Iranian Hackers Follow US Critical Infrastructure

Organizations responsible for critical U.S. infrastructure are in the crosshairs of Iranian government hackers, who are exploiting known vulnerabilities in enterprise products from Microsoft and Fortinet, government officials from the U.S., UK, and Australia warned on Wednesday.

A joint advisory published on Wednesday says an advanced persistent threat (APT) hacking group affiliated with the Iranian government is exploiting vulnerabilities in Microsoft Exchange and in Fortinet’s FortiOS, which forms the basis of the company’s security offerings. All of the identified vulnerabilities have been patched, but not everyone who uses the products has installed the updates. The advisory was issued by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC).

A Wide Range of Targets

“The Iranian government-sponsored APT actors are actively targeting a wide range of victims in many critical sectors of U.S. infrastructure, including the Transportation Sector and the Health and Public Health Sector, as well as organizations in Australia,” the advisory says. “The FBI, CISA, ACSC, and NCSC are investigating the actors [that] focus on exploiting known vulnerabilities rather than targeting specific sectors. These APT actors promoted by the Iranian government may use this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”

The advisory says the FBI and CISA have observed the group exploiting Fortinet vulnerabilities since at least March and Microsoft Exchange vulnerabilities since at least October to gain initial access to systems. The hackers then initiate follow-on operations that involve deploying ransomware.

In May, the attackers targeted an unnamed U.S. municipality, where they likely created an account with the username “elie” to further entrench themselves in the compromised network. A month later, they hacked a U.S.-based hospital specializing in children’s health care. The latter attack likely involved Iran-linked servers at 91.214.124[.]143, 162.55.137[.]20, and 154.16.192[.]70.

Last month, the APT actors exploited Microsoft Exchange vulnerabilities to gain initial access to systems ahead of follow-on operations. Australian authorities said they had also observed the group exploiting the Exchange vulnerabilities.

Watch out for Unknown User Accounts

The hackers may create new user accounts on domain controllers, servers, workstations, and in Active Directory on the networks they compromise. Some of the accounts appear to mimic existing accounts, so the usernames often differ from one target organization to another. The advisory says network defenders should look for unrecognized accounts, paying particular attention to usernames such as Support, Help, elie, and WADGUtilityAccount.

The advisory comes a day after Microsoft reported that an Iranian-aligned group it calls Phosphorus is primarily using ransomware to generate revenue or disrupt adversaries. The group used “aggressive brute force attacks” on targets, Microsoft added.

Earlier this year, Microsoft said, Phosphorus scanned millions of IP addresses to find FortiOS systems that had not yet installed the security fix for CVE-2018-13379. The vulnerability allows hackers to harvest cleartext credentials used to remotely access the servers. Phosphorus ended up collecting credentials from more than 900 Fortinet servers in the US, Europe, and Israel.

More recently, Phosphorus shifted to scanning for Exchange Servers vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, a constellation of flaws known under the name ProxyShell. Microsoft fixed the vulnerabilities in March.

“Once they identify the vulnerable servers, Phosphorus seeks to get a hold of the target systems,” Microsoft said. “On several occasions, the actors download a Plink runner named MicrosoftOutLookUpdater.exe. This file beacons periodically to their C2 servers via SSH, allowing the actors to issue additional commands. Later, the actors download a custom implant via a Base64-encoded PowerShell command. This implant establishes persistence on the victim’s system by modifying startup registry keys and finally acts as a loader to download additional tools.”

Identifying the High-Value Target

The Microsoft blog post also says that, after gaining persistent access, the hackers triage hundreds of victims to identify the most interesting targets for follow-on attacks. The hackers then create local administrator accounts with the username “help” and the password “_AS_@1394.” In some cases, the actors dump LSASS to obtain credentials for later use.
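The two concrete detection leads this article gives defenders are the watch-list usernames from the advisory (Support, Help, elie, WADGUtilityAccount, plus the “help” local administrator account Microsoft describes here) and the three Iran-linked server addresses named earlier. The script below is an added example, not code from the advisory, Microsoft, or the article’s author: it runs those checks over constructed sample data. Windows event IDs 4720 (user account created) and 4732 (member added to a local group) are real, but the JSON-lines export shape, the firewall log format, the hostnames, and the internal addresses are all assumptions made up for the example. The “was this account then added to local Administrators” join goes one step beyond the article’s username list, based on Microsoft’s statement that the actors create local administrator accounts.

```python
import json
import re

# Usernames the joint advisory tells defenders to watch for, as listed in the
# article, plus the "help" local administrator account from Microsoft's report.
# Compared case-insensitively because the page shows both "Help" and "help".
SUSPICIOUS_USERNAMES = {"support", "help", "elie", "wadgutilityaccount"}

# Iran-linked server addresses named in the article, in defanged "[.]" form.
ADVISORY_IPS = ["91.214.124[.]143", "162.55.137[.]20", "154.16.192[.]70"]


def refang(ip: str) -> str:
    """Turn a defanged indicator such as '1.2.3[.]4' back into '1.2.3.4'."""
    return ip.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in ADVISORY_IPS}

# Constructed sample data (not real telemetry): Windows Security events exported
# as JSON lines. Event 4720 = "A user account was created"; event 4732 = "A member
# was added to a security-enabled local group". Field names follow the event XML.
SAMPLE_EVENTS = r"""
{"EventID": 4720, "TimeCreated": "2021-05-03T02:14:09Z", "Computer": "DC01", "TargetUserName": "elie", "SubjectUserName": "svc_backup"}
{"EventID": 4720, "TimeCreated": "2021-05-03T09:30:00Z", "Computer": "DC01", "TargetUserName": "jsmith", "SubjectUserName": "hr_admin"}
{"EventID": 4720, "TimeCreated": "2021-06-12T03:02:41Z", "Computer": "WS-RAD-07", "TargetUserName": "Help", "SubjectUserName": "WS-RAD-07$"}
{"EventID": 4732, "TimeCreated": "2021-06-12T03:02:42Z", "Computer": "WS-RAD-07", "MemberName": "WS-RAD-07\\Help", "TargetUserName": "Administrators"}
{"EventID": 4720, "TimeCreated": "2021-06-12T03:05:10Z", "Computer": "SRV-FILE02", "TargetUserName": "WADGUtilityAccount", "SubjectUserName": "SRV-FILE02$"}
"""

# Constructed sample firewall export: outbound connections from one workstation.
# 203.0.113.5 is a documentation-range address standing in for benign traffic.
SAMPLE_CONNLOG = """\
2021-06-12 03:10:55 allow tcp 10.20.5.17:51342 -> 162.55.137.20:22 bytes=4211
2021-06-12 03:11:02 allow tcp 10.20.5.17:51344 -> 203.0.113.5:443 bytes=9802
2021-06-12 03:25:31 allow tcp 10.20.5.17:51390 -> 91.214.124.143:22 bytes=612
"""

CONN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) allow (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_events(text: str) -> list:
    """Parse a JSON-lines event export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_suspicious_accounts(events: list) -> list:
    """Return account-creation events whose username is on the watch list, noting
    whether the same account was also added to the local Administrators group."""
    admin_members = set()
    for ev in events:
        if ev.get("EventID") == 4732 and ev.get("TargetUserName", "").lower() == "administrators":
            # MemberName looks like "HOST\user"; keep only the username part
            admin_members.add(ev.get("MemberName", "").split("\\")[-1].lower())

    findings = []
    for ev in events:
        if ev.get("EventID") != 4720:
            continue
        name = ev.get("TargetUserName", "")
        if name.lower() in SUSPICIOUS_USERNAMES:
            findings.append({
                "computer": ev["Computer"],
                "username": name,
                "created": ev["TimeCreated"],
                "created_by": ev.get("SubjectUserName", ""),
                "added_to_administrators": name.lower() in admin_members,
            })
    return findings


def flag_ioc_connections(log_text: str) -> list:
    """Return connections whose destination matches an advisory-listed address."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m and m["dst"] in IOC_IPS:
            hits.append({"time": m["ts"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return hits


if __name__ == "__main__":
    for f in flag_suspicious_accounts(parse_events(SAMPLE_EVENTS)):
        print(f"ACCOUNT {f['username']} created on {f['computer']} at {f['created']} "
              f"by {f['created_by']}; local admin: {f['added_to_administrators']}")
    for h in flag_ioc_connections(SAMPLE_CONNLOG):
        print(f"IOC {h['src']} -> {h['dst']}:{h['dport']} at {h['time']}")
```

On the sample data the script flags three of the four created accounts (jsmith is ignored), reports that “Help” on WS-RAD-07 was added to Administrators a second after creation, and surfaces the two outbound port-22 sessions to advisory-listed addresses, which lines up with the SSH beaconing Microsoft describes. In a real environment the accounts matched by name are only a starting point; the advisory’s point is that the usernames vary per victim, so the creation-then-admin pattern and the originating account (here a machine account, `WS-RAD-07$`) are the more durable signals.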

Microsoft also said it observed the group abusing BitLocker, Microsoft’s full-disk encryption feature, which is designed to protect data and prevent unauthorized software from running.
