Iranian hackers have exploited Fortinet and Microsoft Exchange ProxyShell vulnerabilities to gain initial access to systems in advance of follow-on attacks like ransomware, officials from an international cybersecurity effort said.
An advanced persistent threat (APT) group associated with the government of Iran has been capitalising on the Fortinet flaws since at least March and the Microsoft flaw since at least October, according to the joint cybersecurity advisory from the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre, and the United Kingdom’s National Cyber Security Centre.
“Since at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities,” officials wrote in a 10-page advisory issued Wednesday.
Neither Fortinet nor Microsoft immediately responded to CRN US requests for comment.
The APT group has targeted Australian organisations as well as US transportation, healthcare and public health sectors, though officials said the hackers are more focused on exploiting known vulnerabilities than targeting specific sectors.
Access gained via Microsoft or Fortinet can be leveraged for follow-on operations like data exfiltration, data encryption, ransomware, or extortion.
Iranian hackers were observed in March scanning devices and ports for three different Fortinet FortiOS vulnerabilities, which officials said were likely exploited to gain access to vulnerable networks. Then in May, officials said the APT group exploited a FortiGate firewall to access a webserver hosting the domain for a US municipal government, creating an account to further enable malicious activity.
In June, officials said the hackers took advantage of a FortiGate firewall to access environmental control networks associated with a US-based hospital specialising in healthcare for children.
According to the joint cybersecurity advisory, the APT group likely leveraged a server associated with the Iranian government to enable further malicious activity against the hospital’s network.
Meanwhile, the Microsoft Exchange ProxyShell vulnerability was leveraged in the US in October 2021 and in Australia at an unspecified time to gain initial access to systems. The hackers used a combination of tools to carry out the attack, including Mimikatz for credential theft, WinPEAS for privilege escalation, WinRAR for archiving collected data, and FileZilla for transferring files.
The APT group also established new user accounts on domain controllers, servers, workstations, and in Active Directory, some of which were intentionally named to look similar to existing accounts on the network, officials said. Hackers forced BitLocker activation on host networks to encrypt data, and threatening notes with ransom demands were sent to the victim or left on their network as a .txt file.
Officials encouraged organisations to investigate exposed Microsoft Exchange servers for compromise regardless of patching status, and to probe changes to remote desktop protocol, firewall, and Windows remote management configurations that might have allowed attackers to maintain persistent access. Antivirus logs should be examined for indications that antivirus software was unexpectedly turned off, officials said.
The joint cybersecurity advisory also urged organisations to review domain controllers, servers, workstations and Active Directory for new or unrecognised user accounts. Finally, organisations were directed to review the Task Scheduler for unrecognised scheduled tasks, and to manually review the actions of operating-system-defined or otherwise recognised scheduled tasks for anything unexpected.
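The review steps above (new or look-alike accounts, unrecognised scheduled tasks, antivirus switched off, changes to remote access configuration) can be swept in one pass on a Windows host. The script below is an added example written for this page; it is not code from the advisory, the agencies or CRN. It assumes it runs elevated on a domain-joined Windows machine, treats the RSAT ActiveDirectory module as optional, and uses an arbitrary 30-day window; the Security event 4720 property indices and the Defender event IDs are standard Windows values.

```powershell
# Hunting sweep over the artefacts named in the joint advisory.
# Added example, not from the advisory or the article. Assumptions: run as an
# administrator on a domain-joined Windows host; the ActiveDirectory module is
# optional; $LookbackDays is an arbitrary tuning value.
param([int]$LookbackDays = 30)

$since = (Get-Date).AddDays(-$LookbackDays)

# Levenshtein distance: flags new account names that sit one or two edits away
# from an older account (a swapped letter, an appended digit, and so on).
function Get-EditDistance([string]$a, [string]$b) {
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $prev = [int[]](0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = [int[]]::new($b.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Get-NewAccountEvents {
    # Security event 4720 = "A user account was created". Property indices follow
    # the 4720 schema: 0 = TargetUserName (new account), 4 = SubjectUserName (creator).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                NewAccount = [string]$_.Properties[0].Value
                CreatedBy  = [string]$_.Properties[4].Value
            }
        }
}

function Get-LookAlikeAccounts($newAccounts) {
    # Compare each newly created name with every existing local (and, if
    # available, domain) account. Get-ADUser -Filter * is expensive on large domains.
    $existing = @(Get-LocalUser | Select-Object -ExpandProperty Name)
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        $existing += Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName
    }
    foreach ($n in $newAccounts) {
        foreach ($e in $existing) {
            if ($e -ieq $n.NewAccount) { continue }
            $d = Get-EditDistance $n.NewAccount $e
            if ($d -le 2) {
                [pscustomobject]@{ NewAccount = $n.NewAccount; Resembles = $e; EditDistance = $d; Created = $n.Time }
            }
        }
    }
}

function Get-NonMicrosoftTasks {
    # Tasks outside the \Microsoft\ tree, with the command each action actually runs.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Author    = $task.Author
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
}

function Get-DefenderDisabledEvents {
    # Defender operational log: 5001 real-time protection disabled,
    # 5010 antispyware protection disabled, 5012 antivirus protection disabled.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5010, 5012; StartTime = $since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

function Get-RemoteAccessPosture {
    # Current RDP switch, WinRM service state, and which volumes BitLocker protects.
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled   = ($rdp.fDenyTSConnections -eq 0)
        WinRmService = (Get-Service WinRM -ErrorAction SilentlyContinue).Status
        BitLockerOn  = @(Get-BitLockerVolume -ErrorAction SilentlyContinue | Where-Object ProtectionStatus -eq 'On' | ForEach-Object MountPoint) -join ','
    }
}

$newAccounts = @(Get-NewAccountEvents)
"== Accounts created since $since (Security event 4720) =="; $newAccounts | Format-Table -AutoSize
"== New accounts resembling existing ones =="; Get-LookAlikeAccounts $newAccounts | Format-Table -AutoSize
"== Scheduled tasks outside \Microsoft\ =="; Get-NonMicrosoftTasks | Format-Table -AutoSize
"== Defender protection disabled events =="; Get-DefenderDisabledEvents | Format-Table -AutoSize
"== RDP / WinRM / BitLocker posture =="; Get-RemoteAccessPosture | Format-List
```

Run it per host (or wrap it in Invoke-Command for a fleet) and compare the output against a known-good baseline: the point is not that a non-Microsoft task or a new account is malicious, but that each one should be explainable. The edit-distance check targets the look-alike naming the advisory describes and needs the full account list, so on a large domain the 4720 events from the domain controllers are the better first pass.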
More broadly, officials said organisations not using Fortinet’s FortiOS should blacklist the key artifact files used by FortiOS to ensure that any attempts to install or run FortiOS and its associated files are prevented. Businesses are also urged to immediately patch software affected by the three Fortinet vulnerabilities and the one Microsoft vulnerability identified in Wednesday’s joint cybersecurity advisory.