The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) jointly released a cybersecurity advisory cautioning about active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by state-sponsored actors.
The malicious activity is believed to be the work of an Iranian state-sponsored advanced persistent threat (APT) group. The APT actors have exploited Fortinet FortiOS vulnerabilities since March 2021 and, since October 2021, a remote code execution flaw affecting Microsoft Exchange Servers (ProxyShell) to gain initial access to systems and deploy ransomware. According to the advisory, the ACSC is also aware that this APT group has used the same Microsoft Exchange vulnerability in Australia.
The #FBI, @CISAgov, @CyberGovAU, and @NCSC warn of Iranian government-sponsored advanced persistent threat (APT) actors using #Microsoft and #Fortinet vulnerabilities to target U.S. critical infrastructure, including hospitals. Visit https://t.co/CZCe8yyAbg to read our alert.
— FBI (@FBI) November 17, 2021
“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” the advisory states.
The Attack
The advisory lists the malicious tools used, with the MITRE ATT&CK tactic and technique IDs they map to:
- Mimikatz for credential theft [TA0006]
- WinPEAS for privilege escalation [TA0004]
- SharpWMI (Windows Management Instrumentation)
- WinRAR for archiving collected data [TA0009, T1560.001]
- FileZilla for transferring files [TA0010]
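The tool list above is useful to defenders mainly as detection input: if the same sequence of tools (credential theft, then archiving, then file transfer) shows up on one host, that host deserves an incident response look. The following Python is an added example, not code from the advisory or the agencies that issued it. It tags process-creation events with the ATT&CK IDs the article lists and flags hosts that show both the early (TA0004/TA0006) and late (TA0009/TA0010) stages. The regexes are an assumption: they match the tools' customary executable names, not indicators published in the advisory, and the Sysmon-like JSON events are constructed sample data.

```python
import json
import re

# Tools named in the joint advisory with the ATT&CK tactic/technique IDs the
# article lists beside them. The regexes are an assumption for this example:
# they match the tools' customary executable names, not indicators from the advisory.
TOOL_SIGNATURES = {
    "Mimikatz":  (["TA0006"],              re.compile(r"mimikatz", re.I)),
    "WinPEAS":   (["TA0004"],              re.compile(r"winpeas", re.I)),
    "SharpWMI":  ([],                      re.compile(r"sharpwmi", re.I)),
    "WinRAR":    (["TA0009", "T1560.001"], re.compile(r"(?:^|\\)(?:winrar|rar)\.exe\b", re.I)),
    "FileZilla": (["TA0010"],              re.compile(r"filezilla", re.I)),
}

# Constructed process-creation events in a Sysmon-like JSON shape (hypothetical data,
# not real telemetry). Hosts, users and paths are made up for the example.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "WS01",  "user": "CORP\\alice", "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"host": "WS01",  "user": "CORP\\alice", "Image": "C:\\Users\\Public\\mimikatz.exe",
     "CommandLine": "mimikatz.exe"},
    {"host": "WS01",  "user": "CORP\\alice", "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "CommandLine": "WinRAR.exe a -r C:\\Temp\\hr.rar C:\\Shares\\HR"},
    {"host": "WS01",  "user": "CORP\\alice", "Image": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe",
     "CommandLine": "filezilla.exe"},
    {"host": "SRV02", "user": "CORP\\svc",   "Image": "C:\\Tools\\winPEASx64.exe",
     "CommandLine": "winPEASx64.exe quiet"},
    {"host": "SRV02", "user": "CORP\\svc",   "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
]]


def classify_event(raw_line):
    """Return (tool, tactics) if the event's image or command line matches a listed tool, else None."""
    try:
        event = json.loads(raw_line)
    except json.JSONDecodeError:
        return None  # malformed line: skip it rather than crash the pipeline
    haystack = f"{event.get('Image', '')} {event.get('CommandLine', '')}"
    for tool, (tactics, pattern) in TOOL_SIGNATURES.items():
        if pattern.search(haystack):
            return tool, tactics
    return None


def scan_events(lines):
    """Return one finding per matching event: host, user, tool and the tactic IDs from the advisory."""
    findings = []
    for line in lines:
        hit = classify_event(line)
        if hit is None:
            continue
        event = json.loads(line)
        tool, tactics = hit
        findings.append({"host": event.get("host"), "user": event.get("user"),
                         "tool": tool, "tactics": tactics})
    return findings


def hosts_with_intrusion_chain(findings):
    """Hosts where both an early-stage tool (privilege escalation TA0004 or credential
    access TA0006) and a late-stage tool (collection TA0009 or exfiltration TA0010)
    were observed: the sequence the advisory describes."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).update(f["tactics"])
    early = {"TA0004", "TA0006"}
    late = {"TA0009", "TA0010"}
    return sorted(h for h, t in by_host.items() if t & early and t & late)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        ids = ", ".join(f["tactics"]) or "no tactic listed"
        print(f"{f['host']}: {f['tool']} run by {f['user']} -> {ids}")
    print("hosts showing the full chain:", hosts_with_intrusion_chain(found))
```

Matching on executable names is deliberately the cheapest possible rule; renamed binaries defeat it, which is why the per-host chain check matters more than any single hit. In a real pipeline the same `scan_events` logic would read from an EDR or SIEM export instead of `SAMPLE_EVENTS`.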
Mitigations
The FBI, CISA, ACSC, and NCSC suggest the following mitigations to reduce the risk of compromise by this threat.
- Patch and Update Systems – Immediately patch software affected by vulnerabilities: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
- Evaluate and Update Blocklists and Allowlists
- Implement and Enforce Backup and Restoration Policies and Procedures
- Implement Network Segmentation
- Secure User Accounts
- Implement Multi-Factor Authentication
- Use Strong Passwords
- Secure and Monitor RDP and other Potentially Risky Services
- Use Antivirus Programs
- Secure Remote Access
- Reduce Risk of Phishing
Will It Stop?
Federal authorities across regions have joined hands to create awareness and address the state-sponsored APTs targeting critical infrastructure. In October 2021, Microsoft exposed Iran-linked threat actors using password spraying techniques to break into defense technology companies in the U.S., Israel, and parts of the Middle East.
Per the Quarterly Ransomware Index Spotlight Report (Q2 2021), several key ransomware markers have increased. Steady growth has been observed in the number of new APT groups using ransomware, in the emergence of new ransomware families and Ransomware-as-a-Service (RaaS) offerings, and in the number of Common Weakness Enumerations (CWEs) associated with researched vulnerabilities.