AA22-257A: Cybersecurity Agencies Issue Joint Advisory on Iranian Islamic Revolutionary Guard Corps-Affiliated Attacks

AA22-257A: Cybersecurity Agencies Issue Joint Advisory on Iranian Islamic Revolutionary Guard Corps-Affiliated Attacks

Several global cybersecurity agencies publish a joint advisory detailing efforts by Iranian-government sponsored threat actors exploiting vulnerabilities to enable ransomware attacks.

Background

On September 14, the Cybersecurity and Infrastructure Security Agency along with the National Security Agency, U.S. Cyber Command, Cyber National Mission Force, the Department of the Treasury, the Australian Cybersecurity Centre, the Canadian Centre for Cyber Security, and the U.K’s National Cyber Security Centre published a joint cybersecurity advisory (AA22-257A) detailing malicious activity linked to advanced persistent threat (APT) actors affiliated with Iranian’s Islamic Revolutionary Guard Corps (IRGC).

Analysis

This advisory builds on a previous joint cybersecurity advisory (AA21-321A) published in November 2021. In this new joint cybersecurity advisory, the agencies highlight several vulnerabilities used by the IRGC-affiliated APT actors to gain initial access to targeted entities from Log4Shell and associated vulnerabilities to ProxyShell and Fortinet flaws:

CVE
Description
CVSSv3
VPR
CVE-2021-44228
Apache Log4j2 Remote Code Execution (RCE)
10.0
10.0
CVE-2021-45046
Apache Log4j2 Denial of Service (DoS) and RCE
9.0
9.2
CVE-2021-45105
Apache Log4j2 DoS
5.9
6.7
CVE-2021-34473
Microsoft Exchange Server RCE (ProxyShell)
9.8
9.7
CVE-2021-34523
Microsoft Exchange Server Elevation of Privilege (EoP) (ProxyShell)
9.8
9.2
CVE-2021-31207
Microsoft Exchange Server Security Feature Bypass (ProxyShell)
7.2
9.2
CVE-2018-13379
Fortinet FortiOS Path Traversal/Arbitrary File Read
9.8
10.0
CVE-2019-5591
Fortinet FortiOS Default Configuration
6.5
8.7
CVE-2020-12812
Fortinet FortiOS Improper Authentication
9.8
10.0

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on September 15 and reflects VPR at that time.

Additional Exchange Server vulnerabilities highlighted in advisory

In addition to the nine vulnerabilities listed above, the advisory also includes the following Microsoft Exchange Server vulnerabilities “as a precaution” because the agencies that authored this advisory “have seen the actors broadly target Microsoft Exchange servers.” However, there are no confirmed reports that these vulnerabilities were exploited in any IRGC-affiliated attacks:

CVE
Description
CVSSv3
VPR
CVE-2021-31196
Microsoft Exchange Server RCE (ProxyOracle)
7.2
9.2
CVE-2021-31206
Microsoft Exchange Server RCE
8.0
8.4
CVE-2021-33768
Microsoft Exchange Server EoP
8.0
9.2
CVE-2021-33766
Microsoft Exchange Server Information Disclosure (ProxyToken)
7.5
7.7
CVE-2021-34470
Microsoft Exchange Server EoP
8.0
9.0

While not mentioned explicitly in the advisory, we believe that organizations should also ensure they’ve applied patches for ProxyLogon and associated vulnerabilities, which preceded ProxyShell and may still be leveraged in attacks against Microsoft Exchange Servers:

CVE
Description
CVSSv3
VPR
CVE-2021-26855
Microsoft Exchange Server (ProxyLogon)
9.8
9.8
CVE-2021-26857
Microsoft Exchange Server Insecure Deserialization
7.8
7.4
CVE-2021-26858
Microsoft Exchange Server Arbitrary File Write
7.8
7.4
CVE-2021-27065
Microsoft Exchange Server Arbitrary File Write
7.8
9.8

Organizations should also keep VMware products up-to-date

Outside of Microsoft Exchange Server, the advisory also notes that organizations should review recent advisories from VMware regarding critical vulnerabilities. The advisory does not mention any CVEs in particular. However, we believe the following CVEs, which have been exploited in the wild in the past, are vulnerabilities of concern:

CVE
Description
CVSSv3
VPR
CVE-2021-21972
VMware vSphere Client RCE
9.8
8.4
CVE-2021-21985
VMware vSphere Client RCE
9.8
7.4
CVE-2021-22005
VMware vSphere Client RCE
9.8
7.4

Ransomware and extortion are the end-game for these attacks

The advisory notes that the IRGC-affiliated APT actors are leveraging these flaws to gain initial access to organizations in order to conduct “follow-on operations” that include both data exfiltration and encryption, which are key elements of ransomware and extortion-related attacks. Ransomware remains the greatest threat to global organizations today, as outlined in our Ransomware Ecosystem report. Many of the vulnerabilities referenced in the report overlap with the flaws mentioned in this joint cybersecurity advisory.

Legacy vulnerabilities continue to pose risk to organizations across the globe

From average cybercriminals and ransomware affiliates to threat actors with ties to APT groups, unpatched systems provide attackers with a reliable set of vulnerabilities that they can use to gain initial access into targeted networks globally. The advisory specifically details the fact that these threat actors are “exploiting known vulnerabilities on unprotected networks” and not “targeting specific targeted entities or sectors.”

We strongly recommend all organizations review the vulnerabilities identified in this advisory and apply patches as soon as possible, because whether it’s the IRGC-affiliated actors or ransomware affiliates, these vulnerabilities will continue to be leveraged for the foreseeable future.

The advisory also explicitly calls upon critical infrastructure organizations in particular to review and apply the recommended mitigations.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here. This link uses a search filter to ensure that all matching plugin coverage will appear for the vulnerabilities referenced in this post.

Additionally, Tenable customers can utilize various scan templates that have been created for Log4Shell, including our Log4Shell Vulnerability Ecosystem scan template, ProxyLogon scan template, as well as our Ransomware Ecosystem scan template, which contains nearly 80 CVEs for vulnerabilities used in ransomware attacks.

Get more information

AA22-257A: Joint Cybersecurity Advisory on IRGC-Affiliated Attacks Linked to Ransomware Operations
AA21-321A: Joint Cybersecurity Advisory on Iranian Gov’t Sponsored APT Groups Exploiting Exchange and Fortinet Vulnerabilities

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.

 Several global cybersecurity agencies publish a joint advisory detailing efforts by Iranian-government sponsored threat actors exploiting vulnerabilities to enable ransomware attacks.

Background

On September 14, the Cybersecurity and Infrastructure Security Agency along with the National Security Agency, U.S. Cyber Command, Cyber National Mission Force, the Department of the Treasury, the Australian Cybersecurity Centre, the Canadian Centre for Cyber Security, and the U.K’s National Cyber Security Centre published a joint cybersecurity advisory (AA22-257A) detailing malicious activity linked to advanced persistent threat (APT) actors affiliated with Iranian’s Islamic Revolutionary Guard Corps (IRGC).

Analysis

This advisory builds on a previous joint cybersecurity advisory (AA21-321A) published in November 2021. In this new joint cybersecurity advisory, the agencies highlight several vulnerabilities used by the IRGC-affiliated APT actors to gain initial access to targeted entities from Log4Shell and associated vulnerabilities to ProxyShell and Fortinet flaws:

CVE
Description
CVSSv3
VPR
CVE-2021-44228
Apache Log4j2 Remote Code Execution (RCE)
10.0
10.0
CVE-2021-45046
Apache Log4j2 Denial of Service (DoS) and RCE
9.0
9.2
CVE-2021-45105
Apache Log4j2 DoS
5.9
6.7
CVE-2021-34473
Microsoft Exchange Server RCE (ProxyShell)
9.8
9.7
CVE-2021-34523
Microsoft Exchange Server Elevation of Privilege (EoP) (ProxyShell)
9.8
9.2
CVE-2021-31207
Microsoft Exchange Server Security Feature Bypass (ProxyShell)
7.2
9.2
CVE-2018-13379
Fortinet FortiOS Path Traversal/Arbitrary File Read
9.8
10.0
CVE-2019-5591
Fortinet FortiOS Default Configuration
6.5
8.7
CVE-2020-12812
Fortinet FortiOS Improper Authentication
9.8
10.0

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on September 15 and reflects VPR at that time.

Additional Exchange Server vulnerabilities highlighted in advisory

In addition to the nine vulnerabilities listed above, the advisory also includes the following Microsoft Exchange Server vulnerabilities “as a precaution” because the agencies that authored this advisory “have seen the actors broadly target Microsoft Exchange servers.” However, there are no confirmed reports that these vulnerabilities were exploited in any IRGC-affiliated attacks:

CVE
Description
CVSSv3
VPR
CVE-2021-31196
Microsoft Exchange Server RCE (ProxyOracle)
7.2
9.2
CVE-2021-31206
Microsoft Exchange Server RCE
8.0
8.4
CVE-2021-33768
Microsoft Exchange Server EoP
8.0
9.2
CVE-2021-33766
Microsoft Exchange Server Information Disclosure (ProxyToken)
7.5
7.7
CVE-2021-34470
Microsoft Exchange Server EoP
8.0
9.0

While not mentioned explicitly in the advisory, we believe that organizations should also ensure they’ve applied patches for ProxyLogon and associated vulnerabilities, which preceded ProxyShell and may still be leveraged in attacks against Microsoft Exchange Servers:

