U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

US, UK and Australia warn of Iran-linked APTs exploiting Fortinet, Microsoft Exchange flaws

U.S., U.K. and Australia warn that Iran-linked APT groups exploiting Fortinet and Microsoft Exchange flaws to target critical infrastructure. A joint advisory released by government agencies (the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC)) in the U.S., U.K., and […]

Iran -linked cyber-enabled kinetic targeting

U.S., U.K. and Australia warn that Iran-linked APT groups exploiting Fortinet and Microsoft Exchange flaws to target critical infrastructure.

A joint advisory released by government agencies (the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC)) in the U.S., U.K., and Australia warns that Iran-linked threat actors are exploiting Fortinet and Microsoft Exchange vulnerabilities in attacks aimed at critical infrastructure in the US and Australian organizations.

Threat actors are exploiting Microsoft Exchange ProxyShell vulnerability since October 2021 and Fortinet vulnerabilities since at least March 2021. The state-sponsored hackers targeted organizations in the transportation, healthcare, and public health sectors in the U.S., as well as Australian organizations.

The advisory provides details about tactics and techniques associated with Iran-linked APT groups behind the attacks, as well as indicators of compromise (IOCs). The government agencies urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from
Iranian government-sponsored cyber actors.

In March 2021, Iran-linked APT groups leveraged Fortinet FortiOS vulnerabilities such as CVE-2018-13379, CVE-2019-5591, and CVE-2020-12812 to gain access to target networks.

In May 2021, the Iran-linked threat actors breached the network of a local US municipal government by exploiting vulnerabilities in an unpatched Fortinet VPN. Government experts reported that the threat actors likely created an account with the username “elie” to gain persistence on the network.

In June 2021, the Iranian threat actors exploited a Fortigate appliance to compromise networks of a U.S. hospital specializing in healthcare for children.

Since October 2021, the Iran-linked APT exploited CVE-2021-34473 Microsoft Exchange ProxyShell vulnerability in attacks against US and Australian entities.

Once gained access to the target network, the APT actors likely modified the Task Scheduler to execute malicious payloads and created new accounts on domain controllers, active directories, servers, and workstations to achieve persistence.

The FBI and CISA observed outbound File Transfer Protocol (FTP) transfers over port 443 for data exfiltration

The joint advisory also inlcudes MITRE ATT&CK tactics and techniques, indicators of compromise (IoCs) and mitigation recommendations.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

[adrotate banner=”5″]

[adrotate banner=”13″]