors exploited a FortiGate appliance to access a web server hosting the domain for a U.S. municipal government.

In June 2021, the attackers exploited a FortiGate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. In October 2021, the same threat actors were observed abusing a Microsoft Exchange ProxyShell vulnerability (CVE-2021-34473) to gain initial access to systems in advance of follow-on operations.

The Australian Cyber Security Centre (ACSC) believes that the threat actors exploited CVE-2021-34473 in attacks against Australian entities.

"The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors," the agencies said.
