US, UK warn of Iranian hackers exploiting Microsoft Exchange, Fortinet (Security News, November 2021)
"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware," CISA said.
The Iranian state hackers focus their attacks on US critical infrastructure sectors and Australian organizations.
In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591.
In May 2021, these Iranian government-sponsored APT actors exploited a FortiGate appliance to access a web server hosting the domain for a US municipal government.
In the report, Microsoft provided information on the evolution of Iranian APTs and their capacity to adapt as a constantly shifting threat.
MSTIC observed them scanning and exploiting vulnerabilities in many products, including Fortinet's FortiOS SSL VPN and Microsoft Exchange servers vulnerable to the ProxyShell bugs.
Related news
- Azure Service Tags Vulnerability: Microsoft Warns of Potential Abuse by Hackers (source)
- China-Backed Hackers Exploit Fortinet Flaw, Infecting 20,000 Systems Globally (source)
- Microsoft bigwig says the Feds catching Chinese spies in Exchange Online is the cloud working as intended (source)
- UK and US cops band together to tackle Qilin's ransomware shakedowns (source)
- Microsoft blamed for million-plus patient record theft at US hospital giant (source)
- Iranian Hackers Deploy New BugSleep Backdoor in Middle East Cyber Attacks (source)
- Microsoft links Scattered Spider hackers to Qilin ransomware attacks (source)
- UK arrests suspected Scattered Spider hacker linked to MGM attack (source)
- US offers $10M for tips on DPRK hacker linked to Maui ransomware attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2020-08-14 | CVE-2019-5591 | Information Exposure vulnerability in Fortinet FortiOS: a default-configuration vulnerability in FortiOS may allow an unauthenticated attacker on the same subnet to intercept sensitive information by impersonating the LDAP server. | 3.3
2020-07-24 | CVE-2020-12812 | Improper Handling of Case Sensitivity vulnerability in Fortinet FortiOS: an improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username. | 9.8
2019-06-04 | CVE-2018-13379 | Path Traversal vulnerability in Fortinet FortiOS and FortiProxy: an Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") in Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12 and FortiProxy 2.0.0, 1.2.0 to 1.2.8, 1.1.0 to 1.1.6, 1.0.0 to 1.0.7 under the SSL VPN web portal allows an unauthenticated attacker to download system files via specially crafted HTTP resource requests. | 9.8