CISA Issues Alert On Microsoft Exchange And Fortinet Vulnerabilities – RiverLog Analysis
In a recent joint disclosure by federal agencies in the USA (FBI and CISA) and the UK, Microsoft Exchange Server vulnerabilities were reported as being exploited by Iranian adversaries. The agencies said they have observed APT actors leveraging Microsoft Exchange and Fortinet vulnerabilities to target a broad range of critical infrastructure. State-sponsored attacks are on the rise in recent times, said Steven S from the cybersecurity wing of RiverLog Software, a Silicon Valley based software company with branches across the globe. Given the geopolitical situations gripping the globe, state-sponsored attacks are on the rise, RiverLog opined. News agencies reported that the APT attackers from Iran were capitalizing on Microsoft Exchange and Fortinet vulnerabilities. Alert AA21-321A, issued by CISA, states that the alert is structured around MITRE's adversarial tactics framework (ATT&CK). The advisory describes the joint analysis and detection efforts of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC), and highlights ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. CISA further observed exploitation of Fortinet vulnerabilities since March 2021 and of a Microsoft Exchange ProxyShell vulnerability since October 2021. The Australian Cyber Security Centre reported that it has observed the APT's attacks in Australia. Although the Iranian APT actors are currently targeting critical infrastructure, the footprint of Microsoft Exchange servers and Fortinet products across organizations makes it easy to assess that the attacks will spread to other sectors too.
Of the several tools used by the APT actors, FileZilla and WinRAR are the ones found in abundance across organizations. Being free to use, FileZilla and WinRAR are used by a large number of users. Attackers may have infiltrated systems, created new user accounts on them, and used those accounts to initiate outbound file transfers.
Although the attacks are currently observed within Western countries, and given that cybersecurity implementation in emerging nations is a step behind that of Western regions, it is not far off that the attackers will point at the critical infrastructure and financial institutions of other nations. With knowledge of the flaws now public, other syndicates would have already begun their exploitation as we speak.
There are several ways to address these vulnerabilities. If such systems are deployed within your organization, engage Network Security, IPSEC and/or ITOps resources to review existing deployments. To begin with, examine access privileges and outbound file transfers, and review the latest logins, modifications to Active Directory and similar bare-bones activities.
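As an added example (not RiverLog's code and not part of the CISA advisory), the following Python hunts over constructed log samples for the pattern described above: a newly created account on a host that, within a short window, is granted local group membership or is followed by an outbound file transfer. The log formats, host names, IPs and thresholds are assumptions made for the illustration; the Windows Security event IDs 4720 (user account created) and 4732 (member added to a local group) are standard.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not real logs). Windows Security
# events are assumed exported as "time host event_id key=value ...".
SECURITY_EVENTS = [
    "2021-10-12T02:14:05 EXCH01 4720 Subject=SYSTEM Target=svc_backup2",
    "2021-10-12T02:15:40 EXCH01 4732 Subject=SYSTEM Group=Administrators Member=svc_backup2",
    "2021-10-12T09:00:00 FILE02 4720 Subject=it.admin Target=jdoe",
]
# Egress firewall records are assumed exported as "time host dst_ip dst_port bytes_out".
EGRESS_LOG = [
    "2021-10-12T02:40:11 EXCH01 203.0.113.5 21 48213020",
    "2021-10-12T10:30:00 FILE02 198.51.100.7 443 15000",
]
FILE_TRANSFER_PORTS = {21, 22}  # FTP and SFTP, the channels a FileZilla client uses

def parse_events(lines):
    """Parse an exported Security event line into (time, host, event_id, fields)."""
    out = []
    for line in lines:
        ts, host, eid, *kv = line.split()
        out.append((datetime.fromisoformat(ts), host, int(eid),
                    dict(pair.split("=", 1) for pair in kv)))
    return out

def parse_egress(lines):
    out = []
    for line in lines:  # (time, host, dst_ip, dst_port, bytes_out)
        ts, host, dst, port, nbytes = line.split()
        out.append((datetime.fromisoformat(ts), host, dst, int(port), int(nbytes)))
    return out

def find_suspicious(sec_lines, egress_lines, window=timedelta(hours=6), big=10_000_000):
    """Flag each new account (4720) that, on the same host within `window`, is added to
    a local group (4732) or is followed by an FTP/SFTP-port or large outbound transfer."""
    events, egress = parse_events(sec_lines), parse_egress(egress_lines)
    findings = []
    for t0, host, eid, f in events:
        if eid != 4720:
            continue
        user, reasons = f["Target"], []
        for t1, h, e, g in events:
            if h == host and e == 4732 and g.get("Member") == user and t0 <= t1 <= t0 + window:
                reasons.append(f"added to {g.get('Group')}")
        for t1, h, dst, port, nbytes in egress:
            if h == host and t0 <= t1 <= t0 + window and (port in FILE_TRANSFER_PORTS or nbytes >= big):
                reasons.append(f"outbound {nbytes} bytes to {dst}:{port}")
        if reasons:
            findings.append({"host": host, "user": user, "created": t0.isoformat(), "reasons": reasons})
    return findings
```

Run against the samples, `find_suspicious(SECURITY_EVENTS, EGRESS_LOG)` returns one finding for `svc_backup2` on EXCH01 and nothing for the routine `jdoe` creation on FILE02.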
The end goal of the attack obviously seems to be encryption of your systems, leading to ransomware.
Having an incident response team within your organization is very critical. Know more from RiverLog Software about forming a strategic cybersecurity incident response team.
a. Forming an incident response team: who should we involve, and how? How responsive should it be? What documentation should be used?
b. What kinds of threat models should you be aware of?
c. Should you do a cybersecurity audit, and at what interval?
d. Do you have an alert system in place?
e. When did you last do a vulnerability assessment?
RiverLog Software is a systems integration company based out of Silicon Valley, USA, with branches across the globe. The company's cybersecurity wing has attached probes through various web hooks, RSS feeds and manpower to follow day-to-day happenings in the area of cybersecurity. Its cybersecurity audit, vulnerability assessment and pen testing services are designed for large and mid-range companies.