Cybersecurity agencies from Australia, the U.K., and the U.S. on Wednesday released a joint advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state-sponsored actors to gain initial access to vulnerable systems for follow-on activities, including data exfiltration and ransomware.
The threat actor is believed to have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC).
The agencies did not attribute the activities to a specific advanced persistent threat (APT) actor. Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. The list of flaws being exploited are below —
- CVE-2021-34473 (CVSS score: 9.1) - Microsoft Exchange Server remote code execution vulnerability (aka "ProxyShell")
- CVE-2020-12812 (CVSS score: 9.8) - FortiOS SSL VPN 2FA bypass by changing username case
- CVE-2019-5591 (CVSS score: 6.5) - FortiGate default configuration does not verify the LDAP server identity
- CVE-2018-13379 (CVSS score: 9.8) - FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests
Besides exploiting the ProxyShell flaw to gain access to vulnerable networks, CISA and FBI said they observed the adversary abusing a Fortigate appliance in May 2021 to gain a foothold to a web server hosting the domain for a U.S. municipal government. The next month, the APT actors "exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children," the advisory said.
The development marks the second time the U.S. government has alerted of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.
As mitigations, the agencies are recommending organizations to immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as and when updates are released.