
Exchange, Fortinet Flaws Being Exploited by Iranian APT, CISA Warns
2021-11-17 17:04

The Iranian APT has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021, according to the alert.

In keeping with what CISA described on Wednesday, MSTIC has seen the Iran-linked Phosphorus group - also tracked under a number of names, including Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef and Newscaster - globally target the Exchange and Fortinet flaws "with the intent of deploying ransomware on vulnerable networks."

Since March, the Iranian APT actors have been scanning devices on ports 4443, 8443 and 10443 for the much-exploited, serious Fortinet FortiOS vulnerability tracked as CVE-2018-13379 - a path-traversal issue in which the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.

It's déjà vu all over again: In April, CISA had warned about those same ports being scanned by cyberattackers looking for the Fortinet flaws.

That's what APT actors do, CISA said: They exploit critical vulnerabilities like the Fortinet CVEs "to conduct distributed denial-of-service attacks, ransomware attacks, structured query language injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns."

In June, the same APT actors exploited another FortiGate security appliance to access environmental control networks associated with a U.S. children's hospital, after likely leveraging a server assigned to the IP addresses 91.214.124[.]143 and 162.55.137[.]20: addresses that the FBI and CISA have linked with Iranian government cyber activity.
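As an added defender-side example (not from the Threatpost article or the CISA alert), the following Python script applies the advisory's observables to log lines: it flags connections from the two IP addresses named above, a single source probing all three of the SSL VPN ports the actors were scanning, and path-traversal sequences in requests to those ports. The log format and the sample lines are constructed for this example and do not represent any vendor's format.

```python
import re
from collections import defaultdict

# IP addresses the FBI and CISA linked to Iranian government cyber activity (from the advisory).
IOC_IPS = {"91.214.124.143", "162.55.137.20"}
# Ports the advisory says the actors scanned for the FortiOS SSL VPN portal.
SSLVPN_PORTS = {4443, 8443, 10443}
# Path-traversal sequences, raw and URL-encoded, to catch crafted resource requests.
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e(?:%2f|/)|\.\.%2f", re.IGNORECASE)

# Constructed log format (hypothetical, not a Fortinet or firewall format):
#   "<src_ip> <dst_port> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+) (\d{3})$")

# Constructed sample lines: an IoC hit, benign traffic, a three-port sweep, a traversal attempt.
SAMPLE_LOGS = """\
91.214.124.143 4443 GET /portal/login 200
10.0.0.5 443 GET /index.html 200
198.51.100.7 4443 GET /portal/login 200
198.51.100.7 8443 GET /portal/login 200
198.51.100.7 10443 GET /portal/login 200
203.0.113.9 8443 GET /portal/download?file=../../../etc/passwd 200
""".splitlines()


def analyse(lines):
    """Return a list of (reason, src_ip, detail) findings for the given log lines."""
    findings = []
    ports_by_src = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        src, port, _method, path, _status = m.groups()
        port = int(port)
        if src in IOC_IPS:
            findings.append(("ioc_ip", src, line))
        if port in SSLVPN_PORTS:
            ports_by_src[src].add(port)
            if TRAVERSAL.search(path):
                findings.append(("traversal", src, path))
    # One source touching every SSL VPN port in the window matches the reported scanning pattern.
    for src, ports in ports_by_src.items():
        if ports == SSLVPN_PORTS:
            findings.append(("port_sweep", src, sorted(ports)))
    return findings


if __name__ == "__main__":
    for reason, src, detail in analyse(SAMPLE_LOGS):
        print(f"{reason:10s} {src:16s} {detail}")
```

Run against the constructed sample it reports three findings; in practice the port-sweep rule needs a time window and an allow-list for internal scanners, which the example omits.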


News URL

https://threatpost.com/exchange-fortinet-exploited-iranian-apt-cisa/176395/

Related Vulnerability

Date: 2019-06-04
CVE: CVE-2018-13379
Title: Path Traversal vulnerability in Fortinet FortiOS and FortiProxy
Description: An Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.
Attack vector: network
Attack complexity: low
Vendor: fortinet
CWE: CWE-22
Risk: critical (CVSS 9.8)

Related vendor

Vendor: Fortinet
Last 12M / #/Products: 169
Low: 57
Medium: 405
High: 185
Critical: 81
Total vulns: 728