Iranian government-sponsored APT hackers exploiting Microsoft Exchange, Fortinet vulnerabilities


Security agencies from the United States, the United Kingdom and Australia have released a joint cybersecurity advisory warning of ongoing malicious cyber activity by an advanced persistent threat (APT) group associated with the Iranian government. The advisory says the group is actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, and it provides the observed tactics and techniques together with indicators of compromise (IOCs) likely associated with the Iranian government-sponsored activity.

The parties to the advisory include the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC).

According to the advisory, the Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities in Microsoft Exchange servers and Fortinet devices. The actors may also have modified the Windows Task Scheduler; such modifications can show up as scheduled tasks or actions that the organization does not recognize. The U.S. agencies also observed outbound File Transfer Protocol (FTP) transfers over port 443, a port normally carrying HTTPS, which makes cleartext FTP on it a useful anomaly to hunt for.

“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations,” according to the advisory. “FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” it added.

The FBI and CISA have observed the group exploiting Fortinet FortiOS vulnerabilities (CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591) since at least March 2021, and the Microsoft Exchange ProxyShell vulnerability (CVE-2021-34473) since at least October 2021, to gain initial access ahead of follow-on operations that include deploying ransomware. ACSC is also aware of the group using the same Microsoft Exchange vulnerability in Australia.

In May, these Iranian government-sponsored APT hackers exploited a Fortigate appliance to access a web server hosting the domain for a U.S. municipal government. The attackers likely created an account with the username ‘elie’ to further enable malicious activity. In June, these APT hackers exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children.

To further enable malicious activity against the hospital's network, the attackers likely leveraged a server assigned to IP addresses that the FBI and CISA judge are associated with Iranian government cyber activity, according to the advisory. The attackers also accessed known user accounts at the hospital from an IP address that the FBI and CISA judge is associated with the government of Iran's offensive cyber activity.

The advisory noted that the attackers used a mix of malicious and legitimate tools: Mimikatz for credential theft, WinPEAS for privilege escalation, SharpWMI for execution via Windows Management Instrumentation, WinRAR for archiving collected data, and FileZilla for transferring files. The actors may also have created new user accounts on domain controllers, servers, workstations and in Active Directory. Some of these accounts appear to have been named to resemble existing accounts on the network, so the specific account names will vary from one organization to the next, the advisory added.
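The observations above (unrecognized scheduled tasks, FTP over port 443, and new accounts named to blend in) each suggest a simple hunt. The script below is an added example written for this article, not tooling from the advisory: it runs three checks over constructed sample records. The hosts, task names, flow addresses and every account name except 'elie' (which the advisory itself reports) are made up, and the event fields are reduced to what the checks need.

```python
#!/usr/bin/env python3
"""Three hunting checks for the advisory's observations, over constructed
sample data. Illustrative code for this article; not from the advisory."""
import re
from difflib import SequenceMatcher

# Constructed Windows Security events: 4698 = scheduled task created,
# 4720 = user account created. Only the fields the checks use are kept.
SAMPLE_EVENTS = [
    {"EventID": 4698, "Host": "DC01", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"EventID": 4698, "Host": "WEB01", "TaskName": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start"},
    {"EventID": 4698, "Host": "WEB01", "TaskName": r"\Updater"},
    {"EventID": 4720, "Host": "DC01", "TargetUserName": "elie"},
    {"EventID": 4720, "Host": "DC01", "TargetUserName": "svc_backups"},
    {"EventID": 4720, "Host": "DC01", "TargetUserName": "j.smith"},
]

# Per-host scheduled-task baseline captured from a known-good build (constructed).
TASK_BASELINE = {
    "DC01": {r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    "WEB01": {r"\Microsoft\Windows\Defrag\ScheduledDefrag",
              r"\Microsoft\Windows\WindowsUpdate\Scheduled Start"},
}

# Accounts that existed before the hunt window (constructed).
KNOWN_ACCOUNTS = {"administrator", "svc_backup", "jsmith", "dbadmin"}

# Constructed outbound flows with the first client bytes of each connection.
SAMPLE_FLOWS = [
    {"src": "10.0.5.12", "dst": "203.0.113.7", "dst_port": 443, "proto": "tcp",
     "client_payload": b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"},  # TLS ClientHello
    {"src": "10.0.5.12", "dst": "198.51.100.23", "dst_port": 443, "proto": "tcp",
     "client_payload": b"USER elie\r\n"},                                  # FTP command on 443
    {"src": "10.0.5.30", "dst": "198.51.100.23", "dst_port": 21, "proto": "tcp",
     "client_payload": b"USER ftp\r\n"},                                   # plain FTP, out of scope here
    {"src": "10.0.5.40", "dst": "192.0.2.9", "dst_port": 443, "proto": "tcp",
     "client_payload": b"GET / HTTP/1.1\r\n"},                             # cleartext HTTP on 443
]

# FTP control-channel commands a client sends first (case-insensitive per RFC 959).
FTP_CMD = re.compile(rb"^(USER|PASS|STOR|RETR|PASV|EPSV|PORT|TYPE|CWD|LIST)\b", re.IGNORECASE)


def unrecognized_tasks(events, baseline):
    """Return (host, task) for every 4698 event whose task name is not in that
    host's baseline. Legitimate tasks that were never baselined show up too;
    review them and add them to the baseline rather than loosening the check."""
    return [(e["Host"], e["TaskName"]) for e in events
            if e["EventID"] == 4698
            and e["TaskName"] not in baseline.get(e["Host"], set())]


def new_account_report(events, known, threshold=0.8):
    """For every 4720 event, find the existing account the new name most
    resembles. Near-identical but unequal names are labelled 'lookalike'
    (the advisory's blend-in pattern); the rest are 'new' and still deserve
    a look, as the 'elie' account shows."""
    report = []
    for e in events:
        if e["EventID"] != 4720:
            continue
        name = e["TargetUserName"].lower()
        closest = max(known, key=lambda k: SequenceMatcher(None, name, k).ratio())
        score = round(SequenceMatcher(None, name, closest).ratio(), 2)
        label = "lookalike" if name != closest and score >= threshold else "new"
        report.append((name, closest, score, label))
    return report


def ftp_on_443(flows):
    """Flag outbound TCP/443 flows whose first client bytes are an FTP command
    instead of a TLS record header (content type 0x16, major version 0x03).
    Other non-TLS traffic on 443 is reported separately for triage; port 21
    traffic is left to the normal FTP rules."""
    hits = []
    for f in flows:
        if f["proto"] != "tcp" or f["dst_port"] != 443:
            continue
        head = f["client_payload"][:64]
        if FTP_CMD.match(head):
            hits.append((f["src"], f["dst"], "ftp-command"))
        elif not head.startswith(b"\x16\x03"):
            hits.append((f["src"], f["dst"], "not-tls"))
    return hits


if __name__ == "__main__":
    for host, task in unrecognized_tasks(SAMPLE_EVENTS, TASK_BASELINE):
        print(f"[task]    {host}: unrecognized scheduled task {task}")
    for name, closest, score, label in new_account_report(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"[account] {label:9} {name!r} (closest existing: {closest!r}, {score})")
    for src, dst, why in ftp_on_443(SAMPLE_FLOWS):
        print(f"[flow]    {src} -> {dst}:443 {why}")
```

In a real environment the events would come from a SIEM or from exported Security logs and the flows from a sensor that records the first bytes of each connection; the checks themselves stay the same. The similarity threshold is a tuning knob: 0.8 catches one-character additions and punctuation swaps without flagging every short username as a lookalike of every other.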

To reduce the risk of compromise, network defenders are advised to patch and update systems, evaluate and update blocklists and allowlists, implement and enforce backup and restoration policies and procedures, segment networks, secure user accounts, enforce multi-factor authentication and strong passwords, secure and closely monitor RDP and other potentially risky services, use antivirus software, provide secure remote access, and reduce the risk of phishing.

CISA offers a range of no-cost cyber hygiene services to help critical infrastructure organizations assess, identify and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size can identify ways to reduce their risk and mitigate attack vectors. In addition, the U.S. Department of State's Rewards for Justice (RFJ) program offers a reward of up to US$10 million for reports of foreign government malicious activity against U.S. critical infrastructure.

The joint cybersecurity advisory is similar to the one issued in May by U.S. and U.K. security agencies on the SolarWinds supply chain attack, which attributed the campaign to Russian Foreign Intelligence Service (SVR) hackers and likewise set out further tactics, techniques and procedures (TTPs) associated with that group.

The U.S. administration has also raised concerns about the presence of Chinese vendors in national critical infrastructure. Earlier this month, U.S. President Joe Biden signed into law a bipartisan, bicameral bill that requires the Federal Communications Commission (FCC) to adopt rules clarifying that it will no longer review or approve any authorization application for equipment that poses an unacceptable risk to national security.

Michael Mabee, a public interest researcher who investigates the security of the electric sector, has also drawn attention to the threat posed by Chinese-manufactured transformers in the grid, a concern now acknowledged by the administrations of two U.S. presidents, Donald Trump and the current president.