Cybersecurity Agencies Release Warnings on Exploitation of Microsoft, Fortinet Flaws by Iranian Hackers

A joint advisory warning of active exploitation of Fortinet FortiOS vulnerabilities and the Microsoft Exchange ProxyShell flaw has been released by cybersecurity agencies from Australia, the U.S. and the U.K.

Iranian state-sponsored actors are believed to be behind these attacks. They have been leveraging multiple Fortinet FortiOS vulnerabilities since at least March 2021, as well as a remote code execution flaw affecting Microsoft Exchange Servers since at least October 2021.

Targeted victims include Australian organizations and a wide range of entities across multiple U.S. critical infrastructure sectors, such as transportation and healthcare. The flaws being exploited are listed below:

CVE-2021-34473 (CVSS score: 9.1) – Microsoft Exchange Server remote code execution vulnerability (aka “ProxyShell”)
CVE-2020-12812 (CVSS score: 9.8) – FortiOS SSL VPN 2FA bypass by changing username case
CVE-2019-5591 (CVSS score: 6.5) – FortiGate default configuration does not verify the LDAP server identity
CVE-2018-13379 (CVSS score: 9.8) – FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests
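The CVE-2020-12812 entry above describes a 2FA bypass triggered by changing the case of the username. As an added example (not code from the advisory or this article), the following defender-side check parses SSL VPN login events and flags accounts that authenticate under more than one capitalisation, and in particular a 2FA failure followed by a success under a differently cased spelling of the same name from the same source. The log format, field names and sample lines are constructed for this example and are not the appliance's real output.

```python
import re
from collections import defaultdict

# Constructed sample SSL VPN login events; the field layout is an assumption
# made for this example, not a real FortiOS log format.
SAMPLE_LOG = """\
2021-05-02T10:01:12Z sslvpn user="jsmith" src=203.0.113.10 action=login status=failure reason=2fa_required
2021-05-02T10:01:40Z sslvpn user="JSmith" src=203.0.113.10 action=login status=success
2021-05-02T10:05:03Z sslvpn user="mlee" src=198.51.100.7 action=login status=success
2021-05-02T10:07:19Z sslvpn user="mlee" src=198.51.100.7 action=login status=success
2021-05-02T11:12:00Z sslvpn user="adm1n" src=203.0.113.44 action=login status=failure reason=2fa_required
2021-05-02T11:12:31Z sslvpn user="ADM1N" src=203.0.113.44 action=login status=success
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sslvpn user="(?P<user>[^"]+)" src=(?P<src>\S+) '
    r'action=login status=(?P<status>\w+)'
)

def parse_events(text):
    """Parse the constructed log format into dicts; unrecognised lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_case_variant_logins(events):
    """Map each case-folded account name to the distinct spellings seen for it,
    keeping only accounts that were used under more than one capitalisation."""
    spellings = defaultdict(set)
    for e in events:
        spellings[e["user"].casefold()].add(e["user"])
    return {u: sorted(s) for u, s in spellings.items() if len(s) > 1}

def find_bypass_sequences(events):
    """Flag a success that follows a failure for the same case-folded user from the
    same source but under a different spelling: (failed_spelling, success_spelling, src)."""
    flagged, last_fail = [], {}
    for e in events:
        key = (e["user"].casefold(), e["src"])
        if e["status"] == "failure":
            last_fail[key] = e
        elif e["status"] == "success" and key in last_fail \
                and last_fail[key]["user"] != e["user"]:
            flagged.append((last_fail[key]["user"], e["user"], e["src"]))
    return flagged

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(find_case_variant_logins(evs))
    print(find_bypass_sequences(evs))
```

Matches on a patched appliance are still worth a look, since a user legitimately typing their name in mixed case is far rarer than a retry that changes only the case.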

The FBI also stated that it observed the adversary abusing a FortiGate appliance in May 2021 to gain a foothold on a web server hosting the domain for a U.S. municipal government. The following month, the APT actors “exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children,” the advisory said.

This would be the second time the U.S. government has warned about advanced persistent threat groups targeting Fortinet FortiOS devices by leveraging CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591 with the aim of compromising systems belonging to government and commercial entities.

Organizations are advised to immediately patch software affected by the aforementioned vulnerabilities, enforce data backup and restoration procedures, secure accounts with multi-factor authentication, and apply updates as they become available.
