The FBI, CISA, ACSC, and NCSC released a joint Cybersecurity Advisory highlighting ongoing malicious cyber activity by an advanced persistent threat (APT) group believed to be associated with the government of Iran. Specifically, the FBI and CISA have observed this Iranian government-sponsored APT exploit Fortinet and Microsoft Exchange ProxyShell vulnerabilities to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. Entities being actively targeted include a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.
This activity is notable because it underscores the importance of keeping IT systems patched. In addition to the 2021 Microsoft Exchange vulnerabilities, this group is exploiting Fortinet vulnerabilities disclosed in 2018, 2019, and 2020 on devices that have remained unpatched. This threat group is just one of several currently known to be compromising unpatched devices by exploiting old vulnerabilities. To that end, CISA maintains a Known Exploited Vulnerabilities Catalog and has recently added four new vulnerabilities to it. The catalog currently lists over 400 vulnerabilities known to be exploited in the wild.
Members are encouraged to assess their environments for exposure to the Microsoft Exchange and Fortinet vulnerabilities discussed in the advisory, and are urged to develop and execute a patching schedule and implement additional mitigation steps as appropriate. Furthermore, anyone with unpatched devices on their network is strongly advised to look for signs of compromise by referring to the Appendix A: Indicators of Compromise section of Alert (AA21-321A), Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.
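One practical way to turn the Known Exploited Vulnerabilities Catalog into the patching schedule described above is to cross-reference it against an asset inventory and sort by BOD 22-01 due date. The script below is an added example, not code from WaterISAC, CISA, or the advisory. It assumes the record layout of CISA's public KEV JSON feed (a vulnerabilities array whose entries carry cveID, vendorProject, product, dateAdded, dueDate and requiredAction); the catalog excerpt, the inventory, the hostnames and the CVE-0000-000x identifiers are all constructed placeholders so the example runs offline.

```python
"""Cross-reference an asset inventory against the CISA Known Exploited
Vulnerabilities (KEV) catalog to build a prioritized patching worklist.

Added example, not WaterISAC or CISA code.  The record layout below
(vulnerabilities[].cveID, vendorProject, product, dateAdded, dueDate,
requiredAction) is assumed from CISA's public KEV JSON feed.  The catalog
excerpt, asset inventory and CVE-0000-000x IDs are constructed sample data.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed (placeholder IDs).
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Fortinet",
         "product": "FortiOS", "dateAdded": "2021-11-03",
         "dueDate": "2022-05-03",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0002", "vendorProject": "Microsoft",
         "product": "Exchange Server", "dateAdded": "2021-11-03",
         "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor",
         "product": "Widget", "dateAdded": "2021-11-10",
         "dueDate": "2022-05-10",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed inventory: CVEs a vulnerability scanner reported as still
# open on each asset (hostnames are placeholders).
INVENTORY = {
    "vpn-edge-01": {"vendor": "Fortinet", "product": "FortiOS",
                    "open_cves": ["CVE-0000-0001"]},
    "mail-01": {"vendor": "Microsoft", "product": "Exchange Server",
                "open_cves": ["CVE-0000-0002"]},
    "web-02": {"vendor": "ExampleVendor", "product": "Widget",
               "open_cves": []},
}


def load_kev(feed_json):
    """Parse the KEV feed and index its entries by CVE ID."""
    data = json.loads(feed_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def build_worklist(kev, inventory, today_iso):
    """Return one row per (asset, KEV CVE) that is still open, ordered so
    that findings whose BOD 22-01 due date has already passed come first,
    then the rest by soonest due date.  today_iso is an ISO date string."""
    today = date.fromisoformat(today_iso)
    rows = []
    for asset, info in inventory.items():
        for cve in info["open_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # open finding that is not in KEV: lower priority
            due = date.fromisoformat(entry["dueDate"])
            rows.append({
                "asset": asset,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due.isoformat(),
                "days_overdue": (today - due).days,
                "overdue": today > due,
                "action": entry["requiredAction"],
            })
    # Overdue rows sort first (False < True), then ascending due date.
    rows.sort(key=lambda r: (not r["overdue"], r["due"]))
    return rows


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    for row in build_worklist(catalog, INVENTORY, "2021-11-19"):
        flag = "OVERDUE" if row["overdue"] else "due"
        print(f'{row["asset"]:12} {row["cve"]:14} {row["product"]:26} '
              f'{flag} {row["due"]}  {row["action"]}')
```

In practice the KEV_SAMPLE string would be replaced by the downloaded feed and INVENTORY by scanner export, but the logic is the same: anything on the list is already being exploited, so the due date, not the CVSS score, drives the order of work.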
For more information on Iranian government-sponsored malicious cyber activity, see us-cert.cisa.gov/Iran.
For resources on patching, the National Cybersecurity Center of Excellence (NCCoE) has released two revised draft publications: Special Publication (SP) 1800-31, Improving Enterprise Patching for General IT Systems: Utilizing Existing Tools and Performing Processes in Better Ways, and SP 800-40 Revision 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology.
Additional resources found on the WaterISAC Resource Center
- Patching Vulnerabilities is Hard, Exploiting Unpatched Vulnerabilities…Not So Much
- Ransomware Resilience – Deferred Patching Could Result in a Ransomware Attack
- CISA Issues Binding Operational Directive (BOD) 22-01 to Address Known Exploited Vulnerabilities
- Report Identifies New Vulnerabilities Exploited in Ransomware Attacks
To report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at https://www.fbi.gov/contact-us/field-offices, or the FBI's 24/7 Cyber Watch (CyWatch) at (855) 292-3937 or by e-mail at CyWatch@fbi.gov.
WaterISAC Incident Reporting
WaterISAC encourages any members who have experienced malicious or suspicious activity related to this advisory to email email@example.com, call 866-H2O-ISAC, or use the online incident reporting form.