Administrators are being urged to patch four Fortinet and Microsoft Exchange flaws, CVE-2021-34473, CVE-2020-12812, CVE-2019-5591 and CVE-2018-13379, after they were exploited in attacks across the US, UK and Australia attributed to Iranian threat actors.
The FBI and CISA have observed an Iranian state-backed APT group exploiting the Fortinet vulnerabilities since at least March and the Microsoft Exchange ProxyShell vulnerability since at least October this year, using them to gain initial access to networks for follow-on attacks.
The authorities said the attackers are opportunistic: they exploit these vulnerabilities wherever they find them rather than targeting a particular sector. After gaining initial access, they move on to data exfiltration or a ransomware attack.
Once inside, the attackers use the Windows Task Scheduler for persistence and create new accounts on domain controllers and other systems, naming them to blend in with existing accounts so that their access survives.
After the FBI and CISA issued their warnings about the exploited Fortinet and Exchange flaws, Microsoft followed with a warning of its own about six Iranian threat groups that exploited vulnerabilities in the same two products to deploy ransomware.
CISA also provided a long list of techniques used by the Iranian APT group in its attacks. The indicators of compromise (IOCs) include the creation of new user accounts on domain controllers, in Active Directory, and on servers and workstations.
Although these accounts are created to look like existing ones, investigators were still able to list usernames associated with the APT group, including ‘support’, ‘help’, ‘elie’ and ‘WADGUtilityAccount’.
The attackers then enable BitLocker on the victim’s systems and leave a ransom note. Finally, they exfiltrate the data using the File Transfer Protocol (FTP).
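The account-creation and scheduled-task behaviour described above is something a defender can hunt for in exported Windows Security events. The script below is an added example, not tooling from CISA, the FBI or Microsoft: it applies three rules to constructed sample records (event 4720, user account created; event 4698, scheduled task created), flagging the account names the advisory lists, new accounts whose name is one edit away from a legitimate account (a look-alike), and a scheduled task registered by the same principal shortly after it created an account on the same host. The legitimate-account inventory, the domain-controller hostnames and the 30-minute window are assumptions for the sample environment.

```python
"""Hunt over exported Windows Security events for the persistence indicators
named in the advisory. Added example with constructed records; the account
inventory, hostnames and time window are assumptions, not advisory content."""
from datetime import datetime, timedelta

# Account names the advisory ties to the actor; matched case-insensitively.
KNOWN_ACTOR_ACCOUNTS = {"support", "help", "elie", "wadgutilityaccount"}

# Hypothetical inventory of legitimate accounts, used to flag look-alike names.
LEGITIMATE_ACCOUNTS = {"Administrator", "svc_backup", "helpdesk1", "j.smith", "m.garcia"}

# Hosts treated as domain controllers (assumption for this sample environment).
DOMAIN_CONTROLLERS = {"DC01.corp.example", "DC02.corp.example"}

# Constructed sample events shaped like a flattened Security log export.
# 4720 = user account created, 4698 = scheduled task created.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2021-10-20T02:14:07", "Computer": "DC01.corp.example",
     "SubjectUserName": "svc_backup", "TargetUserName": "WADGUtilityAccount"},
    {"EventID": 4720, "TimeCreated": "2021-10-20T02:16:31", "Computer": "DC01.corp.example",
     "SubjectUserName": "svc_backup", "TargetUserName": "Support"},
    {"EventID": 4720, "TimeCreated": "2021-10-20T02:17:10", "Computer": "DC01.corp.example",
     "SubjectUserName": "svc_backup", "TargetUserName": "j.smlth"},
    {"EventID": 4698, "TimeCreated": "2021-10-20T02:18:02", "Computer": "DC01.corp.example",
     "SubjectUserName": "svc_backup", "TaskName": "\\Microsoft\\Windows\\Maintenance\\SyncCheck"},
    {"EventID": 4720, "TimeCreated": "2021-10-21T09:05:00", "Computer": "WS-042.corp.example",
     "SubjectUserName": "helpdesk1", "TargetUserName": "jdoe"},
    {"EventID": 4698, "TimeCreated": "2021-10-22T11:00:00", "Computer": "WS-042.corp.example",
     "SubjectUserName": "SYSTEM", "TaskName": "\\Adobe Acrobat Update Task"},
    {"EventID": 4720, "TimeCreated": "2021-10-23T14:30:00", "Computer": "DC02.corp.example",
     "SubjectUserName": "Administrator", "TargetUserName": "tmp_admin"},
]


def levenshtein(a, b):
    """Edit distance between two strings; a single edit is a typical look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name, inventory):
    """Return the legitimate account this name imitates (edit distance 1), or None."""
    for legit in inventory:
        if legit.lower() != name.lower() and levenshtein(name.lower(), legit.lower()) == 1:
            return legit
    return None


def hunt(events, window=timedelta(minutes=30)):
    """Apply the three rules and return findings in chronological order."""
    findings = []
    creations = []  # (time, host, creator) of every 4720, for chaining with a 4698
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        host = ev["Computer"]
        if ev["EventID"] == 4720:
            name = ev["TargetUserName"]
            legit = lookalike_of(name, LEGITIMATE_ACCOUNTS)
            if name.lower() in KNOWN_ACTOR_ACCOUNTS:
                findings.append({"severity": "high", "rule": "actor-associated account name",
                                 "host": host, "account": name})
            elif legit is not None:
                findings.append({"severity": "medium", "rule": f"look-alike of {legit}",
                                 "host": host, "account": name})
            elif host in DOMAIN_CONTROLLERS:
                findings.append({"severity": "low", "rule": "new account on domain controller",
                                 "host": host, "account": name})
            creations.append((when, host, ev["SubjectUserName"]))
        elif ev["EventID"] == 4698:
            # Persistence chain: the same principal creates an account, then a task, on one host.
            for created_at, c_host, creator in creations:
                if (c_host == host and creator == ev["SubjectUserName"]
                        and timedelta(0) <= when - created_at <= window):
                    minutes = int(window.total_seconds() // 60)
                    findings.append({"severity": "medium",
                                     "rule": f"scheduled task within {minutes} min of account creation",
                                     "host": host, "task": ev["TaskName"]})
                    break
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['host']}: {f['rule']} ({f.get('account') or f.get('task')})")
```

On the sample data the script raises two high-severity findings for ‘WADGUtilityAccount’ and ‘Support’ (the name match is case-insensitive), a medium one for ‘j.smlth’ imitating ‘j.smith’, a medium one for the task registered by the same principal four minutes after its last account creation on DC01, and a low one for the new account on DC02. The 4698 on the workstation is ignored because its creator does not match the earlier 4720. On a real export, point the three constants at your own account inventory and domain controllers and feed it the fields from `Get-WinEvent` or your SIEM rather than the constructed list.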
The experts said the Iran-based APT group is patient, flexible and proficient in both strategy and tradecraft. It has also grown more aggressive and more capable, carrying out a wide range of operations, including deploying ransomware, disrupting operations, phishing, mass exploitation, mobile malware, password spraying, supply chain attacks and disk wipers.