US, UK and Australia criticize Iran for exploiting Fortinet and Exchange flaws

Authorities in the US, UK, and Australia have asked administrators to immediately fix four vulnerabilities, CVE-2021-34473, CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379, after attacks exploiting them were attributed to Iranian government-backed cyber attackers.

“The FBI and CISA have observed that this Iranian government-backed APT group has been exploiting Fortinet vulnerabilities since at least March 2021, as well as a Microsoft Exchange ProxyShell vulnerability since October 2021, to gain initial access to systems before follow-up operations, including the deployment of ransomware,” says a joint press release.

“The Australian Cyber Security Centre is also aware that this APT group used the same Microsoft Exchange vulnerability in Australia.”

Fortinet and Exchange vulnerabilities

Rather than targeting a particular sector of the economy, authorities believe the attackers are simply exploiting these vulnerabilities wherever they find them. Once inside, they try to turn that initial access into data exfiltration, a ransomware attack, or extortion.

After using the Fortinet and Exchange vulnerabilities for access, the attackers added tasks to the Windows Task Scheduler and created new accounts on domain controllers and other systems, named to resemble existing accounts, in order to maintain access. They then enabled BitLocker, left a ransom note, and exfiltrated data over FTP.
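Two of the persistence behaviours described above, look-alike account creation and scheduled tasks registered by those new accounts, leave a trail in Windows Security auditing (event 4720 for account creation, 4698 for task creation). The script below is an added detection example written for this article; it is not code from the advisory or from any vendor. The log lines, the account directory, the simplified key=value event format, and the look-alike heuristics (homoglyph folding, typical twin suffixes such as `_admin`, and an edit-similarity threshold) are all constructed assumptions for the example.

```python
"""Detection logic for two of the persistence behaviours described above:
accounts created with names that mimic existing accounts, and scheduled
tasks registered by such freshly created accounts.  All input data is
constructed for the example; it is not taken from any real environment."""
import difflib
import re

# Constructed directory of accounts that already legitimately exist.
EXISTING_ACCOUNTS = {"jdoe", "admin_jdoe", "jsmith", "marketing", "svc_sql"}

# Constructed, simplified Windows Security events in key=value form.
# event_id 4720 = a user account was created; 4698 = a scheduled task was created.
SAMPLE_LOG = r"""
2021-11-17T02:14:05Z host=DC01 event_id=4720 subject=admin_jdoe target=jdoe_admin
2021-11-17T02:15:40Z host=DC01 event_id=4720 subject=admin_jdoe target=svc_backup
2021-11-17T02:16:12Z host=WS07 event_id=4698 subject=jdoe_admin task=\Microsoft\Windows\UpdateOrchestrator\Updater
2021-11-17T02:20:01Z host=DC01 event_id=4720 subject=jsmith target=rnarketing
2021-11-17T02:25:33Z host=WS07 event_id=4698 subject=jsmith task=\Backup\Nightly
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event_id=(?P<eid>\d+)\s*(?P<rest>.*)$")
# Suffixes commonly appended to an existing name to produce a "twin" account (assumed list).
TWIN_SUFFIX_RE = re.compile(r"[-_]?(admin|adm|svc|bak|old|new|\d+)$")


def parse_line(line):
    """Turn one key=value log line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"], "event_id": int(m["eid"])}
    for kv in m["rest"].split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def normalise(name):
    """Fold common look-alike substitutions so 'rnarketing' compares equal to 'marketing'."""
    name = name.lower()
    for src, dst in (("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w")):
        name = name.replace(src, dst)
    return name


def lookalike_of(candidate, existing, threshold=0.8):
    """Return the existing account that a new account name resembles, or None.

    Three checks, in order: homoglyph-folded equality, an existing name with a
    typical suffix appended, and an overall edit-similarity ratio above `threshold`.
    """
    if candidate in existing:
        return None
    stripped = TWIN_SUFFIX_RE.sub("", candidate.lower())
    best, best_ratio = None, 0.0
    for known in sorted(existing):  # sorted so results are deterministic
        if normalise(candidate) == normalise(known):
            return known
        if stripped and stripped == known.lower():
            return known
        ratio = difflib.SequenceMatcher(None, candidate.lower(), known.lower()).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best if best_ratio >= threshold else None


def find_persistence_indicators(log_text, existing=EXISTING_ACCOUNTS):
    """Scan a log window and return (timestamp, host, indicator, detail) tuples.

    Account creations are checked for look-alike names; scheduled-task creations
    are flagged when the creating account was itself created earlier in the same
    window, which is the chaining the advisory describes.
    """
    findings = []
    new_accounts = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event_id"] == 4720:
            new_accounts.add(ev["target"])
            twin = lookalike_of(ev["target"], existing)
            if twin:
                findings.append((ev["ts"], ev["host"], "lookalike-account",
                                 f"{ev['target']} resembles existing account {twin}"))
        elif ev["event_id"] == 4698 and ev.get("subject") in new_accounts:
            findings.append((ev["ts"], ev["host"], "task-by-new-account",
                             f"{ev['subject']} registered task {ev.get('task')}"))
    return findings


if __name__ == "__main__":
    for finding in find_persistence_indicators(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

On the constructed sample, the scan flags `jdoe_admin` (twin of `jdoe`), the task that `jdoe_admin` registered minutes later, and `rnarketing` (homoglyph of `marketing`), while the ordinary `svc_backup` account and the task created by the long-standing `jsmith` account pass silently. In production the same logic would read events from the Security log rather than a string, and the directory of known accounts would come from Active Directory.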

In April, the FBI and CISA issued warnings about actively exploited vulnerabilities in Fortinet equipment, and in July authorities placed Fortinet flaws among the top 30 most exploited vulnerabilities.

Separately, on Wednesday, Microsoft issued its own warning about six Iranian groups that used vulnerabilities in the same products to distribute ransomware. The Exchange vulnerabilities cited, known as ProxyShell, were initially exploited by Beijing-backed hackers.

Dennis Alvarado