Cybersecurity agencies from Australia, the United Kingdom, and the United States issued a joint advisory warning of Iranian state-sponsored actors actively exploiting Fortinet and Microsoft Exchange ProxyShell vulnerabilities to gain initial access to vulnerable systems for follow-on activities such as data exfiltration and ransomware.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Federal Police, the threat actor is believed to have exploited multiple Fortinet FortiOS vulnerabilities dating back to March 2021, as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021.
In May 2021, CISA and the FBI observed the adversary abusing a Fortigate appliance to gain a foothold on a web server hosting the domain for a US local government, in addition to exploiting the ProxyShell vulnerability to obtain access to vulnerable networks. The APT actors “used a Fortigate appliance to gain access to environmental control networks affiliated with a U.S.-based hospital specialising in paediatric healthcare the following month,” according to the advisory.
This is the second time the US government has issued a warning on advanced persistent threat groups targeting Fortinet FortiOS servers by exploiting CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to attack government and commercial systems.
As mitigations, the agencies recommend that organizations immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as soon as updates are released.