New: Threat Exposure Validation Impact Report 2025
Learn More
Join our Summer Webinar Series on Threat Exposure Validation
Register Now
Meet the team at Infosecurity Europe 2025
Book a Meeting

Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities

November 18, 2021

FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities.
Observed activity includes the following:

  • FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591.
    The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks.
  • Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government.
    The actors likely created an account with the username elie to further enable malicious activity.
  • APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children.
    The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20-which FBI and CISA judge are associated with Iranian government cyber activity-to further enable malicious activity against the hospital's network.
    The APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity.
  • These APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability-CVE-2021-34473-to gain initial access to systems in advance of follow-on operations.