{
	"id": "f5b5f202-d409-4948-ad70-4560297a9a29",
	"created_at": "2026-04-06T00:15:07.617207Z",
	"updated_at": "2026-04-10T03:21:32.527789Z",
	"deleted_at": null,
	"sha1_hash": "0cc8904fba6ea6c83b7d338aa693d48a34b1b401",
	"title": "Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 141041,
	"plain_text": "Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft\r\nExchange and Fortinet Vulnerabilities in Furtherance of Malicious\r\nActivities | CISA\r\nPublished: 2021-11-19 · Archived: 2026-04-05 17:07:43 UTC\r\nSummary\r\nActions to Take Today to Protect Against Iranian State-Sponsored Malicious Cyber Activity\r\n• Immediately patch software affected by the following vulnerabilities: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and\r\nCVE-2019-5591.\r\n• Implement multi-factor authentication.\r\n• Use strong, unique passwords.\r\nNote: this advisory uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) framework,\r\nversion 10. See the ATT\u0026CK for Enterprise for all referenced threat actor tactics and techniques.\r\nThis joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the\r\nCybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United\r\nKingdom’s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent\r\nthreat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have\r\nobserved this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a\r\nMicrosoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of\r\nfollow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same\r\nMicrosoft Exchange vulnerability in Australia.\r\nThe Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical\r\ninfrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian\r\norganizations. 
FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than\r\ntargeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on\r\noperations, such as data exfiltration or encryption, ransomware, and extortion.\r\nThis advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that FBI, CISA, ACSC,\r\nand NCSC assess are likely associated with this Iranian government-sponsored APT activity.\r\nThe FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the\r\nMitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.\r\nFor a downloadable copy of IOCs, see AA21-321A.stix.\r\nFor more information on Iranian government-sponsored malicious cyber activity, see us-cert.cisa.gov/Iran.\r\nTechnical Details\r\nThreat Actor Activity\r\nSince at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft\r\nExchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in\r\nfurtherance of malicious activities. Observed activity includes the following.\r\nIn March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on\r\nports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for\r\nFortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591. The Iranian government-sponsored APT actors\r\nlikely exploited these vulnerabilities to gain access to vulnerable networks. 
Note: for previous FBI and CISA\r\nreporting on this activity, refer to Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial\r\nAccess for Future Attacks.\r\nIn May 2021, these Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver\r\nhosting the domain for a U.S. municipal government. The actors likely created an account with the username elie\r\nto further enable malicious activity. Note: for previous FBI reporting on this activity, refer to FBI FLASH: APT\r\nActors Exploiting Fortinet Vulnerabilities to Gain Initial Access for Malicious Activity.\r\nIn June 2021, these APT actors exploited a Fortigate appliance to access environmental control networks associated\r\nwith a U.S.-based hospital specializing in healthcare for children. The Iranian government-sponsored APT actors\r\nlikely leveraged a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20—which FBI and CISA\r\njudge are associated with Iranian government cyber activity—to further enable malicious activity against the\r\nhospital’s network.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-321a\r\nPage 1 of 6\n\n
The APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70,\r\nwhich FBI and CISA judge is associated with government of Iran offensive cyber activity.\r\nAs of October 2021, these APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability—CVE-2021-34473—to gain initial access to systems in advance of follow-on operations.\r\nACSC considers that this APT group has also used the same Microsoft Exchange vulnerability (CVE-2021-34473) in\r\nAustralia.\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nFBI, CISA, ACSC, and NCSC assess the following tactics and techniques are associated with this activity.\r\nResource Development [TA0042]\r\nThe APT actors have used the following malicious and legitimate tools [T1588.001, T1588.002] for a variety of tactics\r\nacross the enterprise spectrum.\r\nMimikatz for credential theft [TA0006]\r\nWinPEAS for privilege escalation [TA0004]\r\nSharpWMI (Windows Management Instrumentation)\r\nWinRAR for archiving collected data [TA0009, T1560.001]\r\nFileZilla for transferring files [TA0010]\r\nInitial Access [TA0001]\r\nThe Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities affecting Microsoft\r\nExchange servers (CVE-2021-34473) and Fortinet devices (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591)\r\n[T1190].\r\nExecution [TA0002]\r\nThe Iranian government-sponsored APT actors may have made modifications to the Task Scheduler [T1053.005]. These\r\nmodifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be\r\nassociated with this activity:\r\nSynchronizeTimeZone\r\nGoogleChangeManagement\r\nMicrosoftOutLookUpdater\r\nMicrosoftOutLookUpdateSchedule\r\nPersistence [TA0003]\r\nThe Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers,\r\nworkstations, and active directories [T1136.001, T1136.002]. 
