Governments Warn Iran Is Targeting Microsoft and Fortinet Flaws to Plant Ransomware

Oleksandr Hruts/

A warning from allied cybersecurity agencies coincides with the Cybersecurity and Infrastructure Security Agency’s recent order for agencies to patch a range of vulnerabilities.

The cybersecurity agencies of the U.S., U.K. and Australia are urging critical infrastructure organizations to patch vulnerabilities in Microsoft and Fortinet products that they say hackers associated with Iran use in ransomware attacks. 

“FBI and CISA have observed this Iranian government-sponsored [advanced persistent threat] group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware,” reads an advisory the agencies jointly issued Wednesday.

Iran’s cyber activity has previously been more closely tied to regional power plays and its geopolitical objectives. Officials expected espionage operations and were bracing for a retaliatory attack after the Trump administration pulled out of a nuclear agreement brokered by President Barack Obama and assassinated a top Iranian general, for example. But last September, the FBI and CISA warned that Iran would likely start using their capabilities to improve its financial situation through ransomware operations.  

The new joint advisory is also coming as the Biden administration implements a strategy of global cross-agency collaboration to combat ransomware. And Iran was on the agenda during a recent trip Deputy Treasury Secretary Wally Adeyemo took to Israel toward that end.   

“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations,” the advisory reads. “FBI, CISA, [the Australian Cyber Security Centre]  and [the the United Kingdom’s National Cyber Security Centre] assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors.”

The Fortinet and Microsoft Exchange vulnerabilities flagged in the advisory are all listed in a catalog of hundreds of known vulnerabilities being actively exploited. CISA released the catalog exactly two weeks ago along with a binding operational directive and deadlines for patching them. 

The due date listed in the catalogue for patching the three Fortinet vulnerabilities is not till next May. The deadline listed for patching the Microsoft Exchange vulnerability is Nov. 17.

The joint advisory also details specific indicators of compromise for organizations to check their systems against. Victims may see new accounts created—including those that mimic real ones—especially in domain controllers, servers, workstations and active directories, for example. The threat actor may also have manipulated a Task Scheduler used for synchronizing time zones and managing Google Chrome and Microsoft Outlook updates and placed resources like WinRAR and FileZilla in strange locations to facilitate their data exfiltration.