TTPs Used by the Iranian APT Exploiting Exchange and Fortinet Vulnerabilities



US CISA (Cybersecurity and Infrastructure Security Agency), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert (AA21-321A) on November 17, 2021, highlighting ongoing malicious cyber activity by an advanced persistent threat (APT) group associated with the government of Iran.

According to the alert, since at least March 2021, this Iranian government-sponsored APT group has exploited Fortinet FortiOS vulnerabilities (CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379) and a Microsoft Exchange ProxyShell vulnerability (CVE-2021-34473) to gain initial access to systems and deploy double-extortion ransomware. In other words, this APT group exfiltrates data in addition to encrypting files. The main target is the critical infrastructure sector, including transportation and public health.

In this blog, we analyze the tactics, techniques, and procedures utilized by this APT group to understand their attack methods and impact.

Tactics, Techniques, and Procedures (TTPs) used by the APT group

This section presents malicious behaviors of the Iranian government-sponsored APT group by categorizing them using the MITRE ATT&CK framework version 10.1.

1. Initial Access

1.1 MITRE ATT&CK T1190 Exploit Public-Facing Application

These Iranian government-sponsored APT actors exploit the following vulnerabilities to gain access to target environments:


CVE ID | Affected Products | Vulnerability Type | CVSS 3.1 Base Score
CVE-2020-12812 | SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below | Improper Authentication, Operational Risk | 9.8 Critical
CVE-2019-5591 | Fortigate FortiOS 6.2.0 and below | Information Disclosure | 6.5 Medium
CVE-2018-13379 | FortiOS 6.0.0 to 6.0.4, FortiOS 5.6.3 to 5.6.7, FortiOS 5.4.6 to 5.4.12 | Path Traversal, Information Disclosure | 9.8 Critical
CVE-2021-34473 | Microsoft Exchange Server | Remote Code Execution | 9.8 Critical

2. Execution

2.1 MITRE ATT&CK T1047 Windows Management Instrumentation

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. Adversaries abuse WMI to execute a wide range of functions.

The threat actor has used SharpWMI, a C# implementation of various WMI functionality, including local/remote WMI queries, remote WMI process creation through win32_process, and remote execution of arbitrary VBS through WMI event subscriptions.

2.2 MITRE ATT&CK T1053.005 Scheduled Task/Job: Scheduled Task

The threat group has used task XML files named GoogleChangeManagement.xml and MicrosoftOutlookUpdater.xml to create scheduled tasks for executing malicious payloads. They have used the following task URIs: SynchronizeTimeZone, GoogleChangeManagement, MicrosoftOutLookUpdater, and MicrosoftOutLookUpdateSchedule.
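As an added defender-side example (not code from the advisory or from Picus), the following Python scans exported Task Scheduler XML files and flags tasks whose URI leaf name matches the task names listed above; it also pulls out the command each flagged task runs so an analyst can see the payload. The sample task XML is constructed, and the only assumption is the standard location of the Windows task store, C:\Windows\System32\Tasks.

```python
import os
import xml.etree.ElementTree as ET

# Task names reported for this APT group (see above), matched case-insensitively on the URI leaf.
KNOWN_TASK_NAMES = {"synchronizetimezone", "googlechangemanagement",
                    "microsoftoutlookupdater", "microsoftoutlookupdateschedule"}
# Namespace of Task Scheduler XML files (stored under C:\Windows\System32\Tasks on Windows).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def parse_task_xml(data):
    """Return (uri, [(command, arguments), ...]) from Task Scheduler XML given as str or bytes."""
    root = ET.fromstring(data)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS).strip()
    actions = [(exe.findtext("t:Command", default="", namespaces=NS).strip(),
                exe.findtext("t:Arguments", default="", namespaces=NS).strip())
               for exe in root.findall("t:Actions/t:Exec", NS)]
    return uri, actions

def task_leaf_name(uri):
    """'\\Microsoft\\Windows\\Foo' -> 'foo': drop the task folder prefix and lower-case the name."""
    return uri.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()

def check_task(data):
    """Return (flagged, uri, actions); flagged is True when the task name is a known indicator."""
    uri, actions = parse_task_xml(data)
    return task_leaf_name(uri) in KNOWN_TASK_NAMES, uri, actions

def scan_tasks_dir(tasks_dir):
    """Walk a copy of the task store and return (path, uri, actions) for every flagged task."""
    hits = []
    for dirpath, _, files in os.walk(tasks_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # files are UTF-16 on disk; bytes let expat detect the BOM
                try:
                    flagged, uri, actions = check_task(fh.read())
                except ET.ParseError:
                    continue  # not a task XML file
            if flagged:
                hits.append((path, uri, actions))
    return hits

# Constructed sample resembling a GoogleChangeManagement task; not a file captured from an incident.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\GoogleChangeManagement</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\Public\\update.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>"""
```

Matching on the leaf name means a task registered under a folder such as \Microsoft\Windows\MicrosoftOutLookUpdater is still caught; extend KNOWN_TASK_NAMES as new task names are reported.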

3. Credential Access

3.1. MITRE ATT&CK T1003 OS Credential Dumping

The APT group has used the Mimikatz tool to obtain username and password information useful in gaining access to additional systems in the target network.

4. Privilege Escalation

The APT actor has used WinPEAS, a script that searches for possible paths to escalate privileges on Windows hosts.

5. Collection

5.1. MITRE ATT&CK T1560.001 Archive Collected Data: Archive via Utility

Adversaries use third-party utilities to compress or encrypt collected data prior to exfiltration. This APT group has used WinRAR to archive collected data.


6. Exfiltration

6.1. MITRE ATT&CK T1048 Exfiltration Over Alternative Protocol

This threat actor has used File Transfer Protocol (FTP) over port 443 to exfiltrate collected data.
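As an added detection example (not from the advisory or from Picus), the Python below scans connection records and flags flows whose identified application protocol does not match the one expected on the destination port, which generalizes the FTP-over-443 case above to any protocol-on-the-wrong-port pattern. The log lines are constructed and use a simplified subset of Zeek conn.log columns; the expected-service table and the byte threshold are assumptions to tune per environment.

```python
# Expected L7 service on common ports; a flow whose identified service differs is a mismatch.
EXPECTED_SERVICE = {443: "ssl", 80: "http", 21: "ftp", 22: "ssh", 25: "smtp"}
# Column layout of the constructed log lines below (a subset of Zeek conn.log fields, tab-separated).
COLUMNS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service", "orig_bytes", "resp_bytes"]

def parse_conn_line(line):
    """Parse one tab-separated connection record into a dict; '-' means the field is unset."""
    rec = dict(zip(COLUMNS, line.rstrip("\n").split("\t")))
    rec["resp_p"] = int(rec["resp_p"])
    for key in ("orig_bytes", "resp_bytes"):
        rec[key] = 0 if rec[key] == "-" else int(rec[key])
    return rec

def find_service_port_mismatches(lines, min_orig_bytes=0):
    """Return records where the identified service is not the one expected on the destination port.

    FTP on 443 (the case described above) is one instance; TLS on 21 or SSH on 80 would also match.
    min_orig_bytes lets a hunt focus on flows that pushed a meaningful amount of data outbound."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip blank lines and Zeek-style header lines
        rec = parse_conn_line(line)
        expected = EXPECTED_SERVICE.get(rec["resp_p"])
        if expected is None or rec["service"] in ("-", expected):
            continue  # unknown port, or the service matches (or was not identified at all)
        if rec["orig_bytes"] >= min_orig_bytes:
            rec["reason"] = f"{rec['service']} on port {rec['resp_p']} (expected {expected})"
            hits.append(rec)
    return hits

def outbound_bytes_by_pair(hits):
    """Sum orig_bytes per (orig_h, resp_h) so a single large exfiltration pair stands out from noise."""
    totals = {}
    for rec in hits:
        key = (rec["orig_h"], rec["resp_h"])
        totals[key] = totals.get(key, 0) + rec["orig_bytes"]
    return totals

# Constructed sample records (not real traffic): one normal TLS flow, one FTP session to 443
# pushing about 50 MB outbound, and one ordinary FTP session to port 21.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\t" + "\t".join(COLUMNS),
    "1637100000.1\tC1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\t2300\t15000",
    "1637100060.4\tC2\t10.0.0.5\t51301\t198.51.100.7\t443\ttcp\tftp\t52428800\t1200",
    "1637100120.0\tC3\t10.0.0.9\t51500\t198.51.100.7\t21\ttcp\tftp\t2048\t300",
])
```

The check relies on the sensor identifying the protocol from content rather than from the port number, which is exactly what defeats a port-based allow rule for 443.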

7. Impact

7.1. MITRE ATT&CK T1486 Data Encrypted for Impact

Threat actors may encrypt data on target systems, or on a large number of systems connected to a network, to disrupt the availability of system and network resources. They can make stored data unusable by encrypting files on local and remote drives, which is typical ransomware behavior. This government-sponsored APT actor has forced BitLocker activation to encrypt data.

How Picus Helps Simulate and Prevent Attacks by the Iranian APT Group

We strongly suggest simulating APT groups to test the effectiveness of your security controls against their attacks using the Picus Security Control Validation Platform.

Picus Threat Library includes the following threats for the vulnerabilities used by the APT group. It contains 2,000+ vulnerability exploitation and endpoint attacks in addition to 11,000+ other threats as of November 18, 2021.

Picus ID | Threat Name
 | Fortinet FortiGate SSL VPN Arbitrary File Read Variant-1
 | ProxyShell URL Normalization Bypass via AutoDiscover Endpoint Variant-1
 | ProxyShell URL Normalization Bypass via AutoDiscover Endpoint Variant-2
 | ProxyShell URL Normalization Bypass via AutoDiscover Endpoint Variant-3


Picus Threat Library also includes attacks for post-compromise malicious behavior of attackers. Moreover, Picus Mitigation Library provides ready-to-use vendor-specific or vendor-agnostic detection rules for each TTP for building a proactive defense against adversaries.

For example, the following table includes a threat simulating credential dumping using the Mimikatz tool and a detection rule in the Picus Mitigation Library that detects this threat.

Picus Threat Library - Threat | Picus Mitigation Library - Detection Rule
393510 Credential Dumping using Mimikatz Tool | 4920 Password and Hash Dump via Mimikatz


Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address exploits used by the APT group.

Security Control | Signature ID | Signature Name
FortiGate IPS | | web_app3: MS.Exchange.Server.Common.Access.Token.Privilege.Elevation
FortiGate IPS | | web_app3: MS.Exchange.Server.CVE-2021-34473.Remote.Code.Execution
Snort IPS | | SERVER-WEBAPP Microsoft Exchange server security feature bypass attempt
Snort IPS | | SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
Snort IPS | | SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
Palo Alto Networks NGFW | | Microsoft Exchange Server SSRF Vulnerability
Palo Alto Networks NGFW | | Microsoft Exchange EwsAutodiscoverProxyRequestHandler Server Side Request Forgery Vulnerability
F5 Advanced Web Application Firewall | | Microsoft Exchange ProxyShell SSRF
F5 Advanced Web Application Firewall | | Microsoft Exchange ProxyShell Privilege Escalation
McAfee’s Network Security Platform (IPS) | | HTTP: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-34473)
Forcepoint NGFW | |
Cisco Firepower NGFW | | SERVER-WEBAPP Microsoft Exchange server security feature bypass attempt
Cisco Firepower NGFW | | SERVER-WEBAPP Microsoft Exchange autodiscover server side request forgery attempt
Trend Micro TippingPoint IPS | | HTTP: Microsoft Exchange Server Autodiscover SSRF Vulnerability (PWN2OWN ZDI-21-821)


IOCs (Indicators of Compromise)

SHA256 Hashes

Created Task URIs

Created Account Names