U.S., U.K., and Australian cybersecurity agencies are warning that hackers associated with Iran have exploited vulnerabilities in Fortinet and Microsoft products to carry out attacks. Officials urged in a recent advisory that critical infrastructure organizations patch these vulnerabilities to mitigate against possible attacks.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have observed these malicious actors, since at least March 2021, leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors.
“The actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored [advanced persistent threat (APT) groups] can leverage this access for…data exfiltration or encryption, ransomware, and extortion,” the advisory says.
The joint advisory provides observed tactics, techniques, and indicators of compromise that are likely associated with this Iranian government-sponsored APT activity.
For example, the FBI and CISA found that the hackers have exploited the Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems. And in May 2021, hackers exploited a FortiGate appliance to access a web server hosting the domain for a U.S. municipal government.
In addition, the joint advisory urges organizations to review domain controllers, servers, workstations, and Active Directory for new or unrecognized accounts. It also directs them to manually and extensively review operating systems for abnormal activity.
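As an added example (not code from the advisory or this article), the following PowerShell account review covers the three places the advisory points to: Active Directory, local accounts on servers and workstations, and the Security event log. The 30-day lookback window and the presence of the ActiveDirectory RSAT module on the host running the domain query are assumptions.

```powershell
# Added example, not part of the advisory or this article. Assumes the
# ActiveDirectory RSAT module where the domain query runs; the local-account
# and event-log checks run on each server or workstation under review.
$Since = (Get-Date).AddDays(-30)   # assumed lookback window

# 1. Domain accounts created recently: review any you do not recognise.
Import-Module ActiveDirectory
Get-ADUser -Filter { whenCreated -ge $Since } -Properties whenCreated, LastLogonDate, Description |
    Select-Object SamAccountName, whenCreated, LastLogonDate, Enabled, Description |
    Sort-Object whenCreated -Descending

# 2. Local accounts on this host. Local accounts carry no creation timestamp,
#    so list them all and compare against the expected baseline for the host.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description

# 3. Security log: who created which account. Event ID 4720 = user account
#    created, 4732 = member added to a local group. Needs an elevated prompt.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields from the event XML rather than
        # relying on positional Properties indexes.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Target    = $d['TargetUserName']    # 4720: the new account; 4732: the group
            Member    = $d['MemberSid']         # 4732 only: the SID that was added
            CreatedBy = $d['SubjectUserName']   # the account that made the change
        }
    } | Format-Table -AutoSize
```

Anything the script lists that does not match a documented change request or a known provisioning process should be treated as a finding and investigated before it is removed.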
Prior to the joint advisory, CISA released a catalog of hundreds of known actively exploited vulnerabilities, including those associated with Fortinet and Microsoft, with deadlines for patching them. The due date for patching the Microsoft vulnerabilities was Nov. 17, but for Fortinet the deadline is not until May 2022.