Iranian Hackers Exploiting Microsoft, Fortinet Flaws (19th November 2021)

Ref# AL2021_45 | Date: Nov 19th 2021

 On Wednesday, cybersecurity agencies from Australia, the United Kingdom, and the United States jointly announced an advisory warning of active exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities by Iranian state- sponsored actors to obtain initial access to vulnerable systems for follow-on activities such as data exfiltration and ransomware.


According to the US Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), and the United Kingdom”s National Cyber Security Centre, the threat actor is believed to have exploited multiple Fortinet FortiOS vulnerabilities dating back to March 2021, as well as a remote code execution flaw affecting Microsoft Exchange Servers since October 2021.

The operations were not credited to a specific advanced persistent threat (APT) actor, according to the agencies.

Victims include Australian organizations as well as a diverse range of entities from a variety of critical infrastructure sectors in the United States, including transportation and healthcare. The flaws that are being exploited are listed below:

  • CVE-2021-34473 (CVSS score: 9.1) – Microsoft Exchange Server remote code execution vulnerability (aka “ProxyShell“)

  • CVE-2020-12812 (CVSS score: 9.8) – FortiOS SSL VPN 2FA bypass by changing username case

  • CVE-2019-5591 (CVSS score: 6.5) – FortiGate default configuration does not verify the LDAP server identity

  • CVE-2018-13379 (CVSS score: 9.8) – FortiOS system file
    through SSL VPN via specially crafted HTTP resource requests

How it works

Phosphorus (aka Charming Kitten or APT35) is a threat actor that has been discovered scanning IP addresses on the internet for unpatched Fortinet FortiOS SSL VPN and on-premises Exchange Servers to gain initial access and persistence

on vulnerable networks before moving on to deploy additional payloads that allow the actors to pivot to other machines and deploy ransomware.

Another strategy used in the playbook is to use a network of fictitious social media accounts, including posing as attractive women, to gain trust from targets over time and then deliver malware-laced documents that allow data exfiltration from victim systems. Phosphorus and a second threat actor are known as Curium have both been observed utilizing such “patient” social engineering methods to compromise their targets.

“Over time, the threat actors build a relationship with prospective users by having constant and continuous communications, which allows them to build trust and confidence with the target,” MSTIC researchers said. In many of the cases we”ve seen, the targets genuinely believed they were interacting with a human being rather than a threat actor operating out of Iran.”

A third characteristic is the use of password spray attacks to attack Office 365 tenants in the United States, Europe, and Israel, which Microsoft announced last month while attributing to an emerging threat cluster DEV-0343.

The hacker groups have displayed the capability to adapt and shape-shift based on their strategic goals and tradecraft, developing into “more proficient threat actors” competent in disruption and information operations by carrying out a range of attacks such as cyber espionage, phishing and password spraying attacks, employing mobile malware, wipers, and ransomware, and even carrying out supply chain attacks.

In addition to exploiting the ProxyShell flaw to gain access to vulnerable networks, CISA said the adversary used a Fortigate appliance in May 2021 to gain access to a web server hosting the domain for a U.S. municipal government. The following month, the APT actors “used a Fortigate appliance to gain access to environmental control networks associated with a U.S.-based hospital specializing in pediatric healthcare,” according to the advisory.

This is the second time the US government has issued warnings about advanced persistent threat groups targeting Fortinet FortiOS servers by exploiting CVE- 2018-13379, CVE-2020-12812, and CVE-2019-5591 to compromise systems belonging to commercial and government enterprises.


At this moment there is no fixed patch to remedy this new vulnerability. However, Microsoft and Fortinet users should ensure their cybersecurity experts implement the following security measures:

  • The organization should immediately patch software that is affected by the aforementioned vulnerability.

  • Data backup should be enforced along with restoration procedures.

  • The use of implementation of network segmentation

  • Ensure accounts are secure with multi-factor authentication.

  • Patch all operating systems, software, and firmware when updates become


    The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
    PDF Download: Iranian Hackers Exploiting Microsoft Fortinet Flaws.pdf