US, UK, and Australia pin Iran for exploiting Fortinet and Exchange holes

American and Australian authorities claim to have observed Iranian-backed attackers scanning and exploiting various systems.
Written by Chris Duckett, Contributor
Image: Fortinet, ZDNet

Cyber authorities across the US, UK, and Australia have called for administrators to immediately patch a quartet of vulnerabilities -- CVE-2021-34473, 2020-12812, 2019-5591, and 2018-13379 -- after attributing some attacks that used them to attackers backed by Iran.

"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware," a joint release stated.

"ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia."

Rather than going after a certain sector of the economy, the authorities said the attackers were simply focused on exploiting the vulnerabilities where possible and, following operation, they then tried to turn that initial access into data exfiltration, a ransomware attack, or extortion.

Using the Fortinet and Exchange holes for access, the attackers would then add tasks to the Windows Task Scheduler and create new accounts on domain controllers and other systems to look like existing accounts to maintain access. The next step was to turn on BitLocker, leave a ransom note, and get the data out via FTP.

In April, the FBI and CISA issued warnings of the vulnerabilities in Fortinet gear being actively exploited, and the full quartet of authorities placed Fortinet on the top 30 exploited vulnerabilities in July.

Separately on Wednesday, Microsoft issued its own warning of six Iranian groups using vulnerabilities in the same pair of products to drop ransomware.

The Exchange vulnerabilities cited, known as ProxyShell, were initially exploited by Beijing-backed hackers.

ASD is confident it can remain on top of technology

Speaking in Canberra on Thursday, the director-general of the Australian Signals Directorate, of which the Australian Cyber Security Centre (ACSC) is a part, Rachel Noble, said the Five Eyes were ready to handle new technology such as quantum cryptography.

"A lot of planning is going ahead now among the Five Eyes for quantum-resistant cryptography, so we'll be ready when quantum computing is out there [and] encryption keys that protect our military and government secrets will be resistant to that," she said.

"We've always sort of stayed on top of technology in that regard, and we love to be first to have that and I'm sure we'll continue to do that in the future. I think quantum computing has an enormous ability to assist us with our signals intelligence and cyber defensive missions.

"So of course, we're investing in making sure we're ready to go when the world delivers it to us."

The director-general said there were times previously when the ASD believed intelligence-gathering avenues could go dark, but that has not come to pass.

"I recall at the time the conversations in ASD about how difficult this would be for us. The irony now is that we feared the lack of communications on the airways and yet now most of us will connect to the Internet by Wi-Fi," Noble said.

"That's not to say that the change didn't bring huge challenges for us. Through a mastery of our business and innovation -- the people of ASD prevailed."

Noble said efforts last year to take down COVID-19 scammers saw ASD resort to offensive cyber operations because trying to get local telcos to block each IP was not working and became a game of whack-a-mole.

"We used our covert online operations and computer network attack capabilities to infiltrate the syndicate and tear it down from the inside. I am proud to say that to this day, that syndicate has not been able to restart their vile business and we'll be there if they try," she said.

"In cyberspace, ASD is increasingly becoming the first and last line of digital defence that protects our country from cyber attacks, and thwarts those who seek to attack Australia by launching offensive cyber operations of our own. And we are right now fighting that battle with criminals -- state actors and serious and organised crime."

Earlier this year, Noble revealed a nationally-known company resisted approaches from the ASD after being hacked, and called in the lawyers.

Speaking on Thursday, Noble said ASD could bring signals intelligence expertise to bear in such situations.

"It is this intelligence, the decades of investment in capabilities, and the expertise of our people that give us a cutting edge as cybersecurity experts over and above any private company and any other governments in the world," she said.

"So when we ring you and tell you we think you've got a problem, and give you some advice about what you might want to do about that, I implore you to take that advice and understand that it might be coming from some of the most top secret and sensitive insights in the world.

"We might not be able to tell you the details of what those insights are and in the end you can take your own chances for not listening.

"But in the national interest, we would prefer that you didn't take that chance."

Related Coverage

Editorial standards