Iranian threat actors who are likely sponsored by the country’s government have for the last several months been exploiting known vulnerabilities in Fortinet security appliances and the ProxyShell flaw in Microsoft Exchange servers to gain access to organizations in several industries in the United States, UK, and Australia, including hospitals and government agencies, according to a new alert from the U.S. government.
The activity has been ongoing since at least March, and the attackers have used a handful of separate vulnerabilities to compromise target networks, most prominently the ProxyShell bug in Exchange that has been public since July. In a new alert published Wednesday, the FBI, the Cybersecurity and Infrastructure Security Agency, and agencies from the UK and Australia attributed the attacks to “Iranian government-sponsored APT actors”, but did not specifically name a group. However, in a talk at Cyberwarcon Tuesday, Microsoft Threat Intelligence Center researchers described in detail operations by the Phosphorus APT group based in Iran that closely matched techniques and tactics used in the intrusions mentioned in the new alert.
Phosphorus is a prolific attack group, and it is known to have run a number of successful campaigns recently, including one targeting medical researchers in December. The group conducted a targeted phishing campaign against senior researchers in a variety of organizations, and in other campaigns it has gone after critical infrastructure entities. In 2019, Microsoft took down a big chunk of the Phosphorus infrastructure, and security researchers and law enforcement agencies follow the group closely.
The group described in the new CISA alert has been seen exploiting three individual vulnerabilities in Fortinet appliances, including a three-year-old path traversal flaw in FortiOS. The attackers also have been exploiting one of the vulnerabilities in Exchange (CVE-2021-34473) that makes up the ProxyShell chain.
“FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia,” the advisory says.
“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations.”
In a couple of the intrusions that the CISA alert calls out, the attackers specifically targeted Fortinet Fortigate appliances that had known vulnerabilities, exploited them, and then took further actions in order to maintain persistent access.
“In May 2021, these Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. The actors likely created an account with the username elie to further enable malicious activity,” the alert says.
“In June 2021, these APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. The APT actors accessed known user accounts at the hospital. The Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization.”
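The look-alike account names the advisory describes suggest one concrete detection check: compare every newly created account against the names already in the directory. The following is an added example, not code from the advisory or the agencies; it assumes a constructed, simplified layout for Windows Security event 4720 ("A user account was created") rather than the real EVTX schema.

```python
import difflib
import re
from typing import List, Tuple

# Constructed list of accounts that already exist in the directory.
EXISTING_ACCOUNTS = ["svc_backup", "jsmith", "helpdesk", "admin_ops"]

# Constructed records in a simplified 4720-style layout (an assumption,
# not the real EVTX schema); 4624 is a logon and must be ignored.
SAMPLE_EVENTS = [
    "2021-06-03T02:14:07Z EventID=4720 SubjectUser=jsmith NewAccount=svc_backups",
    "2021-06-03T02:15:22Z EventID=4720 SubjectUser=jsmith NewAccount=he1pdesk",
    "2021-06-03T02:16:40Z EventID=4720 SubjectUser=jsmith NewAccount=elie",
    "2021-06-03T09:01:00Z EventID=4720 SubjectUser=hr_admin NewAccount=mgarcia",
    "2021-06-03T09:05:00Z EventID=4624 SubjectUser=jsmith LogonType=10",
]

EVENT_RE = re.compile(r"EventID=(\d+)\b.*?\bNewAccount=(\S+)")
# Digit-for-letter swaps that make a forged name read like a real one.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})

def normalize(name: str) -> str:
    """Lower-case and fold digit look-alikes before comparing."""
    return name.lower().translate(CONFUSABLES)

def similarity(a: str, b: str) -> float:
    """difflib ratio in [0, 1]; 1.0 means identical after normalization."""
    return difflib.SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def find_lookalike_accounts(events: List[str], existing: List[str],
                            threshold: float = 0.85) -> List[Tuple[str, str, float]]:
    """Return (new_account, resembled_account, score) for each 4720 event whose
    new name is a near-duplicate of an existing account. Exact duplicates are not
    disguises and are skipped; an unrelated new name ("elie") is out of scope here."""
    hits = []
    for line in events:
        match = EVENT_RE.search(line)
        if not match or match.group(1) != "4720":
            continue
        new_name = match.group(2)
        candidates = [k for k in existing if k.lower() != new_name.lower()]
        best = max(candidates, key=lambda k: similarity(new_name, k), default=None)
        if best is not None and similarity(new_name, best) >= threshold:
            hits.append((new_name, best, round(similarity(new_name, best), 3)))
    return hits

if __name__ == "__main__":
    for new, known, score in find_lookalike_accounts(SAMPLE_EVENTS, EXISTING_ACCOUNTS):
        print(f"suspicious account {new!r} resembles {known!r} (score {score})")
```

A brand-new name with no resemblance to anything in the directory, like the advisory's "elie", is not caught by this comparison and needs a separate rule that alerts on any account creation outside the normal provisioning path.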
In most cases, the Iranian attackers are exploiting known, older vulnerabilities and using well-known techniques in order to stay present on target networks and move laterally. CISA recommends that organizations implement multi-factor authentication wherever possible to prevent attackers from gaining access to target accounts.