‘The FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors,’ officials said Wednesday.
Iranian hackers have exploited Fortinet and Microsoft Exchange ProxyShell vulnerabilities to gain initial access to systems in advance of follow-on attacks like ransomware, officials said.
An advanced persistent threat (APT) group associated with the government of Iran has been exploiting the Fortinet flaws since at least March 2021 and the Microsoft Exchange flaw since at least October 2021, according to a joint cybersecurity advisory from the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC).
“Since at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities,” officials wrote in a 10-page advisory issued Wednesday.
Neither Fortinet nor Microsoft immediately responded to CRN requests for comment.
The APT group has targeted victims across the U.S. transportation, healthcare and public health sectors as well as Australian organizations, though officials said the hackers are focused on exploiting known vulnerabilities rather than on targeting specific sectors. Access gained through the Microsoft Exchange or Fortinet flaws can be leveraged for follow-on operations such as data exfiltration, data encryption, ransomware, or extortion.
Iranian hackers were observed in March 2021 scanning devices and ports for three different Fortinet FortiOS vulnerabilities, which officials said were likely exploited to gain access to vulnerable networks. In May, officials said, the APT group exploited a FortiGate firewall to access a web server hosting the domain for a U.S. municipal government, creating an account to enable further malicious activity.
In June, the hackers abused a FortiGate firewall to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. The group likely leveraged a server associated with the Iranian government to enable further malicious activity against the hospital’s network, according to the joint cybersecurity advisory.
The Microsoft Exchange ProxyShell vulnerability, meanwhile, was exploited in the U.S. in October 2021 and in Australia at an unspecified time to gain initial access to systems. The hackers then used a mix of malicious and legitimate tools to carry out the attack, including Mimikatz for credential theft, WinPEAS for privilege escalation, WinRAR for archiving collected data, and FileZilla for transferring files.
The APT group also established new user accounts on domain controllers, servers, workstations, and in Active Directory, some of them deliberately named to resemble existing accounts on the network, officials said. The hackers forced BitLocker activation on host networks to encrypt data, and ransom notes were sent to the victim or left on the network as a .txt file.
Officials encouraged organizations to investigate exposed Microsoft Exchange servers for compromise regardless of patching status (a patch closes the entry point but does not remove web shells or accounts an attacker planted before it was applied), and to look for changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that might have allowed attackers to maintain persistent access. Antivirus logs should be examined for indications the software was unexpectedly turned off, officials said.
The joint cybersecurity advisory also urged organizations to review domain controllers, servers, workstations and Active Directory for new or unrecognized user accounts. Finally, organizations were directed to review Task Scheduler for unrecognized scheduled tasks and to manually inspect operating-system-defined or recognized scheduled tasks for unrecognized actions.
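The three hunts above (look-alike accounts, unexpected scheduled tasks, antivirus switched off) are easy to state and tedious to do by eye, so here is an added example of how a defender might automate them over an exported event log. This is illustrative code written for this article, not tooling from the advisory, CRN, or the agencies; the events are constructed, the key=value export format is a simplification of real Windows event exports, and the baseline account list, homoglyph table and trusted-path prefixes are assumptions a real deployment would tune.

```python
"""Hunt exported Windows events for the advisory's indicators: newly created
accounts that impersonate existing ones, scheduled tasks that launch binaries
from odd locations, and antivirus being switched off.  Added example with
constructed data; not the advisory's own tooling."""
import re
from difflib import SequenceMatcher

# Constructed sample, one event per line in a simplified key=value export.
# Event IDs follow Windows conventions: 4720 = user account created,
# 4698 = scheduled task created, 5001 = Defender real-time protection disabled.
SAMPLE_EVENTS = r"""
2021-10-12T03:16:22Z host=DC01 EventID=4720 TargetUserName=svc_backups SubjectUserName=Administrator
2021-10-12T03:17:01Z host=DC01 EventID=4720 TargetUserName=Adrninistrator SubjectUserName=svc_backups
2021-10-12T03:18:40Z host=DC01 EventID=4720 TargetUserName=helpdesk0 SubjectUserName=svc_backups
2021-10-12T03:20:45Z host=WS07 EventID=4698 TaskName=\Microsoft\Windows\Update\WinUpdate SubjectUserName=svc_backups Command=C:\Users\Public\w.exe
2021-10-12T03:25:00Z host=WS07 EventID=5001 Provider=Microsoft-Windows-Windows-Defender
2021-10-12T04:00:00Z host=WS07 EventID=4698 TaskName=\Microsoft\Windows\Defrag\ScheduledDefrag SubjectUserName=SYSTEM Command=%windir%\system32\defrag.exe
"""

# Assumed pre-incident baseline of legitimate accounts (a tuple so order is stable).
KNOWN_ACCOUNTS = ("Administrator", "svc_backup", "helpdesk", "jsmith")

# Assumed launch-path prefixes a scheduled task is normally allowed to use.
TRUSTED_PREFIXES = ("%windir%", "%systemroot%", "c:\\windows\\", "c:\\program files")

# Visually confusable character groups; both names are folded through this
# table before comparison so "Adrninistrator" collides with "Administrator".
_FOLD = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("|", "l"))

KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn the key=value export into a list of dicts (timestamp under 'time')."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"time": ts}
        ev.update(KV.findall(rest))
        events.append(ev)
    return events


def fold(name):
    """Lower-case a name and collapse confusable characters."""
    n = name.lower()
    for src, dst in _FOLD:
        n = n.replace(src, dst)
    return n


def lookalikes(new_name, known_accounts, threshold=0.85):
    """Return (known_name, reason) for every baseline account the new name imitates."""
    hits = []
    f_new = fold(new_name)
    for known in known_accounts:
        if new_name.lower() == known.lower():
            continue  # same account name, not an impersonation
        f_known = fold(known)
        if f_new == f_known:
            hits.append((known, "homoglyph"))
        elif SequenceMatcher(None, f_new, f_known).ratio() >= threshold:
            hits.append((known, "near-duplicate"))  # e.g. one character appended
    return hits


def suspicious_task(ev):
    """A 4698 task is suspicious when its command runs from outside trusted paths."""
    return not ev.get("Command", "").lower().startswith(TRUSTED_PREFIXES)


def hunt(text, known_accounts):
    """Walk the events in order and collect the indicators the advisory lists."""
    findings = {"lookalike_accounts": [], "created_by_new_account": [],
                "suspicious_tasks": [], "av_disabled_hosts": []}
    new_accounts = set()  # accounts first seen during this window
    for ev in parse_events(text):
        eid = ev.get("EventID")
        if eid == "4720":
            target, creator = ev["TargetUserName"], ev.get("SubjectUserName", "")
            for known, reason in lookalikes(target, known_accounts):
                findings["lookalike_accounts"].append((target, known, reason))
            if creator in new_accounts:  # account chaining: new account creating more
                findings["created_by_new_account"].append((target, creator))
            new_accounts.add(target)
        elif eid == "4698" and suspicious_task(ev):
            findings["suspicious_tasks"].append((ev["host"], ev["TaskName"], ev["Command"]))
        elif eid == "5001":
            findings["av_disabled_hosts"].append(ev["host"])
    return findings


if __name__ == "__main__":
    for category, items in hunt(SAMPLE_EVENTS, KNOWN_ACCOUNTS).items():
        print(category)
        for item in items:
            print("   ", item)
```

Two design points carry over to real data. First, the fold table does the work a human eye does when "Adrninistrator" is mistaken for "Administrator"; exact string comparison against the baseline would miss it entirely. Second, tracking which accounts were created inside the window lets the script flag a chain (a fresh account creating further accounts) rather than judging each 4720 event in isolation, which is how the advisory describes the activity.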
More broadly, officials said organizations not using Fortinet’s FortiOS should blacklist the key artifact files used by FortiOS, so that any attempt to install or run FortiOS and its associated files is blocked. Organizations are also urged to immediately patch software affected by the three Fortinet and one Microsoft vulnerability identified in Wednesday’s joint cybersecurity advisory.