Nation-state hackers with ties to Iran have been exploiting vulnerabilities in Microsoft Exchange, known as ProxyShell, and also Fortinet to break into systems.
Exploitation of these vulnerabilities, observed as early as March 2021, has allowed the APT actors to infect systems with ransomware and more, and the attacks have targeted countries around the world.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement with the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC) to bring attention to this malicious hacking activity.
"The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion."
Iran-backed malicious hacking activity
CISA reports that the cyberattacks have hit a wide range of industries, including critical infrastructure.
A few observations of the activity, as told in CISA's statement, include the following:
- In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591. The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks. Note: for previous FBI and CISA reporting on this activity, refer to Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks.
- In May 2021, these Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. The actors likely created an account with the username elie to further enable malicious activity. Note: for previous FBI reporting on this activity, refer to FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Initial Access for Malicious Activity.
- In June 2021, these APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses 162.55.137[.]20—which FBI and CISA judge are associated with Iranian government cyber activity—to further enable malicious activity against the hospital's network. The APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity.
- As of October 2021, these APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability—CVE-2021-34473—to gain initial access to systems in advance of follow-on operations.
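The observations above give defenders two concrete things to look for in perimeter logs: connections from the two IP addresses the advisory lists, and single-source probing of the Fortinet ports 4443, 8443 and 10443. The script below is an added example, not code from the advisory or from CISA; the firewall log format, the internal 10.0.0.x hosts and the "at least two of the three ports" threshold are all constructed assumptions to adapt to a real log source.

```python
"""Added example (not from the CISA alert): check constructed firewall log
lines for the indicators the alert lists.

Two checks are implemented:
  1. connections whose source is one of the advisory's IP addresses
     (162.55.137[.]20 and 154.16.192[.]70, refanged before matching);
  2. a single source touching several of the Fortinet ports 4443, 8443
     and 10443 on the same destination, the scanning pattern the alert
     describes for the March 2021 activity.
The log line format below is a hypothetical key=value layout, not a
specific vendor's format.
"""
import re
from collections import defaultdict

# Indicators quoted from the alert, kept in defanged form as published.
DEFANGED_IPS = ["162.55.137[.]20", "154.16.192[.]70"]
FORTINET_PORTS = {4443, 8443, 10443}

# Hypothetical log layout: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<word>"
LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 162.55.137[.]20 back into a plain IP."""
    return indicator.replace("[.]", ".")


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def find_indicator_hits(lines):
    """Return (timestamp, src, dst, dport) for each line sourced from a listed IP."""
    watch = {refang(i) for i in DEFANGED_IPS}
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] in watch:
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["dport"]))
    return hits


def find_port_sweeps(lines, min_ports=2):
    """Return {(src, dst): [ports]} for sources that touched at least
    min_ports of the Fortinet ports on one destination.

    The threshold is an assumption; tune it to the local baseline."""
    seen = defaultdict(set)  # (src, dst) -> Fortinet ports touched
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] in FORTINET_PORTS:
            seen[(rec["src"], rec["dst"])].add(rec["dport"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_ports}


# Constructed sample log lines; 10.0.0.x hosts and the 203.0.113.5 /
# 198.51.100.9 sources are documentation addresses, not real observations.
SAMPLE_LOGS = [
    "2021-03-02T10:00:01Z src=203.0.113.5 dst=10.0.0.8 dport=4443 action=deny",
    "2021-03-02T10:00:02Z src=203.0.113.5 dst=10.0.0.8 dport=8443 action=deny",
    "2021-03-02T10:00:03Z src=203.0.113.5 dst=10.0.0.8 dport=10443 action=allow",
    "2021-03-02T10:05:00Z src=198.51.100.9 dst=10.0.0.8 dport=443 action=allow",
    "2021-06-14T08:12:44Z src=162.55.137.20 dst=10.0.0.20 dport=443 action=allow",
    "2021-06-14T08:13:10Z src=154.16.192.70 dst=10.0.0.21 dport=443 action=allow",
    "2021-06-14T08:14:00Z src=198.51.100.9 dst=10.0.0.8 dport=8443 action=allow",
]

if __name__ == "__main__":
    for hit in find_indicator_hits(SAMPLE_LOGS):
        print("indicator hit:", hit)
    for (src, dst), ports in find_port_sweeps(SAMPLE_LOGS).items():
        print(f"port sweep: {src} -> {dst} ports {ports}")
```

On the constructed sample, the two advisory addresses each produce one hit and 203.0.113.5 is reported for sweeping all three Fortinet ports against 10.0.0.8, while 198.51.100.9, which touched only 8443, stays below the threshold. Matching on the advisory's IP addresses is a point-in-time check; the port-sweep logic catches the behaviour regardless of which source address is used.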
For a thorough look at the technical details and mitigation tactics, visit the website at us-cert.cisa.gov/ncas/alerts/aa21-321a.
With 2022 just around the corner, have you planned ahead yet for how your organization can prepare to mitigate risks in the New Year? Join SecureWorld for its last event of 2021 on December 2nd, the West Coast virtual conference.