This week, the United States Cybersecurity and Infrastructure Security Agency (CISA) published an alert detailing malicious activity by an advanced persistent threat (APT) group linked to Iran’s government. According to the joint advisory, the actors exploit Microsoft Exchange and Fortinet vulnerabilities to target a wide variety of victims across numerous critical infrastructure sectors, including healthcare.
Since at least March 2021, the FBI and CISA have observed an Iranian government-sponsored APT group exploiting Fortinet vulnerabilities and a Microsoft Exchange ProxyShell vulnerability to gain initial access to systems in preparation for follow-on operations.
For example, in June 2021, the attackers used a FortiGate appliance to gain access to environmental control networks associated with a US children’s hospital. According to the government, organizations that run Microsoft Exchange servers or Fortinet devices should investigate any suspicious behavior on their networks. This is yet another sobering example of the threat posed by nation-state actors and of why standard cybersecurity approaches need to be reconsidered. No single entity, whether a corporation or a country, can handle challenges of this magnitude on its own.