On November 17, U.S., Australian and British cybersecurity agencies said that an Iran-backed hacking group was targeting the transportation and healthcare sectors in the United States as well as Australian organizations. The hackers were trying to access firms’ computer networks by exploiting vulnerabilities in software developed by Microsoft and Fortinet (a cybersecurity firm). The hackers “can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” according to an advisory co-authored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and Britain’s National Cyber Security Centre (NCSC).
In a separate blog post, Microsoft said that six distinct groups linked to Iran were deploying ransomware, which typically encrypts data until the victim pays the hackers. The company warned that Iranian capabilities had improved since September 2020. “As Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations,” Microsoft said on November 16. The following are excerpts from the joint advisory and Microsoft’s report.
Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
This joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.
The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.
This advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that FBI, CISA, ACSC, and NCSC assess are likely associated with this Iranian government-sponsored APT activity.
The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.
Threat Actor Activity
Since at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities. Observed activity includes the following.
- In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591. The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks. Note: for previous FBI and CISA reporting on this activity, refer to Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks.
- In May 2021, these Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. The actors likely created an account with the username elie to further enable malicious activity. Note: for previous FBI reporting on this activity, refer to FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Initial Access for Malicious Activity.
- In June 2021, these APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20—which FBI and CISA judge are associated with Iranian government cyber activity—to further enable malicious activity against the hospital’s network. The APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity.
- As of October 2021, these APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability—CVE-2021-34473—to gain initial access to systems in advance of follow-on operations.
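The indicators above (the three IP addresses, the account name, the FortiOS port sweep, and the ProxyShell vector) are the kind of thing a defender wants to turn into a log check the same day. The following is an added example, not tooling from the advisory or its authors: it runs the advisory's indicators over constructed sample lines. The firewall line format (`src=... dst=... dport=...`), the W3C-style IIS line layout, and the assumption that ProxyShell exploitation appears as `autodiscover.json` requests carrying an `@` in the query string (the pattern public ProxyShell write-ups describe) are mine; all sample lines are constructed with RFC 5737 documentation addresses.

```python
"""Added example (not the advisory's own tooling): triage log lines against
the indicators quoted in the advisory.

Assumptions, mine rather than the advisory's:
  * a generic key=value firewall line ('src=... dst=... dport=...');
  * a W3C-style IIS line (date time s-ip cs-method cs-uri-stem cs-uri-query ...);
  * ProxyShell exploitation shows up as autodiscover.json requests whose query
    string carries an '@', the pattern described in public ProxyShell write-ups.
All sample lines below are constructed, with RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict

# Indicators quoted in the advisory.
IOC_IPS = {"91.214.124.143", "162.55.137.20", "154.16.192.70"}
IOC_USERNAMES = {"elie"}
FORTI_SSL_VPN_PORTS = {4443, 8443, 10443}   # ports scanned for CVE-2018-13379

FW_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")
IIS_RE = re.compile(r"^\S+ \S+ \S+ (?P<method>\S+) (?P<path>\S+) (?P<query>\S+)")

# Constructed firewall log: one host sweeping the three FortiOS ports across
# three targets, ordinary HTTPS traffic, and a hit from an advisory IOC address.
FIREWALL_LOG = """\
2021-03-02T10:00:01Z src=203.0.113.9 dst=198.51.100.10 dport=4443 action=allow
2021-03-02T10:00:02Z src=203.0.113.9 dst=198.51.100.11 dport=8443 action=allow
2021-03-02T10:00:03Z src=203.0.113.9 dst=198.51.100.12 dport=10443 action=allow
2021-03-02T10:00:04Z src=198.51.100.5 dst=198.51.100.10 dport=443 action=allow
2021-06-10T03:12:44Z src=154.16.192.70 dst=198.51.100.20 dport=443 action=allow
""".splitlines()

# Constructed Exchange IIS log: a normal OWA request and a ProxyShell-style probe.
IIS_LOG = """\
2021-10-05 09:13:59 198.51.100.30 GET /owa/ - 443 - 198.51.100.40 Mozilla/5.0 - 200 0 0 12
2021-10-05 09:14:02 198.51.100.30 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.77 python-requests/2.25 - 200 0 0 88
""".splitlines()

# Constructed account-audit events: (action, username).
ACCOUNT_EVENTS = [("account_created", "svc_backup"), ("account_created", "elie"), ("logon", "elie")]


def scan_firewall(lines, min_targets=3):
    """Return (kind, source_ip, detail) hits: advisory IOC sources, and sources
    probing the FortiOS SSL-VPN ports on at least `min_targets` distinct hosts."""
    hits, probed = [], defaultdict(set)
    for line in lines:
        m = FW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if src in IOC_IPS:
            hits.append(("ioc_ip", src, line.strip()))
        if dport in FORTI_SSL_VPN_PORTS:
            probed[src].add(dst)
    for src, targets in sorted(probed.items()):
        if len(targets) >= min_targets:
            hits.append(("fortios_port_sweep", src, f"{len(targets)} hosts"))
    return hits


def scan_iis(lines):
    """Return (kind, log_line) hits for ProxyShell-style autodiscover requests."""
    hits = []
    for line in lines:
        m = IIS_RE.match(line)
        if not m:
            continue
        if m["path"].lower().startswith("/autodiscover/autodiscover.json") and "@" in m["query"]:
            hits.append(("proxyshell_autodiscover", line.strip()))
    return hits


def scan_accounts(events):
    """Return advisory-named usernames that the audit trail shows being created."""
    return sorted({u for action, u in events
                   if action == "account_created" and u.lower() in IOC_USERNAMES})


if __name__ == "__main__":
    for hit in scan_firewall(FIREWALL_LOG) + scan_iis(IIS_LOG):
        print(*hit)
    print("ioc accounts created:", scan_accounts(ACCOUNT_EVENTS))
```

The port-sweep rule deliberately keys on distinct destination hosts rather than raw hit counts, so a single legitimate administrator connecting to one FortiGate on 10443 does not trip it. Treat the IP list as a starting point only: the advisory's addresses will age out, and the sweep and autodiscover patterns are the parts that keep paying off.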
Microsoft Threat Intelligence Center
Evolving trends in Iranian threat actor activity
Over the past year, the Microsoft Threat Intelligence Center (MSTIC) has observed a gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran. At CyberWarCon 2021, MSTIC analysts presented their analysis of these trends in Iranian nation state actor activity during a session titled “The Iranian evolution: Observed changes in Iranian malicious network operations”. This blog is intended to summarize the content of that research and the topics covered in their presentation and demonstrate MSTIC’s ongoing efforts to track these actors and protect customers from the related threats.
Three notable trends in Iranian nation-state operators have emerged:
- They are increasingly utilizing ransomware to either collect funds or disrupt their targets.
- They are more patient and persistent while engaging with their targets.
- While Iranian operators are more patient and persistent with their social engineering campaigns, they continue to employ aggressive brute force attacks on their targets.
Since September 2020, MSTIC has observed six Iranian threat groups deploying ransomware to achieve their strategic objectives. These ransomware deployments were launched in waves every six to eight weeks on average.
Patience and persistence
MSTIC has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them. These operations likely required significant investment in the operator’s time and resources to refine and execute. This trend indicates PHOSPHORUS is either moving away from or expanding on their past tactics of sending unsolicited links and attachments in spear-phishing email campaigns to attempt credential theft.
PHOSPHORUS – Patient and persistent
PHOSPHORUS sends “interview requests” to target individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, PHOSPHORUS attackers send a link to a benign list of interview questions hosted on a cloud service provider. The attackers continue with several back-and-forth conversations discussing the questions with the target user before finally sending a meeting invite with a link masquerading as a Google Meeting.
Once the meeting invite is sent, the attackers continuously reach out to the target user, asking them to test the Google Meeting link. The attackers contact the targeted user multiple times per day, continuously pestering them to click the link. The attackers even go so far as to offer to call the target user to walk them through clicking the link. The attackers are more than willing to troubleshoot any issues the user has signing into the fake Google Meeting link, which leads to a credential harvesting page.
MSTIC has observed PHOSPHORUS operators become very aggressive in their emails after the initial lure is sent, to the point where they are almost demanding a response from the targeted user.
CURIUM – In it for the long run
CURIUM is another Iranian threat actor group that has shown a great deal of patience when targeting users. Instead of phishing emails, CURIUM actors leverage a network of fictitious social media accounts to build trust with targets and deliver malware.
These attackers have followed the following playbook:
- Masquerade as an attractive woman on social media
- Establish a connection with the target user via social media (LinkedIn, Facebook, etc.)
- Chat with the target daily
- Send benign videos of the woman to the target to prime them to lower their guard
- Send malicious files to the target similar to the benign files previously sent
- Request that the target user open the malicious document
- Exfiltrate data from the victim machine
The process above can take multiple months from the initial connection to the delivery of the malicious document. The attackers build a relationship with target users over time by having constant and continuous communications which allows them to build trust and confidence with the target. In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.
By exercising patience, building relationships, and pestering targets continuously once a relationship has been formed, Iranian threat actors have had more success in compromising their targets.
In 2021, MSTIC observed DEV-0343 aggressively targeting Office 365 tenants via an ongoing campaign of password spray attacks. DEV-0343 is a threat actor MSTIC assesses to be likely operating in support of Iranian interests. MSTIC has blogged about DEV-0343 activity previously.
Analysis of Office 365 logs suggests that DEV-0343 is using a red team tool like o365spray to conduct these attacks.
Targeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.
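A password spray is designed to stay under per-account lockout thresholds: one or two passwords tried against many accounts, rather than many passwords against one. That shape is what makes it detectable in tenant sign-in logs. The following is an added example, not MSTIC's code, that groups failed sign-ins by source address and time window and reports sources whose failures cover many distinct accounts with only a couple of attempts each, then lists any of those accounts that went on to succeed from the same source. The event structure and sample rows are constructed; the failure code 50126 is Azure AD's "invalid username or password" sign-in error, and the thresholds are tuning assumptions.

```python
"""Added example (not MSTIC's code): flag a password-spray pattern in
Azure AD / Office 365 sign-in events. Event shape and sample rows are
constructed; 50126 is Azure AD's "invalid username or password" sign-in
error, the code a spray of wrong passwords leaves behind. Thresholds are
assumptions to tune per tenant."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


@dataclass(frozen=True)
class SignIn:
    time: datetime
    user: str
    ip: str
    code: int  # 0 = success, 50126 = invalid username or password


def build_sample_events():
    """Constructed sample: one spraying source and one noisy-but-benign one."""
    t0 = datetime(2021, 10, 1, 2, 0, 0)
    events = []
    # Spray: 12 distinct accounts, one wrong password each, a minute apart,
    # then a success against one of them (the password landed).
    for i in range(12):
        events.append(SignIn(t0 + timedelta(minutes=i), f"user{i:02d}@example.com", "203.0.113.50", 50126))
    events.append(SignIn(t0 + timedelta(minutes=13), "user07@example.com", "203.0.113.50", 0))
    # One person mistyping their own password five times from the office:
    # many failures against one account, so not a spray.
    for i in range(5):
        events.append(SignIn(t0 + timedelta(minutes=i), "alice@example.com", "198.51.100.7", 50126))
    events.append(SignIn(t0 + timedelta(minutes=6), "alice@example.com", "198.51.100.7", 0))
    return events


def detect_password_spray(events, window=timedelta(minutes=30), min_users=10, max_per_user=2):
    """One finding per (source IP, time window) in which failed sign-ins touch at
    least `min_users` distinct accounts with no more than `max_per_user` failures
    each: the low-and-slow shape that stays under per-account lockout thresholds.
    Accounts that then succeed from the same source are listed for follow-up."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.ip, int((e.time - EPOCH) / window))].append(e)

    findings = []
    for (ip, idx), evs in sorted(buckets.items()):
        failures, successes = defaultdict(int), set()
        for e in evs:
            if e.code == 0:
                successes.add(e.user)
            else:
                failures[e.user] += 1
        sprayed = {u for u, n in failures.items() if n <= max_per_user}
        if len(sprayed) >= min_users:
            findings.append({
                "ip": ip,
                "window_start": EPOCH + idx * window,
                "distinct_users": len(sprayed),
                "possibly_compromised": sorted(successes & sprayed),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(build_sample_events()):
        print(finding)
```

Bucketing by source address is the simplest cut; a spray spread across a rotating proxy pool will need the same logic keyed on user agent or on the tenant as a whole instead. The `possibly_compromised` list is the actionable output: a success from an address that has just failed against a dozen other accounts is the account to reset first.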
Closing thoughts: Increasingly capable threat actors
As Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:
- Information operations
- Disruption and destruction
- Support to physical operations
Specifically, Iranian operators have proven themselves to be both willing and able to:
- Deploy ransomware
- Deploy disk wipers
- Deploy mobile malware
- Conduct phishing attacks
- Conduct password spray attacks
- Conduct mass exploitation attacks
- Conduct supply chain attacks
- Cloak C2 communications behind legitimate cloud services