On Wednesday, cybersecurity agencies from Australia, the U.K., and the U.S. issued a joint advisory detailing the active exploitation of vulnerabilities in Fortinet and Microsoft Exchange ProxyShell by Iranian state-sponsored threat actors. This exploitation is part of a broader effort to gain initial access into susceptible systems, subsequently enabling activities such as data exfiltration and ransomware deployment.
The advisory states that the threat actors have been exploiting multiple vulnerabilities in Fortinet FortiOS since at least March 2021, along with a remote code execution vulnerability in Microsoft Exchange Server (ProxyShell) since at least October 2021. The details come from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.’s National Cyber Security Centre (NCSC).
Although these activities have not been specifically attributed to an individual advanced persistent threat (APT) group, they target a spectrum of victims, including Australian organizations and numerous entities within the U.S. critical infrastructure sectors, encompassing transportation and healthcare. The vulnerabilities currently being exploited include notable CVEs such as CVE-2021-34473, CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379.
Prior analyses by CISA and the FBI have revealed that attackers exploited the ProxyShell vulnerability to access vulnerable networks. In May 2021, adversaries abused a FortiGate appliance to infiltrate a web server belonging to a municipal government in the U.S.; in June 2021, they exploited another FortiGate appliance to breach environmental control networks linked to a children’s healthcare facility in the U.S.
This latest advisory marks the second occasion in which U.S. authorities have alerted organizations about APT groups targeting Fortinet FortiOS servers. These actors have previously leveraged vulnerabilities such as CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 in attempts to compromise systems belonging to both governmental and commercial entities.
In light of these developments, cybersecurity agencies are urging organizations to take proactive measures. Immediate patching of software impacted by the listed vulnerabilities is critical. Furthermore, organizations should implement robust backup and recovery procedures, ensure data segregation through network segmentation, enforce multi-factor authentication to secure accounts, and consistently update operating systems, software, and firmware as patches are released.