Posted on November 18, 2021 at 4:43 PM

Fortinet Vulnerability Opens A Gateway To Iranian-Linked Hackers

Iranian state-sponsored actors have been discovered exploiting vulnerabilities in Fortinet and Microsoft Exchange. According to reports, the threat actors are launching these attacks on critical infrastructure in Australia and the United States. 

In a joint advisory issued by government agencies in Australia, the UK, and the US, the activities of the hackers were noticed in March 2021. 

The targets are from different industries, including the healthcare sector, finance, and transportation sector. The warning by the regulators is coming after an analysis of Six Iranian Threat Groups by Microsoft’s Threat Intelligence Center (MSTIC).

The MISTIC researchers pointed out that they have discovered three exploitation techniques threat actors are using to exploit vulnerable networks. The hackers are persistent and more patient when engaging their targets. They are also using ransomware in their attacks to displace their targets or steal funds from them.

The researchers also stated that they have been tracking six different sophisticated Iranian APT groups since September last year. 

They are using aggressive brute force attacks as well as social engineering campaigns to exploit their victims.

These threat actors have launched consistent ransomware attacks in waves. MSTIC says it has discovered the Iran-linked Phosphorous group, also called APT35, TA453, and Charming Kitten, targeting the Fortinet and Microsoft Exchange flaws. The main goal of the threat actors is to deploy ransomware on vulnerable networks.

Attackers Compromised On-Premise Exchange Servers

The researchers further explained the attacking intent of the group via a blog post, describing similar infiltration. According to MSTIC, the threat actors compromised their targets by exploiting vulnerabilities in on-premise Exchange Servers. They encrypt systems and compromise their target’s environments through the BitLocker ransomware.

The regulators also noted that the group tries to exploit their target organization by exploiting their vulnerabilities where possible. Once they succeed in infiltrating the organizations, they try to turn the initial access into data extortion, ransomware attack, or exfiltration.

After accessing the Exchange and Fortinet servers, the threat actors add tasks to the Windows Task Scheduler, creating accounts on domain controllers. They replicate these accounts to make them look exactly like the existing accounts to keep their presence hidden. Afterward, the threat actors start turning on BitLocker, leaving a ransom note, and getting the data out through FTP.

The APT Group Discovered Targeting Multiple Entities

Earlier in April, the CISA and the FBI warned that threat actors are actively exploiting the bugs in Fortinet gear. And in July, a joint report from other regulatory bodies placed Fortnite on the top 30 exploited bugs.

During the April alert, the CISA stated that it seemed that the APT actors were targeting multiple technology services, commercial, and government networks. In some cases, they exploit these vulnerabilities to carry out high-impact DDoS attacks that cripple the target organization’s networks. In other instances, they can carry out spearphishing campaigns, structured query language (SQL) injection attacks, or ransomware attacks.

The threat actors are not interested in any specific sector. Rather their target is to plant their ransomware in any Microsoft Exchange or Fortinet vulnerability they discover.

The Iranian APT group has been seen scanning devices on ports 10443, 8443, and 4443 for the much exploited Fortinet FortiOS vulnerability. The bug is tracked as CVE-2018-13379 and enables the threat actor to download system files through specially made HTTP resource requests.

However, CVE-2018-13379 is only one of the bugs in the Fortinet SSL VPN the security agencies have discovered being used to gain access to the networks. The report also stated that the hacking syndicates are targeting devices for the remaining pair of FortiOS bugs.

The Hackers Are Exploiting Other Vulnerabilities 

The Iranian threat actors have been seen targeting Fortigate appliance on several occasions. In June 2021, security researchers discovered that APTs were exploiting the Fortigate appliance to infiltrate networks of US-based hospitals that provide healthcare to children. And in October, the Iranian government-linked threat group exploited another Microsoft Exchange Proxyshell vulnerability known as CVE-2021-34473. The attackers were looking for initial access to their targets’ environments. ACSC also believes that the same threat organization took advantage of the same bug to launch attacks against Australian entities.

After the attacks, the threat actors decided to modify Task Scheduler tasks for the execution of the payload, they created new accounts on workstations, servers, active directories, and domain controllers to achieve persistence.

The threat actors also exploited several tools for Windows Management Instrument (SharpWMII), file transfer (FileZilla), data archiving (WinRAR), privilege escalation (WinPEAS), and credential harvesting.