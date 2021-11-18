



Organizations responsible for critical infrastructure in the United States are in the crosshairs of Iranian government hackers, who exploit known vulnerabilities in Microsoft and Fortinet corporate products, government officials from the United States, the United Kingdom and Australia warned on Wednesday.

A joint advisory released on Wednesday said that an advanced persistent threat hacking group aligned with the Iranian government was exploiting vulnerabilities in Microsoft Exchange and Fortinet's FortiOS, which forms the basis of the latter company's security offerings. All of the identified vulnerabilities have been fixed, but not everyone who uses the products has installed the updates. The advisory was published by the FBI, the US Cybersecurity and Infrastructure Security Agency, the UK National Cyber Security Centre and the Australian Cyber Security Centre.

A wide range of targets

Iranian government-sponsored APT actors are actively targeting a wide range of victims in several critical infrastructure sectors in the United States, including the transportation sector and the health and public health sector, as well as Australian organizations, according to the notice. The FBI, CISA, ACSC, and NCSC assess that actors are focusing on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can take advantage of this access for follow-up operations, such as data exfiltration or encryption, ransomware and extortion.

The advisory says the FBI and CISA observed the group exploiting Fortinet vulnerabilities since at least March and Microsoft Exchange vulnerabilities since at least October to gain initial access to systems. The hackers then launch follow-on operations that include the deployment of ransomware.

In May, the attackers targeted an unnamed US municipality, where they likely created an account with the username elie to dig further into the compromised network. A month later, they hacked into a US hospital specializing in children's health care. This latter attack likely involved Iran-linked servers at 91.214.124[.]143, 162.55.137[.]20 and 154.16.192[.]70.

Last month, APT actors exploited vulnerabilities in Microsoft Exchange that gave them initial access to systems before follow-up operations. Australian authorities said they also observed the group exploiting the Exchange flaw.

Beware of unrecognized user accounts

The hackers may have created new user accounts on domain controllers, servers, workstations and Active Directory in the networks they compromised. Some of the accounts appear to mimic existing accounts, so the usernames vary from one target organization to the next. The advisory states that network security personnel should check for unrecognized accounts, paying particular attention to usernames such as Support, Help, elie and WADGUtilityAccount.
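The account review the advisory recommends can be scripted. The following PowerShell is an added example written for this page, not code from the advisory or any of the agencies behind it. It assumes a domain-joined Windows host where the ActiveDirectory RSAT module is installed (the local-account check works without it), and the 90-day look-back window is an assumed value. Beyond matching the usernames listed above, it flags recently created domain accounts and groups accounts whose names collapse to the same string once digits and punctuation are removed, which is one simple way to surface the mimicking of existing accounts that the advisory describes.

```powershell
# Added example for this page, not code from the joint advisory.
# Assumes: a Windows host; the ActiveDirectory module for the domain checks.
$SuspectNames = @('Support', 'Help', 'elie', 'WADGUtilityAccount')   # usernames named in the advisory
$LookbackDays = 90                                                    # assumed review window
$Since        = (Get-Date).AddDays(-$LookbackDays)
$Findings     = New-Object System.Collections.Generic.List[object]

function Add-Finding($Scope, $Name, $Reason, $Created) {
    # Reads the parent-scope list and appends to it in place.
    $Findings.Add([pscustomobject]@{
        Scope = $Scope; Name = $Name; Reason = $Reason; Created = $Created
    })
}

# 1. Local accounts on this host (-contains compares case-insensitively).
foreach ($u in Get-LocalUser) {
    if ($SuspectNames -contains $u.Name) {
        Add-Finding 'Local' $u.Name 'Username listed in advisory' $null
    }
}

# 2. Domain accounts, when the AD module is available.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    # whenCreated is not returned by default, so request it explicitly.
    $DomainUsers = Get-ADUser -Filter * -Properties whenCreated

    foreach ($u in $DomainUsers) {
        if ($SuspectNames -contains $u.SamAccountName) {
            Add-Finding 'Domain' $u.SamAccountName 'Username listed in advisory' $u.whenCreated
        } elseif ($u.whenCreated -ge $Since) {
            Add-Finding 'Domain' $u.SamAccountName "Created within $LookbackDays days; confirm with owner" $u.whenCreated
        }
    }

    # 3. Look-alike names: strip digits and punctuation, lower-case, then group.
    #    'jsmith' and 'j.smith2' both collapse to 'jsmith' and are reported together,
    #    oldest account first so the newer (possibly attacker-created) one stands out.
    $DomainUsers |
        Group-Object { ($_.SamAccountName -replace '[^a-zA-Z]', '').ToLower() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $names = ($_.Group | Sort-Object whenCreated | ForEach-Object SamAccountName) -join ', '
            Add-Finding 'Domain' $names 'Accounts with look-alike names' $null
        }
}

$Findings | Sort-Object Scope, Name | Format-Table -AutoSize
```

Run it from a host that can query the domain; the look-alike grouping deliberately over-reports (service accounts that follow a naming scheme will cluster too), so treat its output as a review list rather than an alert.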

The advisory comes a day after Microsoft reported that an Iran-aligned group it calls Phosphorus is increasingly using ransomware to generate revenue or disrupt opponents. The group uses aggressive brute-force attacks on targets, Microsoft added.

Earlier this year, Microsoft said, Phosphorus scanned millions of Internet IP addresses for FortiOS systems that had not yet installed security patches for CVE-2018-13379. The flaw allowed hackers to collect clear text credentials used to access servers remotely. Phosphorus ended up collecting credentials from over 900 Fortinet servers in the United States, Europe, and Israel.

More recently, Phosphorus moved to scan on-premises Exchange servers vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, a constellation of vulnerabilities known as ProxyShell. Microsoft corrected the vulnerabilities in March.

Once they identified vulnerable servers, Phosphorus sought to gain persistence on the target systems, Microsoft said. In some cases, the actors downloaded a Plink runner named MicrosoftOutLookUpdater.exe. This file would periodically beacon to their C2 servers over SSH, allowing the actors to issue further commands. Later, the actors uploaded a custom implant via a Base64-encoded PowerShell command. The implant established persistence on the compromised system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.
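As an added example for this page (not Microsoft's code and not from the advisory), the following PowerShell checks a single Windows host for the traits described above: Run/RunOnce startup entries that reference the reported file name or launch a Base64-encoded PowerShell command, and established TCP connections to the three IP addresses listed earlier in the article. The registry paths and the encoded-command heuristic are assumptions about where such persistence typically lands; the file name and the IP addresses are taken from the article.

```powershell
# Added example; not from Microsoft or the advisory. Assumes a Windows host
# with the NetTCPIP module (Get-NetTCPConnection) available.
$SuspectFile = 'MicrosoftOutLookUpdater.exe'                              # file name from Microsoft's report
$SuspectIPs  = @('91.214.124.143', '162.55.137.20', '154.16.192.70')      # addresses from the advisory
$RunKeys = @(                                                             # assumed persistence locations
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# -EncodedCommand (also accepted as -e / -ec / -enc) followed by a Base64 blob; group 1 captures the blob.
$EncodedPattern = '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})'
# Properties the registry provider adds to every Get-ItemProperty result; they are not startup entries.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$Findings = New-Object System.Collections.Generic.List[object]

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($p in $entries.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        $value = [string]$p.Value
        if ($value -match [regex]::Escape($SuspectFile)) {
            $Findings.Add([pscustomobject]@{ Source = $key; Item = $p.Name; Detail = $value
                                             Reason = 'Startup entry references reported file name' })
        } elseif ($value -match '(?i)powershell' -and $value -match $EncodedPattern) {
            # Decode for the analyst: -EncodedCommand carries UTF-16LE text, Base64-encoded.
            try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
            catch { $decoded = '<payload is not valid Base64>' }
            $Findings.Add([pscustomobject]@{ Source = $key; Item = $p.Name; Detail = $decoded
                                             Reason = 'Startup entry runs encoded PowerShell' })
        }
    }
}

# Established connections to the listed addresses, with the owning process name.
foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
    if ($SuspectIPs -contains $c.RemoteAddress) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $Findings.Add([pscustomobject]@{ Source = 'TCP'; Item = "$($c.RemoteAddress):$($c.RemotePort)"
                                         Detail = $proc.ProcessName; Reason = 'Connection to IP listed in advisory' })
    }
}

$Findings | Format-Table -AutoSize -Wrap
```

Run it elevated so that every process's owner can be resolved. HKCU covers only the hive of the user running the script; to review other profiles, enumerate HKU:\ or load their NTUSER.DAT hives. A beacon that only connects periodically will not show up in a single connection snapshot, so pair the network check with firewall or proxy logs for the same addresses.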

