An Iranian actor, assessed to be government sponsored, is exploiting known CVEs against multiple sectors.
The advisory, issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC) and the NCSC, gives the observed tactics and techniques and indicators of compromise. It refers to activity observed against CNI organisations in the US, and Australian organisations.
The threat is ongoing; the NCSC (National Cyber Security Centre) therefore advises that UK organisations review the mitigation and detection advice and take appropriate action if necessary.
Threat Actor Activity
Since at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities. Observed activity includes the following.
- In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591. The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks. Note: for previous FBI and CISA reporting on this activity, refer to Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks.
- In May 2021, these Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. The actors likely created an account with the username elie to further enable malicious activity. Note: for previous FBI reporting on this activity, refer to FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Initial Access for Malicious Activity.
- In June 2021, these APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses 162.55.137[.]20, which FBI and CISA judge are associated with Iranian government cyber activity, to further enable malicious activity against the hospital's network. The APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity.
- As of October 2021, these APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability, CVE-2021-34473, to gain initial access to systems in advance of follow-on operations.
ACSC considers that this APT group has also used the same Microsoft Exchange vulnerability (CVE-2021-34473) in Australia.
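The indicators above (the two defanged IP addresses, the username elie, and the sweep of ports 4443, 8443 and 10443 associated with CVE-2018-13379 scanning) are the kind of thing a defender turns into a quick log check. The following is an added example, not code from the advisory or from any of the issuing agencies: it refangs the IPs, runs them and the username against a constructed sample of firewall and authentication log lines in a made-up format, and flags any single source that has touched all three FortiOS ports. The log format, the sample lines and the function names are assumptions for illustration only.

```python
import re
from collections import defaultdict

# Indicators taken from the advisory text above; the IPs are written defanged there.
IOC_IPS_DEFANGED = ["162.55.137[.]20", "154.16.192[.]70"]
IOC_USERNAME = "elie"
# Ports the advisory reports being scanned for the FortiOS vulnerability CVE-2018-13379.
FORTIOS_SCAN_PORTS = {4443, 8443, 10443}


def refang(ip: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into plain dotted form for matching."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}

# Constructed sample log lines (not from the advisory) in a simplified, assumed format.
# 203.0.113.9 sweeps the three FortiOS ports; the last three lines carry the advisory's IoCs.
SAMPLE_LOGS = """\
2021-03-02T10:11:12Z fw src=203.0.113.9 dst=198.51.100.5 dport=4443 action=deny
2021-03-02T10:11:13Z fw src=203.0.113.9 dst=198.51.100.5 dport=8443 action=deny
2021-03-02T10:11:14Z fw src=203.0.113.9 dst=198.51.100.5 dport=10443 action=deny
2021-03-02T10:12:00Z fw src=192.0.2.44 dst=198.51.100.5 dport=443 action=allow
2021-05-17T08:00:01Z auth user=elie src=154.16.192.70 result=success
2021-05-17T08:00:05Z auth user=jsmith src=192.0.2.10 result=success
2021-06-01T02:30:00Z fw src=162.55.137.20 dst=198.51.100.7 dport=443 action=allow
"""

FW_RE = re.compile(r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+) action=\S+$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=\S+$")


def scan_logs(text: str) -> dict:
    """Return matches keyed by category:
    ioc_ip             - log lines whose source IP is one of the advisory's addresses
    ioc_user           - auth lines for the username the advisory reports
    fortios_port_sweep - source IPs seen against all three FortiOS scan ports
    """
    hits = {"ioc_ip": [], "ioc_user": [], "fortios_port_sweep": []}
    ports_by_src = defaultdict(set)

    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            src, dport = m["src"], int(m["dport"])
            if src in IOC_IPS:
                hits["ioc_ip"].append(line)
            if dport in FORTIOS_SCAN_PORTS:
                ports_by_src[src].add(dport)
            continue
        m = AUTH_RE.match(line)
        if m:
            if m["src"] in IOC_IPS:
                hits["ioc_ip"].append(line)
            if m["user"] == IOC_USERNAME:
                hits["ioc_user"].append(line)

    # One source touching every port in the set is the sweep pattern the advisory describes.
    for src, ports in ports_by_src.items():
        if ports == FORTIOS_SCAN_PORTS:
            hits["fortios_port_sweep"].append(src)
    return hits


if __name__ == "__main__":
    for category, matches in scan_logs(SAMPLE_LOGS).items():
        print(category, matches)
```

The IP matches are the high-confidence signal; a bare username match will also fire on any legitimate account that happens to be called elie, and a three-port sweep from one source is common scanner behaviour, so both should be treated as prompts to pivot into the surrounding Fortinet and Exchange logs rather than as confirmations on their own.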
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.