
Cybersecurity Threat Advisory 0077-21: Iranian APT Exploits Fortinet and Exchange Vulnerabilities

Threat Update

Since as early as March 2021, the FBI and CISA have been monitoring an Iranian government APT group that is exploiting a Fortinet vulnerability and, since October 2021, a Microsoft Exchange ProxyShell vulnerability. These vulnerabilities allowed the APT to gain initial access before following up with other tactics, including deploying BitLocker ransomware.

Technical Detail & Additional Information

WHAT IS THE THREAT?

The Iranian APT has been scanning devices on ports 4443, 8443 and 10443 to find hosts running Fortinet FortiOS versions affected by the vulnerability currently tracked as CVE-2018-13379. This vulnerability allows an unauthenticated user to send a specially crafted HTTP request that gives the attacker the ability to download system files from the device.
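The scanning behaviour described above is something a defender can look for at the perimeter. The following is an added example (not code from the original advisory, CISA or Barracuda MSP) that parses constructed key=value firewall log lines and flags any source address that probes two or more of the advisory's three FortiOS SSL-VPN ports within a short window. The log format, the field names and the sample IP addresses are assumptions chosen for the example; adapt the parser to your own firewall's export format.

```python
"""
Flag external sources sweeping the FortiOS SSL-VPN ports named in the
advisory (4443, 8443, 10443) in perimeter firewall logs.
Added example; assumes a simple "timestamp key=value ..." log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the advisory says the actor scans when hunting for CVE-2018-13379 targets
WATCHED_PORTS = {4443, 8443, 10443}

# Constructed sample log lines (documentation-range addresses, not real telemetry)
SAMPLE_LOGS = """\
2021-11-17T09:12:01Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=4443 proto=tcp
2021-11-17T09:12:02Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=8443 proto=tcp
2021-11-17T09:12:03Z action=deny src=203.0.113.7 dst=198.51.100.10 dport=10443 proto=tcp
2021-11-17T09:15:44Z action=allow src=192.0.2.55 dst=198.51.100.10 dport=443 proto=tcp
2021-11-17T09:20:10Z action=deny src=192.0.2.55 dst=198.51.100.10 dport=8443 proto=tcp
2021-11-17T11:40:00Z action=deny src=198.18.0.9 dst=198.51.100.11 dport=4443 proto=tcp
2021-11-17T13:00:00Z action=deny src=198.18.0.9 dst=198.51.100.11 dport=10443 proto=tcp
"""


def parse_line(line):
    """Parse one key=value firewall log line; return None for malformed input."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {}
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        fields[key] = value
    try:
        fields["dport"] = int(fields["dport"])
    except (KeyError, ValueError):
        return None
    fields["ts"] = ts
    return fields


def find_port_sweeps(log_text, window_minutes=10, min_ports=2):
    """
    Return {src: sorted watched ports hit} for every source that touched at
    least `min_ports` distinct watched ports within `window_minutes`.
    Hits on unwatched ports (e.g. 443) are ignored entirely.
    """
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in WATCHED_PORTS:
            continue
        events[rec["src"]].append((rec["ts"], rec["dport"]))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        # Sliding window anchored at each event of this source in turn
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits


if __name__ == "__main__":
    for src, ports in find_port_sweeps(SAMPLE_LOGS).items():
        print(f"possible FortiOS SSL-VPN port sweep from {src}: ports {ports}")
```

With the default 10-minute window only 203.0.113.7 is flagged; 192.0.2.55 touched a single watched port, and 198.18.0.9 spread its two probes over 80 minutes, which a wider window (for example 120 minutes) would catch. Tune the window and threshold to your own traffic profile, and treat a hit as a prompt to confirm that every internet-facing FortiOS device has the CVE-2018-13379 fix applied.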

WHY IS IT NOTEWORTHY?

A state-sponsored APT possesses resources that make it a deeply serious adversary in terms of the number of targets it can attack. Just last June, the same APT actors are reported to have exploited another FortiGate security appliance to infiltrate the environmental control networks linked with a U.S. children's hospital.

WHAT IS THE EXPOSURE OR RISK?

The group has also moved to exploit the Microsoft Exchange ProxyShell vulnerability, which is currently tracked as CVE-2021-34473. ProxyShell involves multiple CVEs chained together, enabling unauthenticated attackers to gain remote code execution and obtain plaintext passwords.

WHAT ARE THE RECOMMENDATIONS?

Barracuda MSP recommends that you immediately patch and update all Microsoft Exchange servers to their latest versions, as well as all Fortinet security appliances on your network. The patches that must be deployed immediately are those addressing the following CVEs: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

REFERENCES

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.