Cybersecurity Threat Advisory: Fortinet and Microsoft Exchange Vulnerability Exploits
Posted on December 2, 2021 by Mike Beagles
As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
This week there is a new critical alert that requires the mission-critical community’s immediate attention.
Advisory Overview
Since March 2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have been monitoring an Iranian government-sponsored advanced persistent threat (APT) group that has been exploiting a Fortinet vulnerability and, since October 2021, a Microsoft Exchange ProxyShell vulnerability. These vulnerabilities give the group initial network access, which it follows up with other tactics, including deploying ransomware that abuses Microsoft BitLocker to encrypt victims' files.
What Is the Threat?
The Iranian APT has been scanning devices on ports 4443, 8443, and 10443 for the Fortinet FortiOS vulnerability tracked as CVE-2018-13379. This vulnerability allows an unauthenticated attacker to send a specially crafted Hypertext Transfer Protocol (HTTP) request that lets them download system files from the device.
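One defensive use of the port list above is to look for the scanning itself in perimeter firewall logs. The following Python is an added example, not part of the MCP advisory or the CISA alert: it parses a constructed sample log (the line format is an assumption) and flags sources that probe several distinct hosts on ports 4443, 8443 or 10443 within a short window, while ignoring a single user reconnecting to one VPN portal and probes spread too far apart in time.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {4443, 8443, 10443}  # ports the advisory says the actors scanned

# Constructed sample firewall log, not real traffic. The line format is an
# assumption: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>".
SAMPLE_LOG = """\
2021-11-15T10:00:01 src=203.0.113.7 dst=198.51.100.10 dport=10443 action=deny
2021-11-15T10:00:02 src=203.0.113.7 dst=198.51.100.11 dport=10443 action=deny
2021-11-15T10:00:02 src=203.0.113.7 dst=198.51.100.12 dport=8443 action=deny
2021-11-15T10:00:03 src=203.0.113.7 dst=198.51.100.13 dport=4443 action=allow
2021-11-15T10:01:00 src=192.0.2.5 dst=198.51.100.13 dport=10443 action=allow
2021-11-15T10:06:00 src=192.0.2.9 dst=198.51.100.20 dport=443 action=allow
2021-11-15T08:00:00 src=203.0.113.9 dst=198.51.100.30 dport=8443 action=deny
2021-11-15T11:00:00 src=203.0.113.9 dst=198.51.100.31 dport=8443 action=deny
2021-11-15T14:00:00 src=203.0.113.9 dst=198.51.100.32 dport=8443 action=deny
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

def parse_log(text):
    """Parse log lines into (timestamp, src, dst, dport) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])))
    return events

def find_port_scanners(events, min_targets=3, window=timedelta(minutes=10)):
    """Return {src: sorted (dst, port) list} for sources that reach at least min_targets
    distinct host:port pairs on WATCHED_PORTS inside one sliding time window."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport in WATCHED_PORTS:  # traffic to other ports is not of interest here
            by_src[src].append((ts, dst, dport))
    flagged = {}
    for src, probes in by_src.items():
        probes.sort()  # chronological, so the window below can slide forward
        start = 0
        for end in range(len(probes)):
            while probes[end][0] - probes[start][0] > window:
                start += 1  # drop probes that fell out of the window
            targets = {(dst, port) for _, dst, port in probes[start:end + 1]}
            if len(targets) >= min_targets:
                # once a source qualifies, report every watched host:port it touched
                flagged[src] = sorted({(d, p) for _, d, p in probes})
                break
    return flagged
```

Thresholds and window length are tuning knobs; on a real network, start from the values above and widen them only after confirming that legitimate VPN users are not being flagged.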
Why Is It Noteworthy?
A state-sponsored APT group has resources that make it a deeply serious adversary in terms of the number of targets it can attack. It was recently reported that the same APT actors exploited another FortiGate security appliance in June to infiltrate the environmental control networks of a U.S.-based children's hospital.
What Is the Risk?
The group has also exploited the Microsoft Exchange ProxyShell vulnerability, tracked as CVE-2021-34473. ProxyShell chains multiple Common Vulnerabilities and Exposures (CVE) identifiers into an attack that enables unauthenticated attackers to gain remote code execution and obtain plaintext passwords.
What Are the Recommendations?
MCP recommends updating all Microsoft Exchange servers and all Fortinet security appliances on the network to their latest patched versions. The patches that must be deployed immediately address the following CVEs: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
References
For more in-depth information about the recommendations, please visit the following links:
- https://us-cert.cisa.gov/ncas/current-activity/2021/11/17/iranian-government-sponsored-apt-cyber-actors-exploiting-microsoft
- https://us-cert.cisa.gov/ncas/alerts/aa21-321a
- https://threatpost.com/exchange-fortinet-exploited-iranian-apt-cisa/176395/
If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite that is designed specifically for public safety and justice entities and other critical infrastructure organizations, to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.
Mike Beagles is MCP's director of IT and cybersecurity services. He can be reached here.