Frequently Asked Questions

Threats & Attack Scenarios

What recent vulnerabilities have Iranian government-sponsored APT actors exploited?

Iranian government-sponsored APT actors have exploited vulnerabilities in Fortinet FortiOS (CVE-2018-13379, CVE-2020-12812, CVE-2019-5591) and Microsoft Exchange ProxyShell (CVE-2021-34473) to gain unauthorized access to networks across critical infrastructure sectors. These attacks have targeted U.S. municipal governments and hospitals, among others. Source

How do APT actors typically exploit Fortinet and Microsoft Exchange vulnerabilities?

APT actors scan for vulnerable devices on specific ports (e.g., 4443, 8443, 10443) to identify Fortinet FortiOS vulnerabilities, then exploit these flaws to gain access. For Microsoft Exchange, they leverage ProxyShell vulnerabilities to establish initial access for further malicious operations. Source

What types of organizations have been targeted by these APT campaigns?

Victims include U.S. municipal governments, hospitals (including those specializing in children's healthcare), and organizations across multiple critical infrastructure sectors. Source

How does Cymulate help organizations defend against APT threats exploiting Fortinet and Exchange vulnerabilities?

Cymulate's Exposure Management Platform enables organizations to simulate real-world APT attack scenarios, including those targeting Fortinet and Microsoft Exchange vulnerabilities. This allows security teams to validate their defenses, identify exploitable exposures, and prioritize remediation efforts before attackers can exploit them. Learn more

Can Cymulate validate my organization's exposure to specific CVEs like CVE-2018-13379 or CVE-2021-34473?

Yes, Cymulate's platform can simulate attack scenarios that target specific vulnerabilities, such as CVE-2018-13379 (Fortinet FortiOS) and CVE-2021-34473 (Microsoft Exchange ProxyShell), helping organizations assess and remediate their exposure. Learn more

What is the benefit of using Cymulate for validating exposure to APT techniques?

Cymulate provides continuous, automated simulations of advanced attack techniques, enabling organizations to proactively identify and remediate exposures before real attackers can exploit them. This approach reduces risk and improves overall threat resilience. Learn more

How does Cymulate's Threat (IoC) updates feature improve threat resilience?

Cymulate's Threat (IoC) updates feature provides recommended Indicators of Compromise that can be exported and applied directly to security controls, improving threat resilience by enabling rapid defense against new threats. Learn more

What types of cyber threats does the financial services sector face?

The financial services sector faces sophisticated threats such as ransomware, phishing, and advanced persistent threats (APTs), requiring robust security controls and continuous validation. Source

How does Cymulate support organizations in regulated industries like healthcare and finance?

Cymulate helps organizations in regulated industries by providing continuous threat validation, exposure management, and compliance with industry standards such as SOC2, ISO 27001, and GDPR. This ensures both security and regulatory requirements are met. Learn more

What case studies demonstrate Cymulate's effectiveness against advanced threats?

Case studies such as Hertz Israel (81% reduction in cyber risk in four months) and Nemours Children's Health (improved detection and response) showcase Cymulate's effectiveness in mitigating advanced threats. Hertz Israel, Nemours Children's Health

Features & Capabilities

What features does Cymulate offer for exposure management?

Cymulate offers continuous threat validation, unified exposure management, AI-powered optimization, complete kill chain coverage, attack path discovery, cloud validation, an immediate threats module, and an extensive threat library with daily updates. Learn more

Does Cymulate integrate with other security tools?

Yes, Cymulate integrates with a wide range of security technologies, including EDR (CrowdStrike Falcon, Cisco Secure Endpoint, BlackBerry Cylance PROTECT), SIEM (CrowdStrike Falcon LogScale), cloud security (AWS GuardDuty, Check Point CloudGuard), network security (Akamai Guardicore), and vulnerability management (CrowdStrike Falcon Spotlight). See full list

What technical documentation is available for Cymulate?

Cymulate provides whitepapers, guides, solution briefs, data sheets, and analyst reports covering topics like exposure management, CTEM, detection engineering, vulnerability management, and threat exposure validation. See resources

How does Cymulate's platform help with cloud security validation?

Cymulate offers dedicated validation features for hybrid and cloud environments, enabling organizations to assess and strengthen their cloud security controls against emerging threats. Learn more

What is Cymulate's approach to exposure prioritization and remediation?

Cymulate automates threat validation and prioritization, ranking exposures based on exploitability, business context, and threat intelligence, and provides actionable remediation guidance. Learn more

How often is Cymulate's threat library updated?

Cymulate's threat library is updated daily, ensuring that organizations can validate their defenses against the latest attack techniques and threat intelligence. Learn more

What is Cymulate's implementation process like?

Cymulate is known for its quick and straightforward implementation. It operates in agentless mode, requires no additional hardware, and can be deployed rapidly, allowing organizations to start running simulations almost immediately. Customer story

How easy is Cymulate to use for security teams?

Cymulate is praised for its intuitive, user-friendly interface and dashboard. Customers report that it is easy to implement and provides actionable insights with minimal effort. See testimonials

What is Cymulate's pricing model?

Cymulate operates on a subscription-based pricing model tailored to each organization's needs. Pricing depends on the package, number of assets, and scenarios selected. For a custom quote, schedule a demo with Cymulate's team. Schedule a demo

Security & Compliance

What security certifications does Cymulate hold?

Cymulate is certified for SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1, demonstrating its commitment to security, privacy, and cloud compliance. Learn more

How does Cymulate ensure data security and privacy?

Cymulate employs strong encryption (TLS 1.2+ for data in transit, AES-256 for data at rest), secure AWS data centers, a robust Secure Development Lifecycle, and ongoing employee security training. It is GDPR compliant and has a dedicated privacy and security team. Learn more

Is Cymulate GDPR compliant?

Yes, Cymulate is GDPR compliant and incorporates data protection by design, with a dedicated Data Protection Officer and Chief Information Security Officer overseeing privacy and security. Learn more

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for CISOs, security leaders, SecOps teams, red teams, and vulnerability management teams across industries such as finance, healthcare, retail, and transportation. It serves organizations of all sizes, from small teams to enterprises with over 10,000 employees. Learn more

What business impact can customers expect from using Cymulate?

Customers report an 81% reduction in cyber risk within four months, a 60% increase in team efficiency, 40X faster threat validation, a 30% improvement in threat prevention, and a 52% reduction in critical exposures. See case study

What pain points does Cymulate solve for security teams?

Cymulate addresses overwhelming threat volume, lack of visibility, unclear prioritization, operational inefficiencies, fragmented tools, cloud complexity, and communication barriers for CISOs and security teams. Learn more

How does Cymulate tailor its solutions for different security roles?

Cymulate provides quantifiable metrics for CISOs, automation and actionable insights for SecOps, scalable offensive testing for red teams, and consolidated exposure prioritization for vulnerability management teams. Learn more

What is Cymulate's primary purpose?

Cymulate's primary purpose is to help organizations harden defenses and optimize security controls by proactively validating controls, threats, and response capabilities, focusing on exploitable exposures, and strengthening overall security posture. Learn more

Competition & Comparison

How does Cymulate compare to AttackIQ?

While AttackIQ offers automated security validation, Cymulate provides a more comprehensive threat scenario library, advanced AI-powered features, and greater ease of use, making it more effective for improving security posture. Read more

How does Cymulate differ from Mandiant Security Validation?

Mandiant is an original BAS platform but has seen less innovation in recent years. Cymulate stands out for its continuous innovation, AI-powered automation, and expanded exposure management capabilities. Read more

What makes Cymulate different from Pentera?

Pentera focuses on attack path validation but lacks Cymulate's depth in exposure validation and full kill chain coverage, including cloud control validation. Read more

How does Cymulate compare to Picus Security?

Picus offers BAS with on-prem options but lacks Cymulate's comprehensive exposure validation, full kill chain coverage, and cloud control validation. Read more

What are the advantages of Cymulate over SafeBreach?

SafeBreach provides BAS but lacks Cymulate's innovation, precision, and automation. Cymulate offers a full CTEM solution, comprehensive exposure validation, and the industry's largest attack library. Read more

How does Cymulate compare to Scythe?

Scythe is built for advanced red teams but lacks Cymulate's ease of use, continuous validation, and actionable remediation guidance. Cymulate provides automated, no-code workflows and daily threat updates. Read more

Company & Vision

When was Cymulate founded and what is its global reach?

Cymulate was founded in 2016 and has a global presence with offices in eight locations, serving customers in 50 countries and trusted by over 1,000 organizations. Learn more

What is Cymulate's mission and vision?

Cymulate's mission is to revolutionize cybersecurity by fostering a proactive approach to managing threats, empowering organizations to effectively manage their security posture and improve resilience. Learn more

What is Gartner's prediction regarding threat exposure findings by 2028?

Gartner predicts that by 2028, more than half of threat exposure findings will result from nontechnical vulnerabilities, requiring a shift in security priorities as these risks surpass traditional IT concerns. Read more


Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities

November 18, 2021

FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities.
Observed activity includes the following:

  • FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591.
    The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks.
  • Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government.
    The actors likely created an account with the username elie to further enable malicious activity.
  • APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children.
    The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20, which FBI and CISA judge are associated with Iranian government cyber activity, to further enable malicious activity against the hospital's network.
    The APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity.
  • These APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability (CVE-2021-34473) to gain initial access to systems in advance of follow-on operations.
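One way to turn the observations above into detection logic, as an added example that is not part of the advisory or of Cymulate's product: the IP addresses, ports and username come from the advisory text, while the log formats, field layout and sample lines are constructed for this example.

```python
from collections import defaultdict

ADVISORY_IPS = {"91.214.124.143", "162.55.137.20", "154.16.192.70"}  # from the advisory
FORTIOS_SCAN_PORTS = {4443, 8443, 10443}  # ports the advisory says were scanned
SUSPECT_ACCOUNTS = {"elie"}  # username the advisory says the actors likely created

# Constructed firewall log: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>"
FIREWALL_LOG = """\
2021-11-10T01:00:01 203.0.113.5 198.51.100.10 4443 deny
2021-11-10T01:00:02 203.0.113.5 198.51.100.10 8443 deny
2021-11-10T01:00:03 203.0.113.5 198.51.100.10 10443 allow
2021-11-10T01:05:00 154.16.192.70 198.51.100.20 443 allow
2021-11-10T01:06:00 192.0.2.9 198.51.100.10 443 allow
"""

# Constructed account-audit log: "<timestamp> <host> account_created <username>"
AUDIT_LOG = """\
2021-11-10T02:00:00 web01 account_created elie
2021-11-10T02:01:00 web01 account_created svc_backup
"""

def parse_firewall(text):
    """Parse firewall lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        ts, src, dst, port, action = parts
        events.append({"ts": ts, "src": src, "dst": dst, "dst_port": int(port), "action": action})
    return events

def find_fortios_scanners(events, min_ports=2):
    """Sources that probed >= min_ports distinct FortiOS ports, whether allowed or denied."""
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["dst_port"] in FORTIOS_SCAN_PORTS:
            ports_by_src[ev["src"]].add(ev["dst_port"])
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}

def find_advisory_ip_hits(events):
    """Connections whose source is one of the advisory's IP addresses."""
    return [ev for ev in events if ev["src"] in ADVISORY_IPS]

def find_suspect_accounts(text):
    """(host, username) pairs for account creations using a username from the advisory."""
    rows = [line.split() for line in text.splitlines()]
    return [(r[1], r[3]) for r in rows
            if len(r) == 4 and r[2] == "account_created" and r[3].lower() in SUSPECT_ACCOUNTS]
```

Denied connections count toward the scan detection on purpose: a perimeter block hides the probing from the appliance's own logs but not from the firewall's.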