CISA reports that an advanced persistent threat (APT) group since March of 2021 has been exploiting Fortinet vulnerabilities and, since October 2021, a Microsoft Exchange ProxyShell vulnerability “to gain initial access to systems in advance of follow-on operations, which include deploying ransomware.” Both the Fortinet and Exchange vulnerabilities may have existed before March and October 2021, respectively.
The following is from the Joint Cybersecurity Advisory released this morning at approx. 11 AM EST:
“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.
This joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC). ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.
FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”
Executive Summary: Joint Cybersecurity Advisory AA21-321A
- Joint Cybersecurity Advisory AA21-321A provides details on:
- Threat Actor Activity
- Observed Tactics and Techniques
- Indicators of Compromise
- Specific recommendations for detection and mitigation: “FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.”
CISA also recommends reviewing its Iran Cyber Threat Overview and other Iran-related Advisories.
Threat Actor Activity
- In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports for Fortinet FortiOS vulnerability and enumerating devices for FortiOS vulnerabilities.
- The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks. Note: for previous FBI and CISA reporting on this activity, refer to Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks.
- In May 2021, these Iranian government-sponsored APT actors exploited a Fortigate appliance to access a web server hosting the domain for a U.S. municipal government. The actors likely created an account with the username elie to further enable malicious activity. Note: for previous FBI reporting on this activity, refer to FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Initial Access for Malicious Activity.
- In June 2021, these APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses that FBI and CISA judge are associated with Iranian government cyber activity—to further enable malicious activity against the hospital’s network.
- The APT actors accessed known user accounts at the hospital from an IP address which FBI and CISA judge is associated with the government of Iran offensive cyber activity.
- As of October 2021, these APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability to gain initial access to systems in advance of follow-on operations.
Detection and Mitigation Resources
Resources itemized in the advisory include:
- For information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, whole-of-government webpage providing ransomware resources and alerts.
- The joint advisory from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States: Technical Approaches to Uncovering and Remediating Malicious Activity provides additional guidance when hunting or investigating a network and common mistakes to avoid in incident handling.
- CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify, and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.
- The U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.
- ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at cyber.gov.au and via 1300 292 371 (1300 CYBER1).
Related Reading:
Additional OODA Loop coverage provides some of the backstory of these Iranian APT group activities leading to the release of the advisory today:
OODA Loop – Now Iran’s state-backed hackers are turning to ransomware
OODA Loop – Iranian hackers targeting telecoms, ISPs
Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking
The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking
