UNC1549, a suspected Iran-linked espionage group, has been seen targeting organizations in the aerospace, aviation, and defense sectors using vulnerabilities in Microsoft Exchange Server.
The following software vulnerabilities have been observed in use during the UNC1549 campaigns:
CVE-2020-0688 is a remote code execution (RCE) vulnerability in Microsoft Exchange Server which allows an authenticated attacker to run arbitrary code as SYSTEM on the Exchange server.
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Microsoft Exchange Server which allows an unauthenticated attacker to execute arbitrary commands on the Exchange server.
FortiGuard Outbreak Alert: Microsoft Exchange Server Remote Code Execution - CVE-2020-0688
Attack: Exploitation
T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: Microsoft Exchange Server Remote Code Execution - CVE-2021-26855
Attack: Exploitation
T1190 - Exploit Public-Facing Application
Playbook
N/A
Threat Hunting
FortiNDR Cloud users can use the following IOCs from Fortinet to hunt for “UNC1549 Critical Infrastructure Espionage Attack” related activities. IOC source: UNC1549 Critical Infrastructure Espionage Attack | Indicator of Compromise All IOCs relating to "UNC1549 Critical Infrastructure Espionage Attack" have been added to Threat Intelligence Intel.
Suricata Coverage
Customers can create custom investigation/detections using the Suricata signatures below: 2029540 -> ET WEB_SPECIFIC_APPS Possible Attempted Microsoft Exchange RCE (CVE-2020-0688)
