Government officials from the United States, the United Kingdom and Australia warned on Wednesday that critical infrastructure in the United States is in the crosshairs of Iranian government hackers, who are exploiting known vulnerabilities in enterprise products from Microsoft and Fortinet.
A joint advisory published Wednesday said an advanced persistent threat (APT) group aligned with the Iranian government is exploiting vulnerabilities in Microsoft Exchange and Fortinet FortiOS, the operating system that underpins Fortinet's security appliances. All of the vulnerabilities have been patched, but not everyone who uses the products has installed the updates. The advisory was issued by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the UK's National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC).
Wide range of targets
“Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the transportation sector and the healthcare and public health sector, as well as Australian organizations,” the advisory stated. “FBI, CISA, ACSC, and NCSC assess the actors [are] focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”
The advisory said the FBI and CISA have observed the group exploiting the Fortinet vulnerabilities since at least March and the Microsoft Exchange vulnerability since at least October to gain initial access to systems. The hackers then carry out follow-on operations, including deploying ransomware.
In May, the attackers targeted an unnamed US municipality, where they likely created an account with the username “elie” to maintain access to the compromised network. A month later, they hacked a US hospital specializing in children’s healthcare. The latter attack likely involved Iran-linked servers at 91.214.124[.]143, 162.55.137[.]20 and 154.16.192[.]70.
Last month, the APT actors exploited Microsoft Exchange vulnerabilities to gain initial access to systems ahead of follow-on operations. Australian authorities said they had also observed the group exploiting the Exchange flaw.
Watch out for unknown user accounts
The hackers may have created new user accounts on the domain controllers, servers, workstations and Active Directory of the networks they have compromised. Some of the accounts appear to mimic existing ones, so the usernames often differ from one target organization to the next. The advisory said network defenders should look for unrecognized accounts, paying particular attention to usernames such as Support, Help, elie and WADGUtilityAccount.
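One way to run that hunt on a Windows domain, written here as an added example rather than anything from the advisory: it checks domain and local accounts against the listed names, lists who currently holds local administrator rights, and pulls account-creation events (Security event 4720) together with the principal that created each account. Because the attackers mimic existing account names, the creation time and the creating principal are the more reliable pivot; the 180-day lookback and the need for the RSAT ActiveDirectory module and a local-administrator session are assumptions.

```powershell
# Added example, not code from the advisory. Hunts for the account names the
# advisory lists and for recently created domain and local accounts.
# Assumptions: RSAT ActiveDirectory module installed, read access to AD, and an
# elevated session so the Security log can be read.
$SuspectNames = @('Support', 'Help', 'elie', 'WADGUtilityAccount')
$Since        = (Get-Date).AddDays(-180)   # lookback window (assumption; tune locally)

Import-Module ActiveDirectory

# 1. Domain accounts: name matches the list, or the account was created in the window.
#    -contains is case-insensitive, so 'help' and 'Help' both match.
$domainHits = Get-ADUser -Filter * -Properties whenCreated, LastLogonDate |
    Where-Object {
        ($SuspectNames -contains $_.SamAccountName) -or ($_.whenCreated -gt $Since)
    } |
    Select-Object SamAccountName, whenCreated, LastLogonDate, Enabled, DistinguishedName

# 2. Local accounts on this host, and the current membership of local Administrators.
$localHits   = Get-LocalUser | Where-Object { $SuspectNames -contains $_.Name }
$localAdmins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass

# 3. Account-creation events (Security 4720): who created which account, and when.
#    Event data is pulled from the XML so field names are explicit.
$creationEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            NewAccount = $data['TargetUserName']
            CreatedBy  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Suspect    = ($SuspectNames -contains $data['TargetUserName'])
        }
    }

"== Domain accounts matching the name list or created since $Since =="
$domainHits | Format-Table -AutoSize
"== Local accounts matching the name list =="
$localHits | Format-Table -AutoSize
"== Current members of local Administrators =="
$localAdmins | Format-Table -AutoSize
"== Account-creation events (4720) =="
$creationEvents | Sort-Object Time | Format-Table -AutoSize
```

Run it on each domain controller for the 4720 events (account creation is logged where the account was created, not centrally) and on a sample of servers and workstations for the local checks; any creation whose CreatedBy is a service account or an unfamiliar administrator deserves a closer look even when the new name looks legitimate.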
The advisory came a day after Microsoft reported that an Iran-aligned group it calls Phosphorus is increasingly using ransomware to generate revenue or disrupt adversaries. Microsoft added that the group uses “aggressive brute force attacks” on targets.
Early this year, Microsoft said, Phosphorus scanned millions of IP addresses for FortiOS systems that had not yet installed the fix for CVE-2018-13379. The flaw allowed the hackers to harvest clear-text credentials used for remote access to the servers. Phosphorus ended up collecting credentials from more than 900 Fortinet servers in the US, Europe and Israel.
More recently, Phosphorus turned to scanning for on-premises Exchange servers exposed to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, the group of flaws known collectively as ProxyLogon. Microsoft patched the vulnerabilities in March.
“Once they identified the vulnerable servers, Phosphorus sought to gain persistence on the target systems,” Microsoft said. “In some instances, the actors downloaded a Plink runner named MicrosoftOutLookUpdater.exe. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying the startup registry keys and ultimately functioned as a loader to download additional tools.”
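The three behaviours in that description each leave something a defender can look for on a host: an autostart entry in the Run keys, a process launched with an encoded PowerShell command, and a long-lived outbound SSH connection owned by something that is not an SSH client. The following is an added example, not Microsoft's code, that checks all three on the local machine. It assumes an elevated session and that Security event 4688 carries the command line (the audit policy “Include command line in process creation events” must be on); the 30-day window and the list of known SSH clients are assumptions.

```powershell
# Added example, not code from Microsoft's post. Hunts for the persistence and
# beaconing behaviours described above on the local host.
# Assumptions: elevated session; 4688 events include CommandLine (audit policy enabled).
$Since = (Get-Date).AddDays(-30)   # lookback window (assumption)

# 1. Autostart entries in the common Run/RunOnce keys. Anything launched from outside
#    Program Files or the Windows directory is flagged for review.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, etc.
        $cmd = [string]$prop.Value
        $fromTrusted = $false
        foreach ($root in $trustedRoots) { if ($cmd -like "*$root*") { $fromTrusted = $true } }
        [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $cmd; Suspicious = (-not $fromTrusted) }
    }
}

# 2. Encoded PowerShell in process-creation events. -EncodedCommand carries Base64 of
#    UTF-16LE text, so it must be decoded as Unicode, not ASCII.
function ConvertFrom-EncodedCommand([string]$CommandLine) {
    if ($CommandLine -match '(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try   { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return '<not valid Base64>' }
    }
    return $null
}
$encoded = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $decoded = ConvertFrom-EncodedCommand $data['CommandLine']
        if ($decoded) {
            [pscustomobject]@{ Time = $_.TimeCreated; Parent = $data['ParentProcessName']; Decoded = $decoded }
        }
    }

# 3. Established outbound tcp/22 connections and their owning process. A renamed Plink
#    such as MicrosoftOutLookUpdater.exe appears here with an unexpected process name.
$knownSshClients = @('ssh', 'plink', 'putty', 'WinSCP')   # assumption; extend locally
$sshBeacons = Get-NetTCPConnection -State Established -RemotePort 22 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
            Process    = $proc.ProcessName
            Path       = $proc.Path
            Suspicious = ($proc.ProcessName -notin $knownSshClients)
        }
    }

"== Autostart entries (Suspicious = launched from outside Program Files/Windows) =="
$autostarts | Format-Table -AutoSize
"== Decoded -EncodedCommand payloads from 4688 =="
$encoded | Format-List
"== Established outbound tcp/22 connections =="
$sshBeacons | Format-Table -AutoSize
```

The SSH check only sees connections that are open at the moment it runs; a beacon that connects periodically and disconnects is better caught from firewall or NetFlow records of repeated tcp/22 sessions to the same external address. Also treat the decoded PowerShell as untrusted input: read it, do not run it.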
Picking high-value targets
Microsoft’s blog post also said that after gaining persistent access, the hackers triaged hundreds of victims to identify the most interesting targets for follow-on attacks. They then created local administrator accounts with the username “help” and the password “_AS_@1394”. In some cases, the actors dumped LSASS to obtain credentials for later use.
Microsoft also said it observed the group abusing BitLocker, Windows’ built-in full-disk encryption feature designed to protect data at rest, to encrypt victims’ drives.
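Dumping LSASS requires opening the process with read access, which is both preventable and loggable. As an added example, not Microsoft's code, the script below first reports whether LSA Protection (RunAsPPL) and Credential Guard are active on the host, and then reviews Sysmon ProcessAccess events (Event ID 10) for processes that opened lsass.exe with PROCESS_VM_READ, the right any dumper needs. It assumes Sysmon is installed with ProcessAccess logging for lsass.exe enabled; the allow-list of benign source images and the 30-day window are assumptions to adapt locally.

```powershell
# Added example, not code from Microsoft's post. Checks LSASS hardening and reviews
# Sysmon ProcessAccess events for credential-dumping behaviour.
# Assumptions: elevated session; Sysmon running with Event ID 10 rules covering lsass.exe.
$Since = (Get-Date).AddDays(-30)   # lookback window (assumption)

# 1. Preventive posture: LSA Protection (RunAsPPL) and Credential Guard.
$lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$runAsPpl = ($lsa.RunAsPPL -eq 1)
$dg       = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$credGuardRunning = ($dg.SecurityServicesRunning -contains 1)   # 1 = Credential Guard

# 2. Detective: Sysmon Event 10 where the target is lsass.exe and the granted access
#    mask includes PROCESS_VM_READ (0x0010). Typical dumper masks are 0x1010 and 0x1FFFFF.
$knownGood = @('*\MsMpEng.exe', '*\csrss.exe', '*\wininit.exe', '*\svchost.exe')   # assumption
$lsassAccess = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetImage'] -notlike '*\lsass.exe') { return }     # next event
        $granted = [Convert]::ToInt32($data['GrantedAccess'], 16)        # accepts the "0x" prefix
        $canRead = (($granted -band 0x0010) -ne 0)
        $allowListed = $false
        foreach ($g in $knownGood) { if ($data['SourceImage'] -like $g) { $allowListed = $true } }
        if ($canRead -and -not $allowListed) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Source        = $data['SourceImage']
                GrantedAccess = $data['GrantedAccess']
                CallTrace     = $data['CallTrace']
            }
        }
    }

"RunAsPPL enabled:          $runAsPpl"
"Credential Guard running:  $credGuardRunning"
"== Non-allow-listed processes that opened lsass.exe with PROCESS_VM_READ since $Since =="
$lsassAccess | Sort-Object Time | Format-Table -AutoSize -Wrap
```

RunAsPPL stops unsigned user-mode tools from opening LSASS at all, so on a host where it is on, any hit in the second list is either a signed security product or a kernel-level bypass, both worth knowing about. The CallTrace column helps tell a legitimate opener apart from a dumper loaded through an unusual DLL such as comsvcs.dll.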