CVE
Description
CVSSv3
VPR
CVE-2021-26855
Microsoft Exchange Server (ProxyLogon)
9.8
9.8
CVE-2021-26857
Microsoft Exchange Server Insecure Deserialization
7.8
7.4
CVE-2021-26858
Microsoft Exchange Server Arbitrary File Write
7.8
7.4
CVE-2021-27065
Microsoft Exchange Server Arbitrary File Write
7.8
9.8

Organizations should also keep VMware products up-to-date

Outside of Microsoft Exchange Server, the advisory also notes that organizations should review recent advisories from VMware regarding critical vulnerabilities. The advisory does not mention any CVEs in particular. However, we believe the following CVEs, which have been exploited in the wild in the past, are vulnerabilities of concern:

CVE
Description
CVSSv3
VPR
CVE-2021-21972
VMware vSphere Client RCE
9.8
8.4
CVE-2021-21985
VMware vSphere Client RCE
9.8
7.4
CVE-2021-22005
VMware vSphere Client RCE
9.8
7.4

Ransomware and extortion are the end-game for these attacks

The advisory notes that the IRGC-affiliated APT actors are leveraging these flaws to gain initial access to organizations in order to conduct “follow-on operations” that include both data exfiltration and encryption, which are key elements of ransomware and extortion-related attacks. Ransomware remains the greatest threat to global organizations today, as outlined in our Ransomware Ecosystem report. Many of the vulnerabilities referenced in the report overlap with the flaws mentioned in this joint cybersecurity advisory.

Legacy vulnerabilities continue to pose risk to organizations across the globe

From average cybercriminals and ransomware affiliates to threat actors with ties to APT groups, unpatched systems provide attackers with a reliable set of vulnerabilities that they can use to gain initial access into targeted networks globally. The advisory specifically details the fact that these threat actors are “exploiting known vulnerabilities on unprotected networks” and not “targeting specific targeted entities or sectors.”

We strongly recommend all organizations review the vulnerabilities identified in this advisory and apply patches as soon as possible, because whether it’s the IRGC-affiliated actors or ransomware affiliates, these vulnerabilities will continue to be leveraged for the foreseeable future.

The advisory also explicitly calls upon critical infrastructure organizations in particular to review and apply the recommended mitigations.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here. This link uses a search filter to ensure that all matching plugin coverage will appear for the vulnerabilities referenced in this post.

Additionally, Tenable customers can utilize various scan templates that have been created for Log4Shell, including our Log4Shell Vulnerability Ecosystem scan template, ProxyLogon scan template, as well as our Ransomware Ecosystem scan template, which contains nearly 80 CVEs for vulnerabilities used in ransomware attacks.

Get more information

AA22-257A: Joint Cybersecurity Advisory on IRGC-Affiliated Attacks Linked to Ransomware Operations
AA21-321A: Joint Cybersecurity Advisory on Iranian Gov’t Sponsored APT Groups Exploiting Exchange and Fortinet Vulnerabilities
Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management. 

​Cyber Exposure Alerts Read More 

More To Explore

We can help improve your Business

Ensure your Organization Assets are well  protected in front of the Cyber Attacks

Delivery Workflow

Register for Free and get your test done withn 24 to 48 hours

See Workflow

Sample Report

Here is a sample report of a Security Testing Engagement

See Sample Report PDF

Work Request

Order your security test and Get Your Report

Get Your Test Report
Generated by Feedzy

1. Client Onboarding

Access to all of Cyber Legion's services is provided through the Web Secure Client Portal. To create a Free account, you can sign up through the portal, or contact the Cyber Legion team and they will set up an account for you.

2. NDA , Agreements & Digital Signature

The integration of Digital Signature in our Web Client Portal allows us to legally sign all necessary documents and agreements, enabling us to carry out security assessments on targeted systems.

3. Submit Work Request

Our pricing structure is adaptable to meet the needs of all clients. By filling out the Work Request Form, you can select from pre-existing services or request a personalized proposal.

The Cyber Legion team will acknowledge your order, set up a project in your account, and proceed with the testing and delivery.

4. Security Testing & Report

We meet agreed upon SLAs and follow security testing framework checklists. Based on our commitment, our team of engineers will utilize all of our tools, automation, and testing capabilities to achieve the objectives.

Within the agreed upon timeframe, you will receive a report on the security test that was conducted, including the results, recommendations, and references for addressing any identified issues.

5. Retesting & Validation of Remediation

We not only identify potential threats, risks, and vulnerabilities, but also provide detailed recommendations for resolution. To ensure complete remediation, we offer complimentary retesting and a range of ongoing security testing options for continued vulnerability detection and verification.