Some of these accounts appear to have been created to\r\nlook similar to other existing accounts on the network, so specific account names may vary per organization. In addition to\r\nunrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames\r\nmay be associated with this activity:\r\nSupport\r\nHelp\r\nelie\r\nWADGUtilityAccount\r\nExfiltration [TA0010]\r\nThe FBI and CISA observed outbound File Transfer Protocol (FTP) transfers over port 443.\r\nImpact [TA0040]\r\nThe APT actors forced BitLocker activation on host networks to encrypt data [T1486]. The corresponding threatening notes\r\nwere either sent to the victim or left on the victim network as a .txt file. The ransom notes included ransom demands and the\r\nfollowing contact information.\r\nsar_addr@protonmail[.]com\r\nWeAreHere@secmail[.]pro\r\nnosterrmann@mail[.]com\r\nnosterrmann@protonmail[.]com\r\nDetection\r\nThe FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange servers and Fortinet investigate\r\npotential suspicious activity in their networks.\r\nSearch for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. Note: refer to Appendix\r\nA for IOCs.\r\nInvestigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise.\r\nInvestigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM)\r\nconfigurations that may allow attackers to maintain persistent access.\r\nReview domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.\r\nReview Task Scheduler for unrecognized scheduled tasks. 
Additionally, manually review operating-system defined or\r\nrecognized scheduled tasks for unrecognized “actions” (for example, review the steps each scheduled task is\r\nexpected to perform).\r\nReview antivirus logs for indications they were unexpectedly turned off.\r\nLook for WinRAR and FileZilla in unexpected locations.\r\nNote: for additional approaches on uncovering malicious cyber activity, see joint advisory Technical Approaches to\r\nUncovering and Remediating Malicious Activity, authored by CISA and the cybersecurity authorities of Australia, Canada,\r\nNew Zealand, and the United Kingdom.\r\nMitigations\r\nThe FBI, CISA, ACSC, and NCSC urge network defenders to apply the following mitigations to reduce the risk of\r\ncompromise by this threat.\r\nPatch and Update Systems\r\nInstall updates/patch operating systems, software, and firmware as soon as updates/patches are released.\r\nImmediately patch software affected by vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.\r\nEvaluate and Update Blocklists and Allowlists\r\nRegularly evaluate and update blocklists and allowlists.\r\nIf FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s\r\nexecution blocklist. Any attempts to install or run this program and its associated files should be prevented.\r\nImplement and Enforce Backup and Restoration Policies and Procedures\r\nRegularly back up data, air gap, and password protect backup copies offline.\r\nEnsure copies of critical data are not accessible for modification or deletion from the system where the data resides.\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a\r\nphysically separate, segmented, secure location (e.g., hard drive, storage device, the cloud). 
\r\nImplement Network Segmentation\r\nImplement network segmentation to restrict adversaries’ lateral movement.\r\nSecure User Accounts\r\nAudit user accounts with administrative privileges and configure access controls under the principles of least\r\nprivilege and separation of duties.\r\nRequire administrator credentials to install software.\r\nImplement Multi-Factor Authentication\r\nUse multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), and\r\naccounts that access critical systems.\r\nUse Strong Passwords\r\nRequire all accounts with password logins to have strong, unique passwords.\r\nSecure and Monitor RDP and other Potentially Risky Services\r\nIf you use RDP, restrict it to limit access to resources over internal networks.\r\nDisable unused remote access/RDP ports.\r\nMonitor remote access/RDP logs.\r\nUse Antivirus Programs\r\nInstall and regularly update antivirus and anti-malware software on all hosts. 
