Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities

FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities.
Observed activity includes the following:

• FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591.
  The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks.

• Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government.
  The actors likely created an account with the username elie to further enable malicious activity.

• APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children.
  The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20-which FBI and CISA judge are associated with Iranian government cyber activity-to further enable malicious activity against the hospital's network.
  The APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity.

• These APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability-CVE-2021-34473-to gain initial access to systems in advance of follow-on operations.