Security News > 2021 > November > Exchange, Fortinet Flaws Being Exploited by Iranian APT, CISA Warns

The Iranian APT has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021, according to the alert.

In keeping with what CISA described on Wednesday, MSTIC has seen the Iran-linked Phosphorous group - aka a number of names, including Charming Kitten, TA453, APT35, Ajax Security Team, NewsBeef and Newscaster - globally target the Exchange and Fortinet flaws "With the intent of deploying ransomware on vulnerable networks."

Since March, the Iranian APT actors have been scanning devices on ports 4443, 8443 and 10443 for the much-exploited, serious Fortinet FortiOS vulnerability tracked as CVE-2018-13379 - a path-traversal issue in Fortinet FortiOS, where the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests.

It's déjà vu all over again: In April, CISA had warned about those same ports being scanned by cyberattackers looking for the Fortinet flaws.

That's what APT actors do, CISA said: They exploit critical vulnerabilities like the Fortinet CVEs "To conduct distributed denial-of-service attacks, ransomware attacks, structured query language injection attacks, spearphishing campaigns, website defacements, and disinformation campaigns."

In June, the same APT actors exploited another FortiGate security appliance to access environmental control networks associated with a U.S. children's hospital after likely leveraging a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20: address that the FBI and CISA have linked with Iranian government cyber activity.

News URL

https://threatpost.com/exchange-fortinet-exploited-iranian-apt-cisa/176395/