
Iranian hackers are hunting down critical US infrastructure


Organizations responsible for critical infrastructure in the US are being targeted by Iranian government-sponsored hackers who are exploiting known vulnerabilities in Microsoft and Fortinet enterprise products, government officials from the US, UK and Australia warned on Wednesday.

A joint advisory published Wednesday said that an advanced persistent threat group affiliated with the Iranian government is exploiting vulnerabilities in Microsoft Exchange and in Fortinet’s FortiOS, which forms the basis for the company’s security offerings. All of the vulnerabilities have been patched, but not all users of the products have installed the updates. The advisory was issued by the FBI, the US Cybersecurity and Infrastructure Security Agency, the UK’s National Cyber Security Centre and the Australian Cyber Security Centre.

A variety of targets

“Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations,” the advisory stated. “FBI, CISA, ACSC and NCSC assess [that] the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”

The advisory said the FBI and CISA have observed the group exploiting the Fortinet vulnerability since at least March and the Microsoft Exchange vulnerability since at least October to gain initial access to systems. The hackers then initiate follow-on operations, including deploying ransomware.

In May, the attackers targeted an unnamed US municipality, where they likely created an account with the username “elie” to further penetrate the compromised network. A month later, they broke into a US-based hospital that specializes in children’s health. The latter attack likely involved Iran-linked servers at 91.214.124[.]143, 162.55.137[.]20 and 154.16.192[.]70.

Last month, the APT actors exploited Microsoft Exchange vulnerabilities that allowed them to gain initial access to systems before carrying out follow-on operations. Australian authorities said they also observed the group using the Exchange vulnerability.

Watch out for Unauthorized User Accounts

The hackers may have created new user accounts on domain controllers, servers, workstations, and Active Directory within the networks they infiltrated. Some of the accounts appear to mimic existing accounts, so the usernames will differ from one targeted organization to another. The advisory says security personnel should look for unrecognized accounts and pay special attention to usernames such as Support, Help, elie, and WADGUtilityAccount.

The advisory came a day after Microsoft reported that an Iran-linked group it calls Phosphorus is increasingly using ransomware to generate revenue or disrupt competitors. Microsoft added that the group used “active brute force attacks” on its targets.

Earlier this year, Microsoft said, Phosphorus scanned millions of IP addresses looking for FortiOS systems that still lacked the security fix for CVE-2018-13379. The vulnerability allows hackers to harvest clear-text credentials that are used to remotely access the server. By that means, Phosphorus collected credentials from more than 900 Fortinet servers in the US, Europe, and Israel.

More recently, Phosphorus moved to scanning for on-premises Exchange Servers vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, a cluster of vulnerabilities known as ProxyShell. Microsoft fixed the holes in March.

“Once they identified the vulnerable servers, Phosphorus sought to gain persistence on the target systems,” Microsoft said. “In some cases, actors downloaded a Plink runner named MicrosoftOutLookUpdater.exe. This file will periodically signal to their C2 servers via SSH, allowing the agents to issue other commands. The actors would then download the custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying the startup registry keys and eventually acting as a loader to download additional tools.”

Identifying High-Value Targets

The Microsoft blog post also said that, after gaining persistent access, the hackers triaged hundreds of victims to identify the most interesting targets for follow-on attacks. The hackers then created a local administrator account with the username “help” and the password “_AS_@1394”. In some cases, the actors dumped LSASS to obtain credentials for later use.
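As an added defender-side example (not from the advisory or Microsoft's post), the following PowerShell hunt checks a Windows host for the indicators the article names: the watchlist usernames from the advisory, Security-log account-creation events for those names, and Run-key entries referencing MicrosoftOutLookUpdater.exe. The 90-day lookback and the particular Run keys inspected are assumptions of this example.

```powershell
# Added hunt script; run in an elevated PowerShell session on the host being
# checked. Output is a list of matches to review, not a verdict of compromise.

# Usernames the joint advisory tells defenders to look for.
$WatchUsers    = @('Support', 'Help', 'elie', 'WADGUtilityAccount')
# Binary name Microsoft reported for the Plink runner.
$WatchBinaries = @('MicrosoftOutLookUpdater.exe')
$findings = @()

# 1. Local accounts whose names match the watchlist (-contains is case-insensitive).
foreach ($u in Get-LocalUser) {
    if ($WatchUsers -contains $u.Name) {
        $findings += [pscustomobject]@{ Check='LocalUser'; Detail=$u.Name; Extra="Enabled=$($u.Enabled)" }
    }
}

# 2. Account-creation events (Security log, Event ID 4720) for watchlist names.
#    On a domain controller these also cover domain accounts. 90-day window is an assumption.
$since = (Get-Date).AddDays(-90)
try {
    $events = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4720; StartTime=$since } -ErrorAction Stop
} catch { $events = @() }   # Get-WinEvent errors when nothing matches; treat as empty
foreach ($e in $events) {
    $xml     = [xml]$e.ToXml()
    $target  = ($xml.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
    $creator = ($xml.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text'
    if ($WatchUsers -contains $target) {
        $findings += [pscustomobject]@{ Check='AccountCreated'; Detail=$target; Extra="By=$creator At=$($e.TimeCreated)" }
    }
}

# 3. Startup (Run) registry keys whose values reference the reported loader binary.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        foreach ($b in $WatchBinaries) {
            if ("$($p.Value)" -like "*$b*") {
                $findings += [pscustomobject]@{ Check='RunKey'; Detail="$k\$($p.Name)"; Extra=$p.Value }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No matches for the listed indicators.' }
```

Because the advisory notes that account names vary per organization, treat the watchlist as a starting point and extend it with any unrecognized accounts found during review.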

Microsoft also said it observed the group using Microsoft’s BitLocker full-disk encryption feature, which is designed to protect data and prevent unauthorized software from running.
