Law enforcement and cybersecurity agencies from the U.S., U.K. and Australia are warning the public that an advanced persistent threat (APT) group tied to Iran has been exploiting multiple, high-impact vulnerabilities this year in order to deploy ransomware and conduct other post-exploitation activities against critical infrastructure.
The alert, issued jointly by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the U.K. National Cyber Security Centre and Australian Cyber Security Centre, said the activity appears to be targeting known vulnerabilities as opposed to specific industries, but noted that the U.S. transportation, healthcare and public health sectors, as well as Australian organizations were all “actively targeted.”
“FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware,” the alert warns. “ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.”
Between March and June 2021 the campaign leveraged several vulnerabilities in Fortinet products, including a critical path-traversal flaw in the FortiOS SSL VPN web portal (CVE-2018-13379) that lets an unauthenticated attacker download system files through specially crafted HTTP resource requests, an SSL VPN authentication flaw (CVE-2020-12812) that can bypass two-factor authentication protections, and a default-configuration weakness in FortiOS (CVE-2019-5591) that can allow an unauthenticated attacker on the same subnet to intercept sensitive data. In October, the same actors began exploiting the widely publicized ProxyShell vulnerability in Microsoft Exchange (CVE-2021-34473), which private-sector security researchers had already said was leading to “mass in the wild exploitation” by multiple groups.
In some instances, the actors were also observed abusing BitLocker, the drive encryption built into Windows, to lock up files, and sending or leaving “threatening notes” demanding ransom payment from the victims. The alert does not specify what the Iranian government’s underlying motivations may be for the attacks or whether any entities actually paid the ransom.
The actors relied on a mix of commercial and open-source tools: Mimikatz to steal credentials, WinPEAS to enumerate privilege-escalation paths, WinRAR to archive collected data and FileZilla to transfer files out. The actors have also been observed creating new user accounts on domain controllers with names that closely resemble existing accounts, possibly an attempt to blend in, fool administrators and maintain persistence on victim networks.
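One way to hunt for the lookalike accounts the alert describes, as an added example that is not part of the advisory or of this article: the script below parses a few constructed Windows Security event 4720 (“A user account was created”) records, flattened to one key=value line each for the example, and flags any new SAM account name that is within one edit of an existing account once common character substitutions (0/o, 1/l, 5/s) are folded. The log format, the list of existing accounts and the distance threshold are all assumptions made for the example.

```python
"""Flag newly created domain accounts whose names mimic existing accounts.

Added example: parses constructed event 4720 records (not real telemetry) and
compares each new account name against a snapshot of existing names using
Levenshtein distance after normalising visually confusable characters.
"""
import re
from dataclasses import dataclass

# Constructed sample records, one per line, in a flattened key=value form.
# Real 4720 events would come from the DC's Security log or a SIEM export.
SAMPLE_4720_LINES = """\
2021-10-14T03:12:44Z EventID=4720 Computer=DC01 SubjectUserName=jsmith TargetUserName=adminstrator
2021-10-14T03:13:02Z EventID=4720 Computer=DC01 SubjectUserName=jsmith TargetUserName=he1pdesk
2021-10-14T03:13:30Z EventID=4720 Computer=DC01 SubjectUserName=jsmith TargetUserName=svc_backups
2021-10-14T09:41:10Z EventID=4720 Computer=DC01 SubjectUserName=hr_admin TargetUserName=marketing_intern
2021-10-14T09:42:00Z EventID=4624 Computer=DC01 SubjectUserName=hr_admin TargetUserName=marketing_intern
"""

# Constructed snapshot of pre-existing SAM account names (hypothetical domain).
EXISTING_ACCOUNTS = ["Administrator", "jsmith", "helpdesk", "svc_backup", "sqlservice", "hr_admin"]

# Characters an attacker may swap for visually similar ones when naming an account.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "$": "s", "|": "l"})

LINE_RE = re.compile(r"^(?P<time>\S+)\s+(?P<kv>.*)$")


@dataclass
class AccountCreated:
    time: str
    computer: str
    creator: str   # SubjectUserName: who created the account
    target: str    # TargetUserName: the new account


def parse_4720(text):
    """Return AccountCreated records for every 4720 line; other event IDs are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(token.split("=", 1) for token in m.group("kv").split())
        if fields.get("EventID") != "4720":
            continue
        events.append(AccountCreated(m.group("time"), fields["Computer"],
                                     fields["SubjectUserName"], fields["TargetUserName"]))
    return events


def normalize(name):
    """Case-fold and collapse confusable characters so he1pdesk == helpdesk."""
    return name.lower().translate(CONFUSABLES)


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(events, existing, max_distance=1):
    """Return one hit per new account whose normalised name is within
    max_distance of an existing account (closest match wins)."""
    hits = []
    for ev in events:
        new_norm = normalize(ev.target)
        best = None
        for old in existing:
            if old.lower() == ev.target.lower():
                continue  # identical name, not a lookalike
            d = edit_distance(new_norm, normalize(old))
            if best is None or d < best[0]:
                best = (d, old)
        if best is not None and best[0] <= max_distance:
            hits.append({"time": ev.time, "computer": ev.computer, "created_by": ev.creator,
                         "new": ev.target, "mimics": best[1], "distance": best[0]})
    return hits


if __name__ == "__main__":
    for hit in find_lookalikes(parse_4720(SAMPLE_4720_LINES), EXISTING_ACCOUNTS):
        print(f"{hit['time']} {hit['computer']}: {hit['created_by']} created "
              f"'{hit['new']}' (looks like '{hit['mimics']}', distance {hit['distance']})")
```

In practice the existing-name snapshot should be pulled from the directory itself and the 4720 stream from each domain controller. A threshold of one edit will also catch legitimate names such as a second “jsmith2”, so treat hits as leads for review, and pay particular attention to accounts created by a principal that does not normally provision users.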
All the vulnerabilities outlined in the alert are known and patches are already available; many were the subject of previous government alerts, but the actor appears to be scanning for organizations that have yet to update their systems. In addition to urging organizations to verify that affected products are patched and updated, the agencies released indicators of compromise and recommended detection steps for identifying affected systems.
On attribution, the document only says that the agencies have collectively assessed that the tactics, techniques and procedures, as well as the indicators of compromise, are “likely associated with the Iranian government-sponsored APT activity.”
In a House Homeland Security hearing on ransomware held the same day, CISA Executive Director Brandon Wales referenced the joint alert and noted that there are a number of obstacles that make it difficult for organizations across different industries to move quickly and close off dangerous IT weaknesses, even when protections are readily available.
“Unfortunately, strengthening resilience to withstand ransomware attacks is ultimately the most difficult element of our collective efforts, as it ultimately relies on changing human behavior,” Wales told lawmakers. “And while certain steps, such as spotting phishing attempts, implementing multi-factor authentication or patching vulnerabilities are easily implemented at the individual level, they are much more difficult to implement community, business or organization-wide.”
The sheer number of newly discovered vulnerabilities this year can create backlogs for many organizations and make it easy to fall behind in their patching cadence. It’s not just industry that falls behind in these efforts — this month CISA ordered federal agencies to begin prioritizing a list of nearly 300 known and exploited vulnerabilities, including many that have had secure patches available for a year or more.
Wales also used the opportunity to urge Congress to pass legislation requiring critical infrastructure entities to report ransomware attacks and other digital compromises to CISA so they can “enrich” the data, identify other potential victims and get the word out.
“While this advisory is based on an analysis of multiple incidents that CISA and the FBI supported, unfortunately today we receive information on only a fraction of incidents,” Wales said. “This hampers our ability to conduct critical analysis, spot adversary campaigns, release mitigation guidance and provide timely response, leaving critical infrastructure vulnerable and that is unacceptable.”