An Iranian government-sponsored advanced persistent threat (APT) group has been targeting the critical infrastructure of the United States of America by exploiting vulnerabilities in Microsoft Exchange and Fortinet products, the US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) claimed.
The claim was made in a “joint cybersecurity advisory” issued by the FBI, CISA, the UK’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC), which said that the attackers are targeting a broad range of sectors, such as transportation and healthcare and public health in the US, as well as Australian organisations.
Russia, China and Iran have been in the cross-hairs of the US government for allegedly perpetrating state-sponsored cyberattacks targeting the country’s critical infrastructure. The Biden administration has been publicly calling out these nation-states over the alleged attacks, and Biden reiterated the point when he met his Russian counterpart Vladimir Putin in June this year.
Attacks on critical infrastructure erode trust between governments online and invite retaliatory measures. In some instances, they lead to pushes to close off the Internet, and for firewalls and data localisation, thus affecting the openness of the Internet.
Observed Iranian activity since March 2021: Advisory
The FBI and CISA have observed alleged Iranian government-sponsored activities on Microsoft Exchange and Fortinet vulnerabilities since March 2021. Here is a brief timeline of what they observed:
- March 2021: “The FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591,” the advisory said. According to Cloudflare, a port is a virtual point where network connections start and end. Ports are managed by a computer’s operating system, and each port is associated with a specific process. Cloudflare also said that ports allow computers to easily differentiate between different kinds of traffic.
- May 2021: The advisory said that the Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a US municipal government. “The actors likely created an account with the username “elie” to further enable malicious activities,” it claimed.
- June 2021: APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children, the advisory said.
- October 2021: The advisory added that the actors have leveraged a Microsoft Exchange ProxyShell vulnerability “CVE-2021-34473” to gain access to systems in advance of follow-on operations.
How did the Iranian actors gain access?
The advisory said that the APT actors may have created new user accounts on domain controllers, servers, workstations, and active directories. “Some of these accounts appear to have been created to look similar to other existing accounts on the network,” it said.
The FBI and CISA identified the following account usernames as associated with this activity:
The Iranian actors also may have abused the Windows Task Scheduler to perform task scheduling for recurring execution of malicious code, the advisory said. “These modifications may display as unrecognized scheduled tasks or actions,” it added.
These actors have also been exploiting known vulnerabilities to conduct “follow-on operations, such as data exfiltration or encryption, ransomware, and extortion”, the advisory said. The APT actors also allegedly forced victims to activate BitLocker to encrypt data and sent ransom demands from emails such as —
What tools have the Iranian attackers used?
The APT actors have used the following tools for a variety of tactics across the enterprise spectrum, the advisory said.
- Mimikatz for credential theft
- WinPEAS for privilege escalation
- SharpWMI (Windows Management Instrumentation)
- WinRAR for archiving collected data
- FileZilla for transferring files
Organisations using Microsoft Exchange and Fortinet should investigate their networks: Advisory
The FBI, CISA, ACSC, and NCSC gave a slew of recommendations, including that organisations using Microsoft Exchange servers and Fortinet devices investigate potential suspicious activity in their networks. Others are —
- Search for indicators of compromise (IOC)
- Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise
- Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access
- Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts
- Review Task Scheduler for unrecognized scheduled tasks
- Review antivirus logs for indications they were unexpectedly turned off
- Look for WinRAR and FileZilla in unexpected locations
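A defender-side sketch of two of the checks above (new or unrecognised user accounts, and unrecognised scheduled tasks), added here as an illustration and not taken from the advisory or the article. It runs over constructed events shaped like Windows Security Event IDs 4720 (a user account was created) and 4698 (a scheduled task was created), and flags new names that differ from an existing account only by one edit or a confusable character, which is the “look similar to other existing accounts” pattern the advisory describes; the confusable-character table and the sample names are assumptions.

```python
"""Triage constructed Windows Security events for two persistence signs the
advisory names: accounts that mimic existing ones, and unknown scheduled tasks.
Event dicts are hand-built to resemble Event IDs 4720 and 4698 (assumption)."""
from typing import Optional

# Characters commonly swapped to make a username look familiar (assumption).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"})

def normalize(name: str) -> str:
    return name.lower().translate(CONFUSABLES)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(new_name: str, known: list, max_dist: int = 1) -> Optional[str]:
    """Return the legitimate account that `new_name` resembles, or None."""
    n = normalize(new_name)
    for k in known:
        if new_name.lower() != k.lower() and edit_distance(n, normalize(k)) <= max_dist:
            return k
    return None

def triage(events: list, known_accounts: list, known_tasks: set) -> list:
    findings = []
    for ev in events:
        if ev["EventID"] == 4720:  # a user account was created
            target, who = ev["TargetUserName"], ev["SubjectUserName"]
            mimic = lookalike_of(target, known_accounts)
            if mimic is not None:
                findings.append(f"account {target!r} resembles {mimic!r} (created by {who})")
            elif target not in known_accounts:
                findings.append(f"unrecognised account {target!r} created by {who}")
        elif ev["EventID"] == 4698 and ev["TaskName"] not in known_tasks:  # task created
            findings.append(f"unrecognised scheduled task {ev['TaskName']!r} by {ev['SubjectUserName']}")
    return findings

KNOWN_ACCOUNTS = ["jsmith", "svc_backup", "helpdesk"]          # constructed baseline
KNOWN_TASKS = {r"\Microsoft\Windows\Defrag\ScheduledDefrag"}   # constructed baseline
EVENTS = [  # constructed sample events; "elie" is the username quoted in the advisory
    {"EventID": 4720, "TargetUserName": "jsmlth", "SubjectUserName": "Administrator"},
    {"EventID": 4720, "TargetUserName": "elie", "SubjectUserName": "Administrator"},
    {"EventID": 4720, "TargetUserName": "svc_backups", "SubjectUserName": "helpdesk"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SubjectUserName": "SYSTEM"},
    {"EventID": 4698, "TaskName": r"\Updater", "SubjectUserName": "jsmlth"},
]

if __name__ == "__main__":
    for line in triage(EVENTS, KNOWN_ACCOUNTS, KNOWN_TASKS):
        print(line)
```

In a real hunt the baseline lists would come from the directory and a known-good task inventory, and the events from the Security log rather than inline dicts.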