Organizations responsible for critical infrastructure in the US are in the crosshairs of Iranian government-sponsored hackers who are exploiting known security flaws in Microsoft and Fortinet products, government officials from the US, UK and Australia warned on Wednesday.
A joint advisory published on Wednesday said that an advanced persistent threat group aligned with the Iranian government is exploiting vulnerabilities in Microsoft Exchange and in Fortinet’s FortiOS, the operating system that underpins the latter company’s security offerings. All of the identified vulnerabilities have been patched, but not everyone who uses the products has installed the updates. The advisory was published by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC) and the Australian Cyber Security Centre (ACSC).
A wide range of targets
“The Iranian government-sponsored APT actors are actively targeting a wide range of victims across multiple US critical infrastructure sectors, including transportation and healthcare and public health, as well as Australian organizations,” the advisory said. “FBI, CISA, ACSC and NCSC judge that the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can use this access for follow-on operations such as data exfiltration or encryption, ransomware and extortion.”
The advisory states that the FBI and CISA have observed the group exploiting Fortinet vulnerabilities since at least March and Microsoft Exchange vulnerabilities since at least October to gain initial access to systems. The hackers then conduct follow-on operations, including deploying ransomware.
In May, the attackers targeted an unnamed US municipality, where they likely created an account with the username “elie” to further their intrusion into the compromised network. A month later, they hacked a US hospital specializing in children’s health care. The latter attack likely involved Iran-linked servers at 91.214.124[.]143, 162.55.137[.]20 and 154.16.192[.]70.
Last month, the APT actors exploited vulnerabilities in Microsoft Exchange to gain initial access to systems ahead of follow-on operations. Australian authorities said they had also observed the group exploiting the Exchange bug.
Watch out for unknown user accounts
The hackers may have created new user accounts on the domain controllers, servers, workstations and Active Directory installations of the networks they compromised. Some of the accounts appear to mimic existing accounts, so the usernames often differ from one target organization to the next. The advisory states that network security personnel should look for unfamiliar accounts, paying special attention to usernames such as support, help, elie and WADGUtilityAccount.
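One way to turn that recommendation into a repeatable check, as an added example that is not part of the advisory or the article: triage Windows Security "account created" events (Event ID 4720) against the advisory's watchlist names and against a baseline of pre-existing accounts, so that lookalike names such as svc_backup next to svc-backup are surfaced as well. The event records, the baseline accounts and the field names are constructed for the example.

```python
from difflib import SequenceMatcher

# Usernames the joint advisory tells defenders to look for (taken from the page).
WATCHLIST = {"support", "help", "elie", "wadgutilityaccount"}

# Constructed sample: exported Windows Security events; 4720 = account created, 4624 (logon) is skipped.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TargetUserName": "jsmith", "SubjectUserName": "hr-admin", "Computer": "DC01"},
    {"EventID": 4624, "TargetUserName": "jdoe", "SubjectUserName": "-", "Computer": "WS17"},
    {"EventID": 4720, "TargetUserName": "elie", "SubjectUserName": "svc-backup", "Computer": "DC01"},
    {"EventID": 4720, "TargetUserName": "WADGUtilityAccount", "SubjectUserName": "jdoe", "Computer": "SRV02"},
    {"EventID": 4720, "TargetUserName": "svc_backup", "SubjectUserName": "jdoe", "Computer": "DC01"},
    {"EventID": 4720, "TargetUserName": "Administrat0r", "SubjectUserName": "jdoe", "Computer": "SRV02"},
]

# Constructed baseline: accounts that existed before the window under review.
BASELINE_ACCOUNTS = {"Administrator", "hr-admin", "svc-backup", "jdoe"}

def _normalize(name):
    # Drop case and separators so svc_backup, svc-backup and SVC.BACKUP compare equal.
    return name.lower().replace("-", "").replace("_", "").replace(".", "")

def lookalike_of(name, baseline, threshold=0.85):
    """Return the baseline account that `name` mimics, or None."""
    if name.lower() in {b.lower() for b in baseline}:
        return None  # an existing account, not a lookalike
    n = _normalize(name)
    for known in sorted(baseline):
        k = _normalize(known)
        if n == k or SequenceMatcher(None, n, k).ratio() >= threshold:
            return known
    return None

def triage_account_creations(events, baseline, watchlist=WATCHLIST):
    """Rank 4720 events: 'high' for watchlist or lookalike names, 'review' otherwise."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4720:
            continue
        name = ev["TargetUserName"]
        reasons = []
        if name.lower() in watchlist:
            reasons.append("advisory watchlist username")
        if (mimic := lookalike_of(name, baseline)):
            reasons.append(f"mimics existing account {mimic}")
        findings.append({"user": name, "created_by": ev["SubjectUserName"], "host": ev["Computer"],
                         "severity": "high" if reasons else "review",
                         "reasons": reasons or ["new account absent from baseline; confirm with owner"]})
    return findings
```

Every remaining 4720 event still lands in the output as "review", because the advisory's point is that any unfamiliar account deserves a look, not only the named ones.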
The advisory comes a day after Microsoft reported that an Iran-aligned group called Phosphorus is increasingly using ransomware to generate revenue or disrupt adversaries. The group used “aggressive brute-force attacks” on targets, Microsoft added.
Earlier this year, according to Microsoft, Phosphorus scanned millions of Internet IP addresses looking for FortiOS systems that had yet to install the security fixes for CVE-2018-13379. The bug allowed the hackers to obtain cleartext credentials that were then used to access the servers remotely. Phosphorus eventually harvested credentials from more than 900 Fortinet servers in the US, Europe and Israel.
More recently, Phosphorus has switched to scanning for on-premises Exchange servers vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, a constellation of bugs known collectively as ProxyShell. Microsoft fixed the vulnerabilities in March.
“When they identified vulnerable servers, Phosphorus tried to persist on the target systems,” said Microsoft. “In some cases, the actors downloaded a Plink runner called MicrosoftOutLookUpdater.exe. This file would beacon to their C2 servers at regular intervals via SSH so that the actors could issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim’s system by modifying the startup registry keys and ultimately acted as a loader for downloading additional tools.”