CERT-Federation, USA, GB warns about attacks on Exchange and Fortinet

Sicherheit (Pexels, allgemeine Nutzung)[German]German CERT-Bund currently warns against outdated Microsoft Exchange servers. In Germany, thousands of Exchange Servers 2010 with open OWA are still in operation. Security organizations in the United States and the United Kingdom are also sounding the alarm because Iranian hackers are probably attacking Microsoft Exchange servers and Fortinet products. In addition, the US-CERT has added four entries to the list of known exploits. The vulnerabilities can be closed by security updates. 


Advertising

German CERT-Bund warns against old Exchange installs

In a tweet German CERT-Bund warns, that over 8,000 Exchange 2010 servers are still running open OWA (Outlook Web App). This means that 15 percent of German Exchange servers have not received any security updates for several years.

German CERT-Bund warning about Exchange

The above German text says, that more than 8,000 or 15% of #Exchange servers with open #OWA in Germany are still running version 2010, even though support for these versions expired one or more years ago and, in principle, no more security updates are provided.

Iranian hackers target Exchange and Fortinet

he U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued alert AA21-321A warning of Iranian hacking attacks on Exchange and Fortinet. This cyber security alert is the result of analysis by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that the FBI, CISA, ACSC, and NCSC believe is linked to the Iranian government.

Cyber Warning


Advertising

The FBI and CISA have observed this Iranian government-sponsored APT group exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to first gain access to systems before conducting follow-on operations that include ransomware distribution. ACSC is also aware that this APT group has exploited the same Microsoft Exchange vulnerability in Australia.

The Iranian government-sponsored APT actors are actively targeting a wide range of victims in several critical U.S. infrastructure sectors, including transportation and healthcare, as well as Australian organizations. According to FBI, CISA, ACSC, and NCSC assessments, actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can use this access for follow-on operations such as data exfiltration or encryption, ransomware, and extortion.

This advisory includes observed tactics and techniques, as well as indicators of compromise (IOCs) that the FBI, CISA, ACSC, and NCSC believe are likely related to these Iranian government-sponsored APT activities. Colleagues at Bleeping Computer have published an article on the subject here.

The FBI, CISA, ACSC, and NCSC strongly recommend that critical infrastructure organizations apply the recommendations listed in the Remedial Actions section of this advisory to mitigate the risk of compromise by Iranian government-sponsored cyber actors.

There is also an article from Microsoft that points to trends in Iranian Thead attackers, as seen in the following tweet. Furthermore, US-CERT has added four new CVEs to its list of known exploits.

Exploits

These are the following vulnerabilities for which patches are available:

CVE Number CVE Title Remediation Due Date
CVE-2021-22204 Exiftool Remote Code Execution vulnerability 12/01/2021
CVE-2021-40449 Microsoft Win32k Elevation of Privilege    12/01/2021
CVE-2021-42292 Microsoft Excel Security Feature Bypass 12/01/2021
CVE-2021-42321 Microsoft Exchange Server Remote Code Execution    12/01/2021

US-CERT warns that US authorities must install the security updates by December 1, 2021. Perhaps this is also a hint to administrators in other countries and organisations to check whether their own systems are patched in this regard.

Similar articles:
Security updates for Exchange Server (July 2021)
Cumulative Exchange CUs June 2021 released
Exchange Server Security Update KB5001779 (April 13, 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange security updates from July 2021 breaks ECP and OWA
Exchange 2016/2019: Outlook problems due to AMSI integration
Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Exchange Server: Authentication bypass with ProxyToken
Exchange vulnerabilities: Will we see Hafnium II?
Exchange 2016/2019: Outlook problems due to AMSI integration
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server September 2021 CU (2021/09/28)
Security updates for Exchange Server (October 2021)
Tianfu Cup 2021: Exchange 2019 and iPhone hacked
Babuk gang uses ProxyShell vulnerability in Exchange for ransomware attacks
Exchange Server November 2021 Security Updates Close RCE Vulnerability CVE-2021-423
CERT warning: Compromised Exchange servers are misused for email attacks (Nov. 2021)

US-CERT warning: Secure Fortinet SSL VPNs, change passwords
Fortinet closes two vulnerabilities (SSH, Database) in its SIEM
Encryption vulnerabilities in Fortinet products
Attacks on unpatched Pulse Secure and Fortinet SSL VPNs


Advertising

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).