CISA/Microsoft issue warnings about Iran-linked attacks
Posted by: GuidePoint Security
Published 11/23/21, 11:00am
Last week, cybersecurity agencies in the United States, the United Kingdom, and Australia issued warnings that nation-state threat actors backed by Iran were engaged in attacks against organizations in the US and Australia. The warnings coincide with a Microsoft report which outlined findings on a series of sophisticated Iranian-based attacks that began as early as September 2020.
The attacks have ramped up dramatically in the last few months and currently focus on four primary vulnerabilities (CVE-2021-34473, CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591) in the Fortinet FortiOS SSL VPN and Microsoft Exchange Servers vulnerable to ProxyShell. Threats include ransomware, malware, and phishing, with the goals of business disruption/destruction, data exfiltration, extortion, and cyber espionage. Attack efforts include credential harvesting, privilege escalation, data archiving, and file transfer.
In the joint advisory issued by the Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), organizations are warned that advanced persistent threat (APT) groups sponsored by the Iranian government were actively scanning for unpatched vulnerabilities and targeting a broad range of victims across multiple US critical infrastructure areas, including transportation, healthcare, and public health. The groups have been exploiting the Fortinet vulnerabilities since at least March 2021 and the Microsoft Exchange ProxyShell vulnerabilities since at least October 2021.
Next Steps
CISA and the FBI are advising that at-risk organizations take the following immediate steps:
- Patch and update systems, particularly those affected by CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591
- Evaluate and update blocklists and allowlists (NOTE: CISA/FBI advise that “If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s execution blocklist. Any attempts to install or run this program and its associated files should be prevented.”)
- Implement and enforce backup and restoration policies and procedures
- Implement network segmentation
- Implement multi-factor authentication
- Use strong passwords
- Secure and monitor remote desktop protocols (RDP) and other potentially risky services
- Use antivirus programs
- Secure remote access
- Reduce phishing risks
Cyber industry professionals also advise organizations to engage a vulnerability management as a service (VMaaS) provider to help manage the plethora of vulnerabilities and zero-days. In addition, professional penetration testing can help organizations better understand and identify vulnerabilities in their enterprise systems.