US, UK and Australia warn of Iran-linked APTs exploiting Fortinet, Microsoft Exchange flaws

U.S., U.K. and Australia warn that Iran-linked APT groups exploiting Fortinet and Microsoft Exchange flaws to target critical infrastructure.

A joint advisory released by government agencies (the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC)) in the U.S., U.K., and Australia warns that Iran-linked threat actors are exploiting Fortinet and Microsoft Exchange vulnerabilities in attacks aimed at critical infrastructure in the US and Australian organizations.

Threat actors are exploiting Microsoft Exchange ProxyShell vulnerability since October 2021 and Fortinet vulnerabilities since at least March 2021. The state-sponsored hackers targeted organizations in the transportation, healthcare, and public health sectors in the U.S., as well as Australian organizations.

The advisory provides details about tactics and techniques associated with Iran-linked APT groups behind the attacks, as well as indicators of compromise (IOCs). The government agencies urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from
Iranian government-sponsored cyber actors.

In March 2021, Iran-linked APT groups leveraged Fortinet FortiOS vulnerabilities such as CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812 to gain access to target networks.

In May 2021, the Iran-linked threat actors breached the network of a local US municipal government by exploiting vulnerabilities in an unpatched Fortinet VPN. Government experts reported that the threat actors likely created an account with the username “elie” to gain persistence on the network.

In June 2021, the Iranian threat actors exploited a Fortigate appliance to compromise networks of a U.S. hospital specializing in healthcare for children.

Since October 2021, the Iran-linked APT exploited CVE-2021-34473 Microsoft Exchange ProxyShell vulnerability in attacks against US and Australian entities.

Once gained access to the target network, the APT actors likely modified the Task Scheduler to execute malicious payloads and created new accounts on domain controllers, active directories, servers, and workstations to achieve persistence.

The FBI and CISA observed outbound File Transfer Protocol (FTP) transfers over port 443 for data exfiltration

The joint advisory also inlcudes MITRE ATT&CK tactics and techniques, indicators of compromise (IoCs) and mitigation recommendations.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

[adrotate banner=”5″]

[adrotate banner=”13″]