Tenable Blog

AA22-257A: Cybersecurity Agencies Issue Joint Advisory on Iranian Islamic Revolutionary Guard Corps-Affiliated Attacks

Tenable Cyber Exposure Alert for New Joint Cybersecurity Advisory AA22-257A

Several global cybersecurity agencies have published a joint advisory detailing efforts by Iranian government-sponsored threat actors to exploit known vulnerabilities in order to enable ransomware attacks.

Background

On September 14, the Cybersecurity and Infrastructure Security Agency (CISA), along with the National Security Agency, U.S. Cyber Command, Cyber National Mission Force, the Department of the Treasury, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security and the U.K.'s National Cyber Security Centre, published a joint cybersecurity advisory (AA22-257A) detailing malicious activity linked to advanced persistent threat (APT) actors affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC).

Analysis

This advisory builds on a previous joint cybersecurity advisory (AA21-321A) published in November 2021. In the new advisory, the agencies highlight several vulnerabilities used by the IRGC-affiliated APT actors to gain initial access to targeted entities, ranging from Log4Shell and its associated vulnerabilities to ProxyShell and Fortinet FortiOS flaws:

| CVE | Description | CVSSv3 | VPR |
| --- | --- | --- | --- |
| CVE-2021-44228 | Apache Log4j2 Remote Code Execution (RCE) | 10.0 | 10.0 |
| CVE-2021-45046 | Apache Log4j2 Denial of Service (DoS) and RCE | 9.0 | 9.2 |
| CVE-2021-45105 | Apache Log4j2 DoS | 5.9 | 6.7 |
| CVE-2021-34473 | Microsoft Exchange Server RCE (ProxyShell) | 9.8 | 9.7 |
| CVE-2021-34523 | Microsoft Exchange Server Elevation of Privilege (EoP) (ProxyShell) | 9.8 | 9.2 |
| CVE-2021-31207 | Microsoft Exchange Server Security Feature Bypass (ProxyShell) | 7.2 | 9.2 |
| CVE-2018-13379 | Fortinet FortiOS Path Traversal/Arbitrary File Read | 9.8 | 10.0 |
| CVE-2019-5591 | Fortinet FortiOS Default Configuration | 6.5 | 8.7 |
| CVE-2020-12812 | Fortinet FortiOS Improper Authentication | 9.8 | 10.0 |

*Please note: Tenable's Vulnerability Priority Rating (VPR) scores are recalculated nightly. This blog post was published on September 15 and reflects the VPR values at that time.

Additional Exchange Server vulnerabilities highlighted in advisory

In addition to the nine vulnerabilities listed above, the advisory also includes the following Microsoft Exchange Server vulnerabilities "as a precaution," because the authoring agencies "have seen the actors broadly target Microsoft Exchange servers." However, there are no confirmed reports that these vulnerabilities have been exploited in any IRGC-affiliated attacks:

| CVE | Description | CVSSv3 | VPR |
| --- | --- | --- | --- |
| CVE-2021-31196 | Microsoft Exchange Server RCE (ProxyOracle) | 7.2 | 9.2 |
| CVE-2021-31206 | Microsoft Exchange Server RCE | 8.0 | 8.4 |
| CVE-2021-33768 | Microsoft Exchange Server EoP | 8.0 | 9.2 |
| CVE-2021-33766 | Microsoft Exchange Server Information Disclosure (ProxyToken) | 7.5 | 7.7 |
| CVE-2021-34470 | Microsoft Exchange Server EoP | 8.0 | 9.0 |

While not mentioned explicitly in the advisory, we believe organizations should also ensure they have applied patches for ProxyLogon and its associated vulnerabilities, which preceded ProxyShell and may still be leveraged in attacks against Microsoft Exchange Server:

| CVE | Description | CVSSv3 | VPR |
| --- | --- | --- | --- |
| CVE-2021-26855 | Microsoft Exchange Server (ProxyLogon) | 9.8 | 9.8 |
| CVE-2021-26857 | Microsoft Exchange Server Insecure Deserialization | 7.8 | 7.4 |
| CVE-2021-26858 | Microsoft Exchange Server Arbitrary File Write | 7.8 | 7.4 |
| CVE-2021-27065 | Microsoft Exchange Server Arbitrary File Write | 7.8 | 9.8 |

Organizations should also keep VMware products up-to-date

Outside of Microsoft Exchange Server, the advisory also notes that organizations should review recent advisories from VMware regarding critical vulnerabilities. The advisory does not name any CVEs in particular. However, we believe the following CVEs, which have been exploited in the wild in the past, are the vulnerabilities of concern:

| CVE | Description | CVSSv3 | VPR |
| --- | --- | --- | --- |
| CVE-2021-21972 | VMware vSphere Client RCE | 9.8 | 8.4 |
| CVE-2021-21985 | VMware vSphere Client RCE | 9.8 | 7.4 |
| CVE-2021-22005 | VMware vSphere Client RCE | 9.8 | 7.4 |

Ransomware and extortion are the end-game for these attacks

The advisory notes that the IRGC-affiliated APT actors are leveraging these flaws to gain initial access to organizations in order to conduct "follow-on operations" that include both data exfiltration and encryption, the key elements of ransomware and extortion-related attacks. Ransomware remains the greatest threat to global organizations today, as outlined in our Ransomware Ecosystem report, and many of the vulnerabilities referenced in that report overlap with the flaws mentioned in this joint cybersecurity advisory.

Legacy vulnerabilities continue to pose risk to organizations across the globe

From run-of-the-mill cybercriminals and ransomware affiliates to threat actors with ties to APT groups, unpatched systems provide attackers with a reliable set of vulnerabilities they can use to gain initial access into targeted networks around the globe. The advisory specifically states that these threat actors are "exploiting known vulnerabilities on unprotected networks" rather than "targeting specific targeted entities or sectors."

We strongly recommend that all organizations review the vulnerabilities identified in this advisory and apply patches as soon as possible: whether the attacker is an IRGC-affiliated actor or a ransomware affiliate, these vulnerabilities will continue to be leveraged for the foreseeable future.

The advisory also explicitly calls upon critical infrastructure organizations in particular to review and apply the recommended mitigations.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here. The link uses a search filter so that all matching plugin coverage for the vulnerabilities referenced in this post will appear.

Additionally, Tenable customers can use the scan templates that have been created for these flaws, including our Log4Shell Vulnerability Ecosystem scan template and ProxyLogon scan template, as well as our Ransomware Ecosystem scan template, which covers nearly 80 CVEs for vulnerabilities used in ransomware attacks.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
