CISA warns Iranian APT against US infrastructure
Iranian threat actors who are likely sponsored by the country’s government exploited known vulnerabilities in Fortinet security appliances and the ProxyShell flaw in Microsoft Exchange servers to gain access to organizations across multiple industries in the US, UK and in Australia in recent months. , including hospitals and government agencies, according to a new U.S. government alert.
Activity has been ongoing since at least March, and attackers have used a handful of separate vulnerabilities to compromise target networks, especially the ProxyShell bug in Exchange which has been public since July. In a new alert released on Wednesday, the FBI, Cybersecurity and Infrastructure Security Agency, and UK and Australian agencies attributed the attacks to “Iranian government-sponsored APT actors,” but did not specifically name a group. . However, during a conference at Cyberwarcon on Tuesday, researchers at the Microsoft Threat Intelligence Center described in detail the operations of the Iran-based Phosphorus APT group that closely matched the techniques and tactics used in the intrusions mentioned in the new alert.
Phosphorus is a prolific attack group and is known to have run a number of successful campaigns recently, including one targeting medical researchers in December. The group has carried out a targeted phishing campaign against senior researchers in various organizations, and in other campaigns, the group has attacked critical infrastructure entities. In 2019, Microsoft removed much of the Phosphorus infrastructure, and security researchers and law enforcement are following the group closely.
The group described in the new CISA alert has been seen exploiting three individual vulnerabilities in Fortinet appliances, including a three-year-old path-crossing flaw in FortiOS. The attackers also exploited one of the vulnerabilities in Exchange (CVE-2021-34473) that makes up the ProxyShell chain.
“The FBI and CISA observed that this Iranian government-sponsored APT group has been exploiting Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems prior to tracking operations,” which include the deployment of ransomware. . The ACSC is also aware that this APT group used the same Microsoft Exchange vulnerability in Australia, ”the advisory said.
Iranian government sponsored APT actors may have established new user accounts on domain controllers, servers, workstations and active directories.
“Iranian government-sponsored APT actors are actively targeting a wide range of victims in several critical infrastructure sectors in the United States, including the transportation sector and the health and public health sector, as well as Australian organizations. “
In a few of the intrusions reported by the CISA Alert, attackers specifically targeted Fortinet Fortigate appliances that had known vulnerabilities, exploited them, and then took other measures to maintain persistent access.
“In May 2021, these Iranian government sponsored APT actors operated a Fortigate appliance to access a web server hosting the domain of a US municipal government. The actors have probably created an account with the username elie to further activate malicious activity, ”the alert said.
“In June 2021, these APT players operated a Fortigate device to access environmental monitoring networks associated with a US hospital specializing in children’s health. The APT actors accessed known user accounts at the hospital. Iranian government sponsored APT actors may have established new user accounts on domain controllers, servers, workstations and active directories. Some of these accounts appear to have been created to look like other existing accounts on the network, so the specific account names may vary from organization to organization.
In most cases, Iranian attackers exploit known and older vulnerabilities and use well-known techniques in order to stay present on target networks and move sideways. CISA recommends that organizations implement MFA whenever possible to prevent attackers from gaining access to target accounts.