The US Cybersecurity and Infrastructure Security Agency (CISA), the US Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the UK National Cyber Security Centre (NCSC) released a joint advisory this morning that an Iranian government sponsored APT group is systematically exploiting known vulnerabilities in Fortinet FortiOS and Microsoft Exchange ProxyShell. Targeted organizations include a wide range of US critical infrastructure sectors, including transportation and healthcare. The following vulnerabilities are being exploited:
- CVE-2021-34473 (CVSS score: 9.1) – Microsoft Exchange Server remote code execution vulnerability (aka “ProxyShell“)
- CVE-2020-12812 (CVSS score: 9.8) – FortiOS SSL VPN 2FA bypass by changing username case
- CVE-2019-5591 (CVSS score: 6.5) – FortiGate default configuration does not verify the LDAP server identity
- CVE-2018-13379 (CVSS score: 9.8) – FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests
Analyst Notes
Recommended mitigations include immediately patching affected software, enforce data backup and restoration protocols, and secure accounts with multi-factor authentication (MFA) to slow down privilege escalation and lateral movement. While these vulnerabilities may be patched, APT groups have the resources to research 0-day exploits and other tactics in order to breach an otherwise secure network perimeter. A defense-in-depth strategy that includes Managed Detection and Response (MDR) and post-exploitation threat hunting is necessary in order to mitigate risks in the modern threat environment.
https://thehackernews.com/2021/11/us-uk-and-australia-warn-of-iranian.html
https://us-cert.cisa.gov/ncas/alerts/aa21-321a
