Microsoft Exchange and Fortinet Vulnerabilities Exploited by Iranian APT

An APT assault generally involves a group of highly competent hackers with very specific targets and a “slow and steady” approach to planning and executing their crimes.
As Elena mentioned, APT (advanced persistent threat) refers to long-term, multi-staged hacks that are typically orchestrated by highly well-organized criminal networks or even nation-state groups. The term was first used to describe the groups responsible for these attacks, but it has now evolved to refer to the threat actors’ offensive strategies.

For months, a state-backed Iranian threat actor has been utilizing various CVEs to establish a foothold within networks before moving laterally and unleashing BitLocker ransomware, and other malicious tools including both critical Fortinet vulnerabilities and a Microsoft Exchange ProxyShell flaw.

The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre all tracked the ongoing, hostile cyber assault, according to a joint advisory released by CISA on Wednesday (NCSC).

What Happened?

All security agencies have linked the attacks to an advanced persistent threat (APT) supported by the Iranian government (APT).

As reported by Threatpost, since March 2021, the Iranian APT has been abusing Fortinet vulnerabilities and a Microsoft Exchange ProxyShell weakness. The flaws allow hackers to get early access to systems, allowing them to launch ransomware, data exfiltration or encryption, and extortion operations.

The Iran-linked Phosphorous organization – also known as Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef, and Newscaster – has been detected targeting the Exchange and Fortinet flaws internationally “with the purpose of spreading ransomware on susceptible networks,” according to MSTIC.

These threat actors aren’t targeting specific sectors, as they are apparently focusing on exploiting those irresistible Fortinet and Exchange vulnerabilities.

This joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.

The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.

Source

It appears that Iranian APT actors have been scanning devices on ports 443, 8443, and 10443 for CVE-2018-13379, a path-traversal flaw in Fortinet FortiOS that allows an unauthenticated attacker to retrieve system files via specially crafted HTTP resource requests.

Dora Tudor

Cyber Security Enthusiast

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.