Fox Kitten Strikes Again?
Law enforcement and intelligence agencies in the U.S., the U.K. and Australia have issued a joint advisory on unidentified Iran government-backed advanced persistent threat (APT) actors exploiting Fortinet and Microsoft Exchange ProxyShell vulnerabilities to attack organizations in their respective countries.
Attributing the attacks to a specific APT group is inherently challenging, but a senior cyber threat intelligence analyst has pointed out that the Iran-based Fox Kitten APT group has exploited vulnerabilities like these in the past.
The APT actors, the advisory says, do not target specific sectors. Instead, their victims range across U.S. critical infrastructure sectors, including transportation and healthcare.
Fortinet Vulnerabilities Exploited
The Iranian government-sponsored APT actors scanned devices on ports 4443, 8443 and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379 and enumerated devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591, the alert says. The agencies believe that the APT actors likely exploited these flaws to gain access to vulnerable networks.
The FBI advises users of vulnerable Fortinet products to immediately patch the flaws to prevent attacks.
Microsoft Exchange Flaw Exploited
In October 2021, the APT actors introduced Microsoft into the mix. They leveraged Microsoft Exchange ProxyShell vulnerability CVE-2021-34473 to obtain initial access to systems and leverage them for follow-on operations.
These recent exploits capitalize on issues that have been known for months. The Exchange ProxyShell vulnerabilities, including CVE-2021-34473, were identified in April and May of 2021, with patches available from July. The first version of Fortinet FortiOS that is not vulnerable to CVE-2018-13379 has been available since May 2019.
Tactics and Techniques
The APT groups tracked by the law enforcement agencies use tools such as Mimikatz for credential theft, WinPEAS for privilege escalation, SharpWMI to provide Windows Management Instrumentation functionality, WinRAR for archiving collected data, and FileZilla for transferring files, the advisory says. The advisory says the usernames “support, help, elie, WADGUtilityAccount, exfiltration” have been associated with the activity.
A Tuesday note by the Microsoft Threat Intelligence Center details how the tools, techniques and procedures employed by malicious network operators based in Iran have evolved. Some notable trends include:
- An increase in the use of ransomware to collect funds or disrupt targets
- Increased patience and persistence while engaging with targets and while conducting social engineering campaigns
- Continued deployment of aggressive brute force attacks
The law enforcement agencies recommend that organizations using Microsoft Exchange servers and Fortinet products investigate their networks for suspicious activity and search network and host artifacts for IOCs. Specifically, they recommend that organizations:
- Investigate exposed Microsoft Exchange servers — both patched and unpatched — for compromise
- Look for changes in remote desktop protocol, firewall and Windows Remote Management configurations that may allow attackers to maintain persistent access
- Review domain controllers, servers, workstations and active directories for new or unrecognized user accounts and Windows Task Scheduler for unrecognized scheduled tasks
- Review antivirus logs for indications they were unexpectedly turned off
- Look for WinRAR and FileZilla in unexpected locations
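The checklist above can be run as a single hunt on a Windows host. The script below is an added example, not code from the advisory or this article; it assumes a Windows 10 or Server 2016+ host, PowerShell 5.1 or later and an elevated session. The usernames are the ones quoted from the advisory; the set of "unexpected" directories searched for WinRAR and FileZilla is an assumption to adapt to your own build standard.

```powershell
# Hunt for the advisory's host indicators. Added example; not from the advisory or this article.
# Assumes Windows 10 / Server 2016+, PowerShell 5.1+, elevated session.
$SuspectUsers = @('support', 'help', 'elie', 'WADGUtilityAccount', 'exfiltration')   # from the advisory
$WritableDirs = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:windir\Temp")  # assumption: adapt
$ToolBinaries = @('WinRAR.exe', 'Rar.exe', 'filezilla.exe')

Write-Host "[1] Local accounts matching advisory usernames"
Get-LocalUser | Where-Object { $SuspectUsers -contains $_.Name } |
    Format-Table Name, Enabled, LastLogon -AutoSize

Write-Host "[2] Account-creation events (Security 4720) for those usernames"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
    Where-Object { $SuspectUsers -contains $_.Properties[0].Value } |   # Properties[0] = TargetUserName
    Format-Table TimeCreated, @{ n = 'User'; e = { $_.Properties[0].Value } } -AutoSize

Write-Host "[3] Scheduled tasks outside the built-in \Microsoft\ folder"
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Select-Object TaskName, TaskPath, State,
        @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -AutoSize

Write-Host "[4] Remote-access configuration that would support persistent access"
$rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
"RDP enabled   : $($rdp.fDenyTSConnections -eq 0)"     # 0 = connections allowed
"WinRM service : $((Get-Service WinRM).Status)"
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.DisplayName -match 'Remote Desktop|Windows Remote Management' } |
    Format-Table DisplayName, Profile -AutoSize

Write-Host "[5] Windows Defender real-time protection disabled (Defender/Operational 5001)"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001 } `
    -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize

Write-Host "[6] WinRAR / FileZilla binaries in user-writable locations"
Get-ChildItem -Path $WritableDirs -Recurse -File -Include $ToolBinaries -ErrorAction SilentlyContinue |
    Format-Table FullName, Length, LastWriteTime -AutoSize
```

Review each section's output against your own inventory of approved accounts, tasks and software; an empty section means the indicator was not found on that host, not that the host is clean.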
“The bottom line is that 99% of attacks leverage a vulnerability or misconfiguration first, then use this initial foothold to amplify the attack. Patching and fixing misconfigurations is the primary difference between proactive cybersecurity and reactive cybersecurity.”
The agencies recommend the following risk mitigation steps:
- Immediately patch software affected by the vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
- Regularly back up data and password protect those backup copies.
- Implement network segmentation and have an effective recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location – such as a hard drive, a storage device or in the cloud.
- Disable unused remote access or remote desktop protocol ports, and monitor these tools.
- Audit user accounts with administrative privileges and configure access controls with the least privilege in mind.
If you have questions about IT security and how to protect your organization, call ITPAC today.