The US government, together with its Australian and UK counterparts, has warned that state-backed Iranian hackers are targeting US organizations in critical infrastructure sectors, in some cases deploying ransomware.
The rare warning linking Iran to ransomware was published on Wednesday in a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC) and the UK National Cyber Security Centre (NCSC).
The advisory says Iranian government-backed attackers have been exploiting Fortinet vulnerabilities since at least March 2021 and the Microsoft Exchange ProxyShell vulnerability (CVE-2021-34473) since at least October 2021 to gain initial access to US critical infrastructure organizations in the transportation and healthcare and public health sectors, as well as to organizations in Australia. Rather than exploiting a specific sector, the actors appear to be opportunistically targeting whatever vulnerable, internet-facing systems they can find, then using that access for follow-on operations such as data exfiltration, extortion and ransomware deployment.
In May 2021, for example, the actors exploited a FortiGate appliance to reach a web server hosting the domain of a US municipal government. The following month, CISA and the FBI observed them exploiting a FortiGate appliance to gain access to networks of a US hospital specializing in children's healthcare.
The joint advisory was released alongside a separate Microsoft report on the evolution of Iranian APTs, which "are increasingly using ransomware to either collect funds or disrupt their targets." In the report, Microsoft said it was tracking six Iranian threat groups that have deployed ransomware and exfiltrated data in waves of attacks since September 2020.
Microsoft singles out a particularly "aggressive" group it calls Phosphorus, also known as APT35, which the company has been tracking for two years. Where it previously relied on spear-phishing emails to lure victims, including presidential candidates in the 2020 US election, Microsoft says the group now uses social engineering to build a relationship with its victims before turning BitLocker, the full-disk encryption feature built into Windows, against them to encrypt their files. Because BitLocker is a legitimate, signed operating-system component, this living-off-the-land approach avoids the custom ransomware binaries that endpoint tools are tuned to flag.
CISA and the FBI are urging organizations to take a series of measures to mitigate the threat posed by Iranian attackers, including promptly patching operating systems and the affected Fortinet and Exchange software, implementing network segmentation, and using multi-factor authentication and strong passwords.