Rachel Hanlon

Iranian APT Observed Targeting Fortinet and Microsoft Exchange Vulnerabilities

Description

The FBI and CISA have observed an Iranian APT group targeting Fortinet and Microsoft Exchange vulnerabilities to gain access to vulnerable networks. The vulnerabilities involved are listed below:

  • CVE-2018-13379 - Fortinet FortiOS

  • CVE-2020-12812 - Fortinet FortiOS

  • CVE-2021-34473 - Microsoft Exchange (ProxyShell)

  • CVE-2019-5591 - Fortinet FortiOS

The APT group is scanning for Fortinet FortiOS devices on ports 4443, 8443, and 10443 and exploiting the FortiOS vulnerabilities above to gain access to vulnerable networks.

In October 2021, the APT group targeted Microsoft Exchange ProxyShell (CVE-2021-34473) to gain access to systems.

Indicators of compromise (IOCs)

IP Addresses:

91.214.124.143

162.55.137.20

154.16.192.70

File Hashes:

MD5:

1444884faed804667d8c2bfa0d63ab13
1A44368EB5BF68688BA4B4357BDC874F
AA40C49E309959FA04B7E5AC111BB770
AF2D86042602CBBDCC7F1E8EFA6423F9
e64064f76e59dea46a0768993697ef2f
b90f05b5e705e0b0cb47f51b985f84db
26f330dadcdd717ef575aa5bfcdbe76a

SHA-1:

FA36FEBFD5A5CA0B3A1B19005B952683A7188A13
F1D90E10E6E3654654E0A677763C9767C913F8F0
CDCD97F946B78831A9B88B0A5CD785288DC603C1
5bd0690247dc1e446916800af169270f100d089b
c4160aa55d092cf916a98f3b3ee8b940f2755053
95E045446EFB8C9983EBFD85E39B4BE5D92C7A2A

SHA-256:

c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624
3A08D0CB0FF4D95ED0896F22F4DA8755525C243C457BA6273E08453E0E3AC4C4
5C818FE43F05F4773AD20E0862280B0D5C66611BB12459A08442F55F148400A6
4C691CCD811B868D1934B4B8E9ED6D5DB85EF35504F85D860E8FD84C547EBF1D
28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa
d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a

SHA-512:

6473DAC67B75194DEEAEF37103BBA17936F6C16FFCD2A7345A5A46756996FAD748A97F36F8FD4BE4E1F264ECE313773CC5596099D68E71344D8135F50E5D8971
E55A86159F2E869DCDB64FDC730DA893718E20D65A04071770BD32CAE75FF8C34704BDF9F72EF055A3B362759EDE3682B3883C4D9BCF87013076638664E8078E
70AA89449EB5DA1D84B70D114EF9D24CB74751CE12D12C783251E51775C89FDCE61B4265B43B1D613114D6A85E9C75927B706F39C576DBB036079C7E8CAF28B2
6451077B99C5F8ECC5C0CA88FE272156296BEB91218B39AE28A086DBA5E7E39813F044F9AF0FEDBB260941B1CD52FA237C098CBF4B2A822F08E3E98E934D0ECF
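The scanning activity described above (connections to FortiOS ports 4443, 8443 and 10443) and the IOC list are the two things a defender would want to check against their own telemetry. The following Python script is an added example, not code from the original post: it infers the algorithm of each hash IOC from its length, matches file contents against the resulting per-algorithm sets, and flags firewall log lines whose source is a listed IP or whose destination port is one of the FortiOS ports. The three IPs are copied from the post; only one hash per algorithm is embedded (the full list is above). The firewall log format and the log lines themselves are constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Indicators copied from the advisory. The hash list is a representative
# subset (one digest per algorithm); the full list is in the post above.
IOC_IPS = {"91.214.124.143", "162.55.137.20", "154.16.192.70"}
IOC_HASHES = [
    "1444884faed804667d8c2bfa0d63ab13",                                  # MD5
    "FA36FEBFD5A5CA0B3A1B19005B952683A7188A13",                          # SHA-1
    "c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624",  # SHA-256
    "6473DAC67B75194DEEAEF37103BBA17936F6C16FFCD2A7345A5A46756996FAD7"
    "48A97F36F8FD4BE4E1F264ECE313773CC5596099D68E71344D8135F50E5D8971",  # SHA-512
]
# Ports the advisory says the group scans for FortiOS devices.
FORTIOS_PORTS = {4443, 8443, 10443}

# Hex digest length -> hashlib algorithm name.
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def classify_hashes(hashes):
    """Group hex digests by algorithm, inferred from digest length.

    Digests are lower-cased so that matching is case-insensitive (the
    advisory mixes upper- and lower-case). Anything that is not a hex
    string of a known length is rejected rather than silently ignored.
    """
    groups = defaultdict(set)
    for raw in hashes:
        h = raw.strip().lower()
        if not re.fullmatch(r"[0-9a-f]+", h):
            raise ValueError(f"not a hex digest: {raw!r}")
        algo = HASH_ALGO_BY_LEN.get(len(h))
        if algo is None:
            raise ValueError(f"unrecognised digest length {len(h)}: {raw!r}")
        groups[algo].add(h)
    return dict(groups)


def hash_file_bytes(data, algos):
    """Compute one digest per algorithm over the bytes of a single file."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in algos}


def match_file(data, ioc_groups):
    """Return the algorithms under which this file's content hits an IOC."""
    digests = hash_file_bytes(data, ioc_groups.keys())
    return sorted(algo for algo, d in digests.items() if d in ioc_groups[algo])


# Constructed firewall log format (an assumption, not a vendor format):
#   "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def scan_log(lines):
    """Flag lines from a listed IP or to a FortiOS scanning port.

    Each hit records why it matched so an analyst can triage IOC-IP hits
    (high confidence) separately from port-only hits (context-dependent).
    Malformed lines are skipped.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, action = m.groups()
        port = int(port)
        reasons = []
        if src in IOC_IPS:
            reasons.append("ioc_ip")
        if port in FORTIOS_PORTS:
            reasons.append("fortios_port")
        if reasons:
            hits.append({"ts": ts, "src": src, "dst": dst, "port": port,
                         "action": action, "reasons": reasons})
    return hits


# Constructed sample log lines (TEST-NET addresses for the local side).
SAMPLE_LOG = [
    "2021-11-17T10:00:01Z 91.214.124.143 -> 203.0.113.10:10443 deny",
    "2021-11-17T10:00:05Z 198.51.100.7 -> 203.0.113.10:443 allow",
    "2021-11-17T10:00:09Z 198.51.100.7 -> 203.0.113.10:8443 allow",
    "2021-11-17T10:01:00Z 154.16.192.70 -> 203.0.113.11:25 deny",
    "this line is malformed and should be skipped",
]

if __name__ == "__main__":
    groups = classify_hashes(IOC_HASHES)
    print({algo: len(s) for algo, s in groups.items()})
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Port-only hits are not evidence of compromise on their own; the value of the `reasons` field is that it lets the IOC-IP hits be escalated immediately while port-only hits are cross-checked against the patch status of the FortiOS device that received them.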


Recommendation

Workaround:

  • Install updates and patches for operating systems, software and firmware as soon as they are released

  • Immediately patch software affected by the vulnerabilities listed above

  • Use MFA (multi-factor authentication)

Reference
