The US, UK, and Australian agencies issued a joint cybersecurity alert over Iranian APT actors exploiting Fortinet and Microsoft Exchange ProxyShell vulnerabilities to compromise critical infrastructure entities.
After exploitation, the Iranian government-sponsored APT actors exfiltrated data and deployed ransomware to extort the victims.
The agencies observed Iranian APT groups scanning for the Microsoft Exchange ProxyShell vulnerability since October 2021, while the groups had been actively exploiting Fortinet vulnerabilities since March 2021.
Iranian APT groups target known vulnerabilities instead of specific industries
The joint advisory noted that the Iranian APT groups have actively targeted critical infrastructure in the healthcare, transportation, and public sectors, as well as Australian organizations.
However, the groups focus on high-impact known Exchange Server and Fortinet FortiOS vulnerabilities rather than on specific industries.
According to the advisory, the Iranian APT groups leveraged Microsoft Exchange Server Remote Code Execution (RCE) Vulnerability CVE-2021-34473 (CVSS 9.8) to gain access. They also leveraged Fortinet FortiOS improper authentication vulnerability in SSL VPN CVE-2020-12812 (CVSS 9.8), FortiOS default configuration vulnerability CVE-2019-5591 (CVSS 6.5), and FortiOS Path Traversal vulnerability CVE-2018-13379 (CVSS 9.8).
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) observed Iranian APT groups scanning devices on ports 4443, 8443, and 10443 for FortiOS vulnerabilities.
However, the joint advisory did not attribute the critical infrastructure attacks to specific threat actors.
Previously, Iran’s Fox Kitten group was observed targeting critical infrastructure and had exploited the FortiOS vulnerability.
Mr. Crain Mueller, Vice President of Federal Sales at iBoss, says that Russian state-sponsored hackers are not the only threat to U.S. critical infrastructure.
“Iran has proven to be an adversary capable of sowing chaos through sophisticated attacks and new reports that it may be targeting our transportation and healthcare sector should be chilling. As we saw last spring with the JBS Pipeline attack, our nation’s infrastructure has serious vulnerabilities, and a successful attack on these sectors could be devastating.”
Iranian hackers use legitimate tools to compromise critical infrastructure entities
The Iranian APT groups leveraged legitimate and malicious tools, including Mimikatz for stealing credentials, WinPEAS for privilege escalation, Windows Management Instrumentation (SharpWMI), WinRAR for compressing stolen data, and FileZilla for uploading stolen files over FTP.
Additionally, the Iranian APT groups scheduled tasks using the Windows Task Scheduler and enabled BitLocker encryption on the victim's systems before sending or leaving a threatening ransom note.
Similarly, the Iranian APT groups created accounts mimicking existing ones to trick domain administrators and maintain persistence.
The FBI and CISA associated rogue accounts, including Active Directory accounts named Support, Help, WADGUtilityAccount, and elie, with the Iranian hacking activity. However, the account names varied depending on the compromised network.
The joint advisory highlighted an incident in May 2021, when Iranian APT groups breached a municipal government and created an account with the username elie.
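A defender-side hunt for the account activity described above, written for this article as an added example (not code from the advisory or the agencies). It scans constructed, JSON-per-line exports of Windows Security events for new accounts matching the advisory's names, new accounts that closely mimic existing ones, and any action taken by one of the flagged names; the event field names, the sample events and the inventory of existing accounts are assumptions for illustration.

```python
import json
from difflib import SequenceMatcher

# Account names the joint advisory associates with this activity (taken from the article).
ADVISORY_ACCOUNT_NAMES = {"support", "help", "wadgutilityaccount", "elie"}

# Constructed sample of exported Windows Security events, one JSON object per line.
# 4720 = user account created, 4698 = scheduled task created, 4624 = logon. Not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 4720, "TargetUserName": "elie", "SubjectUserName": "admin01", "TimeCreated": "2021-05-03T02:14:07Z"}
{"EventID": 4720, "TargetUserName": "jsmith", "SubjectUserName": "admin01", "TimeCreated": "2021-05-03T09:00:00Z"}
{"EventID": 4720, "TargetUserName": "svc-backups", "SubjectUserName": "Support", "TimeCreated": "2021-05-03T02:15:00Z"}
{"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\SyncCheck", "SubjectUserName": "elie", "TimeCreated": "2021-05-03T02:20:00Z"}
{"EventID": 4624, "TargetUserName": "jdoe", "TimeCreated": "2021-05-03T10:00:00Z"}
"""

# Constructed inventory of accounts that legitimately existed before the hunt window.
EXISTING_ACCOUNTS = {"admin01", "svc-backup", "jdoe"}


def lookalike(name, existing, threshold=0.85):
    """Return an existing account that the new name closely mimics, or None."""
    n = name.lower()
    for e in existing:
        if e.lower() != n and SequenceMatcher(None, n, e.lower()).ratio() >= threshold:
            return e
    return None


def hunt(events_text, existing_accounts):
    """Scan exported events and return (rule, detail, time) tuples worth triage."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid, when = ev.get("EventID"), ev.get("TimeCreated")
        actor = ev.get("SubjectUserName", "").lower()
        if eid == 4720:  # new account: compare against advisory names and existing accounts
            new = ev["TargetUserName"]
            if new.lower() in ADVISORY_ACCOUNT_NAMES:
                findings.append(("advisory_account_name", new, when))
            twin = lookalike(new, existing_accounts)
            if twin:
                findings.append(("lookalike_account", f"{new} ~ {twin}", when))
        if actor in ADVISORY_ACCOUNT_NAMES:  # any action taken by one of the flagged names
            findings.append(("action_by_advisory_account", f"{eid} by {actor}", when))
    return findings


if __name__ == "__main__":
    for rule, detail, when in hunt(SAMPLE_EVENTS, EXISTING_ACCOUNTS):
        print(f"{when}  {rule:28s}  {detail}")
```

The lookalike rule is deliberately fuzzy, so treat its hits as triage leads to confirm against the account inventory rather than as confirmed compromise.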
Cybersecurity agencies issued security guidelines to defend against Iranian hackers
The FBI, CISA, NCSC, and ACSC directed system administrators to check for indicators of compromise and patch their systems to degrade the ability of Iranian APT groups to exploit known vulnerabilities.
Additionally, they should update their Block and Allow lists, enforce backup and restoration policies, segment their networks, implement multi-factor authentication, and enforce strong passwords. System administrators should monitor RDP access logs, disable unused RDP ports and restrict remote users to certain resources. They should also disable hyperlinks in external emails and add warning banners to reduce the risk of phishing. Additionally, they should audit account privileges and implement role-based access controls, according to the joint cybersecurity advisory.
CISA Executive Director Brandon Wales noted that human behavior remains the Achilles' heel of cybersecurity.
“And while certain steps, such as spotting phishing attempts, implementing multi-factor authentication or patching vulnerabilities are easily implemented at the individual level, they are much more difficult to implement community, business or organization-wide.”
Wales also noted that CISA’s ability to patch known vulnerabilities was limited by the number of incidents reported.
“This hampers our ability to conduct critical analysis, spot adversary campaigns, release mitigation guidance, and provide [a] timely response, leaving critical infrastructure vulnerable and that is unacceptable.”
He urged Congress to pass mandatory ransomware incident reporting requirements for critical infrastructure entities.