\r\nSecure Remote Access\r\nOnly use secure networks and avoid using public Wi-Fi networks.\r\nConsider installing and using a VPN for remote access.\r\nReduce Risk of Phishing\r\nConsider adding an email banner to emails received from outside your organization.\r\nDisable hyperlinks in received emails.\r\nResources\r\nFor more information on Iranian government-sponsored malicious cyber activity, see us-cert.cisa.gov/Iran.\r\nFor information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a\r\ncentralized, whole-of-government webpage providing ransomware resources and alerts.\r\nThe joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and\r\nthe United States: Technical Approaches to Uncovering and Remediating Malicious Activity provides additional\r\nguidance when hunting or investigating a network and common mistakes to avoid in incident handling.\r\nCISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and\r\nreduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could\r\nfind ways to reduce their risk and mitigate attack vectors.\r\nThe U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of\r\nforeign government malicious activity against U.S. critical infrastructure. See the RFJ website for more\r\ninformation and how to report information securely.\r\nACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at\r\ncyber.gov.au and via 1300 292 371 (1300 CYBER1).\r\nAppendix A: Indicators of Compromise\r\nIP addresses and executable files are listed below. 
For a downloadable copy of IOCs, see AA21-321A.stix.\r\nIP Addresses\r\n91.214.124[.]143\r\n162.55.137[.]20\r\n154.16.192[.]70\r\nExecutable Files\r\nExecutable files observed in this activity are identified in table 1.\r\nTable 1: Executable Files\r\nFilename: MicrosoftOutLookUpdater[.]exe\r\nFilename: MicrosoftOutlookUpdater.bat\r\nFilename: MicrosoftOutlookUpdater.xml\r\nFilename: MicrosoftOutLookUpdater[.]exe\r\nFilename: GoogleChangeManagement.xml\r\nFilename: Connector3.exe\r\nFilename: Audio.exe or frpc.exe\r\nNote:\r\nIdentical to “frpc.exe” available at:\r\nhttps://github[.]com/fatedier/frp/releases/download/v0.34.3/frp_0.34.3_windows_amd64.zip\r\nFilename: Frps.exe\r\nNote:\r\nIdentical to “frps.exe” available at:\r\nhttps://github[.]com/fatedier/frp/releases/download/v0.33.0/frp_0.33.0_windows_amd64.zip\r\nAPPENDIX B: MITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nTable 2 identifies MITRE ATT\u0026CK Tactics and techniques observed in this activity.\r\nTable 2: Observed Tactics and Techniques\r\nTactic | Technique\r\nResource Development [TA0042] | Obtain Capabilities: Malware [T1588.001]\r\n | Obtain Capabilities: Tool [T1588.002]\r\nInitial Access [TA0001] | Exploit Public-Facing Application [T1190]\r\nExecution [TA0002] | Scheduled Task/Job: Scheduled Task [T1053.005]\r\nPersistence [TA0003] | Create Account: Local Account [T1136.001]\r\n | Create Account: Domain Account [T1136.002]\r\nPrivilege Escalation [TA0004] |\r\nCredential Access [TA0006] |\r\nCollection [TA0009] | Archive Collected Data: Archive via Utility [T1560.001]\r\nExfiltration [TA0010] |\r\nImpact [TA0040] | Data Encrypted for Impact [T1486]\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local\r\nFBI field office at 
https://www.fbi.gov/contact-us/field-offices, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937\r\nor by e-mail at CyWatch@fbi.gov. When available, please include the following information regarding the incident: date,\r\ntime, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the\r\nname of the submitting company or organization; and a designated point of contact. To request incident response resources\r\nor technical assistance related to these threats, contact CISA at Central@cisa.dhs.gov. Australian organizations can visit\r\ncyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.\r\nRevisions\r\nNovember 17, 2021: Initial Version\r\nNovember 19, 2021: Added STIX files\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa21-321a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa21-321a"
	],
	"report_names": [
		"aa21-321a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434507,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0cc8904fba6ea6c83b7d338aa693d48a34b1b401.pdf",
		"text": "https://archive.orkl.eu/0cc8904fba6ea6c83b7d338aa693d48a34b1b401.txt",
		"img": "https://archive.orkl.eu/0cc8904fba6ea6c83b7d338aa693d48a34b1b401.jpg"
	}
}