Description
FBI and CISA observed an Iranian APT group targeting Fortinet and Microsoft Exchange vulnerabilities to gain access to vulnerable networks; see the vulnerabilities below:
CVE-2018-13379 - Fortinet FortiOS
CVE-2020-12812 - FortiOS
CVE-2021-34473 - ProxyShell
CVE-2019-5591 - FortiOS
The APT group scans for Fortinet FortiOS devices on ports 4443, 8443, and 10443 and exploits vulnerable FortiOS devices to gain access to the networks behind them.
In October 2021, the APT group targeted Microsoft Exchange ProxyShell to gain access to systems.
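To spot the port sweeps described above at the perimeter, the following is an added example (not part of the advisory) that groups firewall log lines by source and flags any host that probes two or more of the listed FortiOS ports on one target within a short window. The key=value log format, the sample lines and the addresses are constructed assumptions, not real FortiGate output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# FortiOS SSL-VPN / admin ports named in the advisory.
FORTIOS_PORTS = {4443, 8443, 10443}

# Constructed sample lines in a generic key=value firewall-log style
# (not real FortiGate output); addresses come from RFC 5737 test ranges.
SAMPLE_LOGS = """\
date=2021-11-17 time=10:00:01 srcip=203.0.113.10 dstip=198.51.100.5 dstport=4443 action=deny
date=2021-11-17 time=10:00:03 srcip=203.0.113.10 dstip=198.51.100.5 dstport=8443 action=deny
date=2021-11-17 time=10:00:04 srcip=203.0.113.10 dstip=198.51.100.5 dstport=10443 action=accept
date=2021-11-17 time=10:05:00 srcip=203.0.113.77 dstip=198.51.100.5 dstport=443 action=accept
date=2021-11-17 time=10:06:00 srcip=203.0.113.77 dstip=198.51.100.5 dstport=8443 action=accept
date=2021-11-17 time=12:30:00 srcip=203.0.113.10 dstip=198.51.100.5 dstport=4443 action=deny
"""

LINE_RE = re.compile(r"date=(\S+) time=(\S+) srcip=(\S+) dstip=(\S+) dstport=(\d+)")

def parse(log_text):
    """Turn log lines into (timestamp, srcip, dstip, dstport) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected fields
        date, time, src, dst, port = m.groups()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, src, dst, int(port)))
    return events

def find_port_sweeps(log_text, window=timedelta(minutes=10), min_ports=2):
    """Return {(srcip, dstip): sorted ports} for sources that touched at least
    `min_ports` distinct FortiOS ports on one host within `window`."""
    hits = defaultdict(list)
    for ts, src, dst, port in parse(log_text):
        if port in FORTIOS_PORTS:  # only the ports the advisory lists
            hits[(src, dst)].append((ts, port))
    sweeps = {}
    for key, evts in hits.items():
        evts.sort()  # chronological, so each window starts at evts[i]
        for i, (t0, _) in enumerate(evts):
            ports = {p for t, p in evts[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                sweeps[key] = sorted(ports)
                break
    return sweeps
```

A single hit on one of these ports is normal VPN traffic; the signal is one source touching several of them on the same device in quick succession.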
Indicators of compromise (IOCs)
IP Address:
91.214.124.143
162.55.137.20
154.16.192.70
File Hashes:
Recommendation
Workaround:
Install updates/patches for operating systems, software and firmware as soon as they are released
Immediately patch software affected by the vulnerabilities listed above
Use multifactor authentication (MFA)