Cybersecurity agencies from Australia, the U.K., and the U.S. released a joint advisory warning of ongoing exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian hackers to gain access to vulnerable systems for follow-on activities like deploying ransomware.
According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.’s National Cyber Security Centre (NCSC), the threat actors have leveraged multiple Fortinet FortiOS vulnerabilities dating back to March 2021 as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021.
The targeted victims include Australian organizations and multiple U.S. critical infrastructure sectors, such as transportation and healthcare.
The list of flaws being exploited includes:
- CVE-2021-34473 (CVSS score: 9.1) – Microsoft Exchange Server remote code execution vulnerability (aka “ProxyShell”)
- CVE-2020-12812 (CVSS score: 9.8) – FortiOS SSL VPN 2FA bypass by changing username case
- CVE-2019-5591 (CVSS score: 6.5) – FortiGate default configuration does not verify the LDAP server identity
- CVE-2018-13379 (CVSS score: 9.8) – FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests
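The 2FA bypass listed above is described only as "changing username case". As an added illustration (constructed toy code, not FortiOS or any vendor's code), the block below shows one way that bug class arises, namely a password check that canonicalises the username while the second-factor policy lookup matches it exactly, and the hardened form that canonicalises once and fails closed. The user record, password and field names are assumptions for the example.

```python
"""Toy illustration of the username-case 2FA-bypass bug class.

Constructed example: the directory, credentials and lookup logic are assumptions
and do not describe the actual FortiOS defect.
"""

# Constructed user directory: one user who is enrolled for a second factor.
USERS = {"alice": {"password": "correct-horse", "totp_enrolled": True}}


def _password_ok(username: str, password: str) -> bool:
    # Assumed defect: the credential backend canonicalises the name (case-insensitive),
    # so "Alice" and "alice" both authenticate as the same account.
    entry = USERS.get(username.lower())
    return entry is not None and entry["password"] == password


def login_vulnerable(username: str, password: str, otp_ok: bool) -> str:
    if not _password_ok(username, password):
        return "denied"
    # Exact-match policy lookup: "Alice" finds no record, so 2FA is never enforced
    # even though the password check above already accepted the account.
    policy = USERS.get(username)
    if policy and policy["totp_enrolled"] and not otp_ok:
        return "otp_required"
    return "granted"


def login_fixed(username: str, password: str, otp_ok: bool) -> str:
    # Canonicalise once and use the same key for every lookup; if an authenticated
    # user has no policy record at all, fail closed instead of skipping the check.
    canon = username.strip().lower()
    if not _password_ok(canon, password):
        return "denied"
    policy = USERS.get(canon)
    if policy is None:
        return "denied"
    if policy["totp_enrolled"] and not otp_ok:
        return "otp_required"
    return "granted"
```

A useful regression test for any authentication stack is exactly this pair: the same credentials with altered case must yield the same policy decision.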
CISA and FBI also observed that the adversary abused a Fortigate appliance in May 2021 to gain a foothold on a web server hosting the domain for a U.S. municipal government. The APT actors were then found exploiting a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children.
This is the second time the U.S. government has warned of advanced persistent threat groups targeting Fortinet FortiOS servers by leveraging CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to government and commercial entities.
The agencies recommend that organizations immediately patch software affected by the vulnerabilities, enforce data backup and restoration procedures, implement network segmentation, secure accounts with multi-factor authentication, and patch operating systems, software, and firmware as soon as updates are released.