Cyber authorities across the US, UK, and Australia have called for administrators to immediately patch a quartet of vulnerabilities — CVE-2021-34473, CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379 — after attributing some attacks that used them to attackers backed by Iran.
“FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware,” a joint release stated.
“ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.”
Rather than going after a particular sector of the economy, the authorities said the attackers were simply focused on exploiting the vulnerabilities wherever possible; once exploitation succeeded, they then tried to turn that initial access into data exfiltration, a ransomware attack, or extortion.
Using the Fortinet and Exchange holes for access, the attackers would then add tasks to the Windows Task Scheduler and create new accounts on domain controllers and other systems to look like existing accounts to maintain access. The next step was to turn on BitLocker, leave a ransom note, and get
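The post-exploitation steps described above (new scheduled tasks, look-alike accounts on domain controllers, BitLocker switched on) each leave artifacts a defender can query. The following hunting script is an added example and is not code from the advisory, the agencies, or the article; it assumes a domain-joined Windows host with the RSAT ActiveDirectory module and the BitLocker module installed, a Security log that is being retained, and a hypothetical tuning parameter `$LookbackDays`. The look-alike check is a simple heuristic of the script's own, not a method the advisory specifies.

```powershell
# Added hunting example (not from the advisory or the article). Surfaces the three
# post-exploitation signals described in the text on a domain-joined Windows host:
# newly created accounts that resemble older ones, newly registered scheduled tasks,
# and BitLocker protection state. Assumes the RSAT ActiveDirectory and BitLocker
# modules are present; $LookbackDays is a hypothetical tuning knob.
param([int]$LookbackDays = 30)

$since = (Get-Date).AddDays(-$LookbackDays)

# --- 1. Accounts created in the window, flagged when they resemble an older account.
# Heuristic (assumption): strip non-alphanumerics, lowercase, and treat "name",
# "name1" and punctuation variants ("svc_backup" vs "svc-backup") as look-alikes.
function Normalize([string]$name) { ($name -replace '[^a-z0-9]', '').ToLowerInvariant() }

$allUsers = Get-ADUser -Filter * -Properties whenCreated | Select-Object SamAccountName, whenCreated
$newUsers = $allUsers | Where-Object { $_.whenCreated -ge $since }
$older    = $allUsers | Where-Object { $_.whenCreated -lt $since }

$lookalikes = foreach ($u in $newUsers) {
    $n = Normalize $u.SamAccountName
    foreach ($o in $older) {
        $m = Normalize $o.SamAccountName
        if ($n -eq $m -or $n -eq ($m + '1') -or $m -eq ($n + '1')) {
            [pscustomobject]@{
                NewAccount = $u.SamAccountName
                Resembles  = $o.SamAccountName
                Created    = $u.whenCreated
            }
        }
    }
}

# --- 2. Security-log evidence on this host: 4720 = user account created,
# 4698 = scheduled task created (4698 requires "Audit Other Object Access Events").
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4698; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Detail = ($_.Message -split "`n")[0]   # first line of the message summarises the event
        }
    }

# --- 3. Scheduled tasks registered in the window, with the command each one runs.
# The task's Date property holds the registration timestamp from the task XML (may be empty).
$tasks = Get-ScheduledTask | Where-Object { $_.Date -and ([datetime]$_.Date) -ge $since } |
    ForEach-Object {
        [pscustomobject]@{
            Task    = "$($_.TaskPath)$($_.TaskName)"
            Author  = $_.Author
            Created = $_.Date
            Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }

# --- 4. BitLocker state. Protection switching on where the build standard says it
# should be off (a server or domain controller) matches the impact step described above.
$bitlocker = Get-BitLockerVolume -ErrorAction SilentlyContinue |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage

"== New accounts resembling existing ones (since $since) =="
$lookalikes | Format-Table -AutoSize
"== Account-creation (4720) / task-creation (4698) events since $since =="
$events | Format-Table -AutoSize
"== Scheduled tasks registered since $since =="
$tasks | Format-Table -AutoSize
"== BitLocker volume state =="
$bitlocker | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on a domain controller or member server; the AD query covers the whole domain, while the event, task and BitLocker sections describe only the host it runs on, so repeat those across systems or feed the same event IDs to a central SIEM query.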