Fortinet and Microsoft Exchange N-day vulnerabilities are still being heavily exploited by Iranian APTs, cyber security agencies of the United States, Britain and Australia warn in a joint alert

On the morning of November 17, 2021 (ET), a joint advisory from U.S., U.K., and Australian government agencies warned that Iranian government-sponsored threat actors are exploiting Fortinet and Microsoft Exchange vulnerabilities to attack critical infrastructure organizations in the U.S. and Australia. The joint cybersecurity advisory is the product of collaborative analysis by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC) and the UK National Cyber Security Centre (NCSC).

The actors have been observed exploiting Fortinet vulnerabilities since at least March 2021 and, since at least October 2021, the Microsoft Exchange ProxyShell vulnerability for initial access.

According to the advisory, the targets have included organizations in the transportation sector and the healthcare and public health sector in the U.S. and Australia.

In March 2021, Iranian government-sponsored APT actors were observed targeting known FortiOS vulnerabilities, including CVE-2018-13379 (an SSL VPN path traversal that exposes session credentials), CVE-2019-5591 (a default-configuration flaw that lets an attacker on the same subnet impersonate the LDAP server) and CVE-2020-12812 (an SSL VPN two-factor authentication bypass), to gain access to vulnerable networks. All three had vendor patches available long before the activity began.

In May 2021, the same actors exploited a Fortigate appliance to gain access to a web server hosting the domain of a U.S. municipal government, and created an account named "elie" to maintain access to the system.

In June 2021, the actors exploited a Fortigate appliance to access networks associated with a U.S. hospital specializing in children's healthcare. IP addresses that the FBI and CISA associate with Iranian government cyber activity were used to further the malicious activity against the hospital's network.

Since October 2021, Iranian government-sponsored actors have exploited the Microsoft Exchange ProxyShell vulnerability CVE-2021-34473 to gain initial access to target environments. The ACSC assesses that the same vulnerability was used by the group against Australian organizations. ProxyShell is the name given to a chain of three Exchange Server vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207), with CVE-2021-34473 as the entry point. Microsoft released patches for them in April and May 2021, months before in-the-wild exploitation was observed, so these attacks relied on unpatched servers rather than zero-days.
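To show what the two initial-access techniques above look like on the wire, here is an added example (not code from the advisory or from this article) that scans web-server access log lines for the public request shapes of the Fortinet CVE-2018-13379 path traversal and the ProxyShell Autodiscover path confusion. The log format, client addresses and request lines are constructed for illustration, and the two patterns are signatures for the known proof-of-concept shapes, not a substitute for patching.

```python
"""Flag access-log requests matching CVE-2018-13379 and ProxyShell PoC shapes.

Added example, not part of the advisory. The combined-log-format line layout
and the sample lines below are constructed; real FortiGate and IIS logs use
their own layouts, so adapt LINE_RE before pointing this at them.
"""
import re
from urllib.parse import unquote

# Combined log format: client - - [time] "METHOD URL HTTP/x" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Signature 1: CVE-2018-13379. The public PoC reads the SSL VPN session file
# (sslvpn_websession) through a path traversal in the "lang" parameter of
# /remote/fdssoservice.
FORTI_TRAVERSAL = re.compile(
    r"/remote/fdssoservice\?lang=(?:.*\.\./|.*sslvpn_websession)", re.I)

# Signature 2: ProxyShell (CVE-2021-34473). An '@' inside the Autodiscover URL
# makes the Exchange front end treat the text before it as an e-mail address,
# drop the /autodiscover prefix and forward the rest of the path to an internal
# back end such as /mapi/nspi, /powershell or /ews.
PROXYSHELL = re.compile(
    r"/autodiscover/autodiscover\.json\?@\S*?/(?:mapi|powershell|ews)\b", re.I)

RULES = [
    ("CVE-2018-13379 FortiOS SSL VPN path traversal", FORTI_TRAVERSAL),
    ("ProxyShell Autodiscover path confusion", PROXYSHELL),
]


def scan_requests(lines):
    """Return [(rule_name, client_ip, decoded_url)] for every matching request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        client, _ts, _method, url, _status = m.groups()
        # Decode once so percent-encoded traversal (..%2F, %3F) is matched too.
        decoded = unquote(url)
        for name, pattern in RULES:
            if pattern.search(decoded):
                hits.append((name, client, decoded))
    return hits


# Constructed sample lines (not real telemetry); addresses are RFC 5737 ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2021:08:14:02 +0000] "GET /remote/fdssoservice?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 1843',
    '198.51.100.9 - - [10/Mar/2021:08:14:05 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 5120',
    '203.0.113.7 - - [04/Oct/2021:21:07:11 +0000] "POST /autodiscover/autodiscover.json?@example.org/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@example.org HTTP/1.1" 200 311',
    '198.51.100.9 - - [04/Oct/2021:21:07:13 +0000] "POST /autodiscover/autodiscover.json HTTP/1.1" 401 0',
    '192.0.2.5 - - [04/Oct/2021:21:08:44 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 9021',
]

if __name__ == "__main__":
    for rule, client, url in scan_requests(SAMPLE_LOG):
        print(f"{client}  {rule}\n    {url}")
```

Two caveats when using something like this for real: the URL is decoded only once, so a double-encoded variant would slip past (decode in a loop until stable if that matters in your environment), and a 200 response to the traversal request means the session file was actually served, which should be treated as a confirmed credential exposure rather than a mere attempt.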

After gaining initial access, the actors have been observed modifying Task Scheduler tasks to execute payloads and creating new user accounts on domain controllers, servers, workstations and in Active Directory to maintain persistence.

Once inside, the actors used a range of tools: Mimikatz for credential theft, WinPEAS for privilege escalation, WinRAR for archiving data, FileZilla for file transfer, and SharpWMI, a C# tool for remote execution over Windows Management Instrumentation.
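The host-side trail that these persistence and tooling steps leave can be pulled from the Windows Security event log. The following is an added example, not from the advisory or from this article, that triages constructed event records (account creation 4720, scheduled task creation or modification 4698/4702, process creation 4688) for the activity described above and flags hosts on which more than one category of activity appears within a time window. The hostnames, timestamps, paths and field layout are made up; the only account name taken from the advisory is "elie".

```python
"""Correlate Windows Security events for the post-exploitation activity above.

Added example, not code from the advisory. Event records are constructed dicts
carrying the fields of interest from events 4720, 4698/4702 and 4688; a real
pipeline would read them from Get-WinEvent or a SIEM export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tools named in the advisory summary, mapped to the purpose they served.
# WinRAR and FileZilla are ordinary software, so on their own they are weak
# signals; they only matter here when correlated with something else.
TOOL_CATEGORIES = {
    "mimikatz": "credential-access",
    "winpeas": "privilege-escalation",
    "sharpwmi": "lateral-movement",
    "winrar": "collection",
    "filezilla": "exfiltration",
}
# Account name the advisory reports the actors created (May 2021 incident).
KNOWN_ACTOR_ACCOUNTS = {"elie"}


def classify(event):
    """Return (category, detail) when a single event is worth a look, else None."""
    eid = event["EventID"]
    if eid == 4720:  # user account created
        name = event["TargetUserName"]
        kind = "known actor account" if name.lower() in KNOWN_ACTOR_ACCOUNTS else "new account"
        return "persistence", f"{kind} {name!r} created by {event.get('SubjectUserName', '?')}"
    if eid in (4698, 4702):  # scheduled task created (4698) or updated (4702)
        verb = "created" if eid == 4698 else "modified"
        return "persistence", f"scheduled task {verb}: {event['TaskName']}"
    if eid == 4688:  # process created; needs command-line auditing enabled
        haystack = f"{event.get('NewProcessName', '')} {event.get('CommandLine', '')}".lower()
        for tool, category in TOOL_CATEGORIES.items():
            if tool in haystack:
                return category, f"{tool} executed: {event.get('CommandLine') or event['NewProcessName']}"
    return None


def correlate(events, window=timedelta(hours=24)):
    """Map host -> findings for hosts showing >= 2 distinct categories within `window`."""
    per_host = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            per_host[ev["Computer"]].append((datetime.fromisoformat(ev["TimeCreated"]), *hit))
    flagged = {}
    for host, findings in per_host.items():
        findings.sort()  # chronological, so each window starts at a finding
        for i, (t0, _, _) in enumerate(findings):
            cats = {cat for t, cat, _ in findings[i:] if t - t0 <= window}
            if len(cats) >= 2:
                flagged[host] = [f"{cat}: {detail}" for _, cat, detail in findings]
                break
    return flagged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4720, "Computer": "DC01", "TimeCreated": "2021-10-05T02:11:09",
     "TargetUserName": "elie", "SubjectUserName": "svc_backup"},
    {"EventID": 4688, "Computer": "DC01", "TimeCreated": "2021-10-05T02:18:40",
     "NewProcessName": "C:\\Users\\Public\\mimikatz.exe",
     "CommandLine": "mimikatz.exe privilege::debug sekurlsa::logonpasswords"},
    {"EventID": 4688, "Computer": "DC01", "TimeCreated": "2021-10-05T02:20:01",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 4702, "Computer": "SRV02", "TimeCreated": "2021-10-06T01:02:03",
     "TaskName": "\\Microsoft\\Windows\\Maintenance\\WinSAT"},
    {"EventID": 4688, "Computer": "WS17", "TimeCreated": "2021-10-06T09:30:00",
     "NewProcessName": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe", "CommandLine": ""},
]

if __name__ == "__main__":
    for host, findings in correlate(SAMPLE_EVENTS).items():
        print(host)
        for f in findings:
            print("   ", f)
```

Events 4688, 4698 and 4702 only appear if the corresponding advanced audit policies (and command-line logging for 4688) are enabled, and matching on tool names will miss a renamed Mimikatz binary; pairing the name check with the command-line arguments (as the sample does with `sekurlsa::logonpasswords`) or with hashes from the advisory's IOC list makes it more robust. The lone task modification on SRV02 is deliberately not flagged by the correlation, which is why single findings should still be reviewed by hand.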

According to Microsoft's latest tracking research, Iranian state-backed groups are increasingly turning to ransomware. Since September 2020, Microsoft has observed a wave of ransomware attacks from these actors every six to eight weeks on average. Russia is usually seen as home to the largest criminal ransomware threat, but state-backed actors from North Korea and Iran have shown growing interest in ransomware as well. According to Microsoft, APT35 (tracked by Microsoft as Phosphorus) also targets unpatched on-premises Exchange servers and Fortinet FortiOS SSL VPNs to deploy ransomware. Other security firms reported an increase last year in incidents in which Iranian state-backed actors used known Microsoft Exchange vulnerabilities to install persistent web shells on mail servers and deploy Thanos ransomware. CrowdStrike's research indicates that Iranian groups have recognized ransomware as a capability that can inflict serious damage on victims at low cost.

In the joint advisory, the FBI, CISA, ACSC and NCSC urge organizations to immediately patch the targeted vulnerabilities, evaluate and update blocklists and allowlists, implement and test data backup procedures, segment their networks, tighten user account management, enforce multi-factor authentication and strong passwords, secure RDP and other remote access, keep antivirus software current, and so on. The advisory also provides indicators of compromise (IOCs) to help detect existing compromises, along with a range of mitigations to harden networks against attack.
