![\"Sicherheit](\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Sicherheit_klein.jpg\" "\\"Sicherheit")
[German<\/a>]German CERT-Bund currently warns against outdated Microsoft Exchange servers. In Germany, thousands of Exchange Servers 2010 with open OWA are still in operation. Security organizations in the United States and the United Kingdom are also sounding the alarm because Iranian hackers are probably attacking Microsoft Exchange servers and Fortinet products. In addition, the US-CERT has added four entries to the list of known exploits. The vulnerabilities can be closed by security updates. <\/p>\n<\/p>\n
German CERT-Bund warns against old Exchange installs<\/h2>\n
The above German text says, that more than 8,000 or 15% of #Exchange servers with open #OWA in Germany are still running version 2010, even though support for these versions expired one or more years ago and, in principle, no more security updates are provided. <\/p>\n he U.S. Cybersecurity & Infrastructure Security Agency (CISA) has issued alert AA21-321A<\/a> warning of Iranian hacking attacks on Exchange and Fortinet. This cyber security alert is the result of analysis by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that the FBI, CISA, ACSC, and NCSC believe is linked to the Iranian government. <\/p>\n The FBI and CISA have observed this Iranian government-sponsored APT group exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to first gain access to systems before conducting follow-on operations that include ransomware distribution. ACSC is also aware that this APT group has exploited the same Microsoft Exchange vulnerability in Australia.<\/p>\n The Iranian government-sponsored APT actors are actively targeting a wide range of victims in several critical U.S. infrastructure sectors, including transportation and healthcare, as well as Australian organizations. According to FBI, CISA, ACSC, and NCSC assessments, actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can use this access for follow-on operations such as data exfiltration or encryption, ransomware, and extortion.<\/p>\n This advisory includes observed tactics and techniques, as well as indicators of compromise (IOCs) that the FBI, CISA, ACSC, and NCSC believe are likely related to these Iranian government-sponsored APT activities. Colleagues at Bleeping Computer have published an article on the subject here<\/a>.<\/p>\n The FBI, CISA, ACSC, and NCSC strongly recommend that critical infrastructure organizations apply the recommendations listed in the Remedial Actions section of this advisory to mitigate the risk of compromise by Iranian government-sponsored cyber actors.<\/p>\n There is also an article <\/a>from Microsoft that points to trends in Iranian Thead attackers, as seen in the following tweet<\/a>. Furthermore, US-CERT has added four new CVEs to its list of known exploits<\/a>.<\/p>\n These are the following vulnerabilities for which patches are available:<\/p>\nIn a tweet<\/a> German CERT-Bund warns, that over 8,000 Exchange 2010 servers are still running open OWA (Outlook Web App). This means that 15 percent of German Exchange servers have not received any security updates for several years. <\/p>\n
![\"German](\"https:\/\/i.imgur.com\/q8fJNkt.png\" "\\"German")
<\/a><\/p>\nIranian hackers target Exchange and Fortinet<\/h2>\n
![\"Cyber](\"https:\/\/i.imgur.com\/777F2gb.png\" "\\"Cyber")
<\/a><\/p>\n![\"Exploits\"](\"https:\/\/i.imgur.com\/8vxqvph.png\" "\\"Exploits\\"")
<\/a><\/p>\n