Mon. Dec 6th, 2021


Critical infrastructure in the United States is in the crosshairs of Iranian government hackers who are exploiting known vulnerabilities in enterprise products from Microsoft and Fortinet, government officials in the United States, the United Kingdom and Australia warned on Wednesday.

A joint advisory published on Wednesday revealed that an advanced persistent threat (APT) hacking group affiliated with the Iranian government is exploiting vulnerabilities in Microsoft Exchange and in Fortinet's FortiOS, the operating system that underpins the company's security offerings. All of the identified vulnerabilities have been patched, but not everyone who uses the products has installed the updates. The advisory was published by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the UK's National Cyber Security Centre (NCSC) and the Australian Cyber Security Centre (ACSC).

A wide range of targets

“Iranian government-sponsored APT actors are actively targeting a wide range of victims across multiple US critical infrastructure sectors, including the transportation sector and the healthcare and public health sector, as well as Australian organizations,” the advisory said. “The FBI, CISA, ACSC, and NCSC assess [that] the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”

The advisory said the FBI and CISA have observed the group exploiting Fortinet vulnerabilities since at least March, and Microsoft Exchange vulnerabilities since at least October, to gain initial access to systems. The hackers then begin follow-on activity that includes deploying ransomware.

In May, the attackers targeted an unnamed US municipality, where they likely created an account with the username “elie” to further their access to the compromised network. A month later, they hacked a US-based hospital that specializes in healthcare for children. The latter attack likely involved Iran-linked servers at 91.214.124[.]143, 162.55.137[.]20, and 154.16.192[.]70.

Last month, the APT actors exploited Microsoft Exchange vulnerabilities to gain initial access to systems ahead of follow-on operations. Australian authorities said they have also observed the group exploiting the Exchange flaws.

Beware of unrecognized user accounts

The hackers may have created new user accounts in the Active Directory of domain controllers, servers, workstations and networks they compromised. Some of the accounts appear to mimic existing ones, so the usernames often differ from one target organization to the next. The advisory says network security personnel should look for unrecognized accounts, paying particular attention to usernames such as Support, Help, elie, and WADGUtilityAccount.
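The two concrete indicators the advisory hands defenders are the watch-list usernames above and the three Iran-linked server addresses mentioned earlier. The following Python is an added example (not code from the advisory or the article) showing how a responder might sweep exported logs for both: Windows Security event 4720 (a user account was created) records for the listed usernames, and firewall records for connections to the listed addresses. The log line layout and all sample records are constructed for this example; a real SIEM export will have its own field names.

```python
import re

# Usernames the joint advisory tells defenders to look for (matched case-insensitively).
WATCHLIST_USERNAMES = {"support", "help", "elie", "wadgutilityaccount"}

# Servers named in the advisory, written defanged ("[.]") as advisories usually do.
ADVISORY_IPS_DEFANGED = ["91.214.124[.]143", "162.55.137[.]20", "154.16.192[.]70"]


def refang(ip: str) -> str:
    """Turn the defanged 1.2.3[.]4 form back into a plain dotted-quad string."""
    return ip.replace("[.]", ".")


ADVISORY_IPS = {refang(ip) for ip in ADVISORY_IPS_DEFANGED}

# Constructed sample: Windows Security events flattened to one key=value line each,
# the way a SIEM export might present them. 4720 = account created, 4728 = added to group.
SAMPLE_EVENTS = [
    "EventID=4720 SubjectUserName=jdoe TargetUserName=svc_backup TargetDomainName=CORP",
    "EventID=4720 SubjectUserName=Administrator TargetUserName=Help TargetDomainName=WS-0417",
    "EventID=4720 SubjectUserName=Administrator TargetUserName=elie TargetDomainName=CORP",
    "EventID=4720 SubjectUserName=jsmith TargetUserName=WADGUtilityAccount TargetDomainName=CORP",
    "EventID=4728 SubjectUserName=Administrator TargetUserName=Help TargetDomainName=WS-0417",
]

# Constructed sample firewall records (timestamp first, then key=value fields).
SAMPLE_FIREWALL = [
    "2021-06-02T03:14:07Z action=allow src=10.20.30.40 dst=91.214.124.143 dport=443",
    "2021-06-02T03:15:11Z action=allow src=10.20.30.41 dst=142.250.80.46 dport=443",
    "2021-06-02T03:16:59Z action=allow src=10.20.30.40 dst=162.55.137.20 dport=22",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> dict:
    """Parse 'key=value' pairs from a flattened log line into a dict."""
    return dict(FIELD_RE.findall(line))


def find_watchlist_account_creations(events):
    """Return (username, domain, creator) for every 4720 event whose new account is on the watch list."""
    hits = []
    for line in events:
        fields = parse_kv(line)
        if fields.get("EventID") != "4720":
            continue  # only account-creation events are of interest here
        name = fields.get("TargetUserName", "")
        if name.lower() in WATCHLIST_USERNAMES:
            hits.append((name, fields.get("TargetDomainName", ""), fields.get("SubjectUserName", "")))
    return hits


def find_advisory_ip_connections(lines):
    """Return (timestamp, field, ip) for every firewall record touching an advisory address."""
    hits = []
    for line in lines:
        fields = parse_kv(line)
        for key in ("src", "dst"):
            if fields.get(key) in ADVISORY_IPS:
                hits.append((line.split()[0], key, fields[key]))
    return hits


if __name__ == "__main__":
    for name, domain, creator in find_watchlist_account_creations(SAMPLE_EVENTS):
        print(f"watch-list account created: {domain}\\{name} by {creator}")
    for ts, key, ip in find_advisory_ip_connections(SAMPLE_FIREWALL):
        print(f"{ts}: {key}={ip} matches advisory indicator")
```

A hit on a username is a lead, not a verdict: the advisory notes the actors mimic existing accounts, so each match should be compared against the organisation's own account inventory before escalating.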

The advisory comes a day after Microsoft reported that an Iranian-affiliated group it calls Phosphorus is increasingly using ransomware to generate revenue or disrupt adversaries. The group has deployed “aggressive brute force attacks” against targets, Microsoft added.

Earlier this year, Microsoft said, Phosphorus scanned millions of IP addresses in search of FortiOS systems that had not yet installed the security fixes for CVE-2018-13379. The flaw allows attackers to collect clear-text credentials used to remotely access the servers. Phosphorus collected credentials from more than 900 Fortinet servers in the United States, Europe and Israel.

More recently, Phosphorus moved to scanning vulnerable on-premises Exchange servers for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, a constellation of flaws known as ProxyShell. Microsoft patched the vulnerabilities in March.

“When they identified the vulnerable servers, Phosphorus sought to gain persistence on the target systems,” Microsoft said. “In some instances, the actors downloaded a Plink runner named MicrosoftOutlookUpdater.exe. This file would periodically beacon to their C2 server via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant modifies the startup registry keys and ultimately acts as a loader to download additional tools, establishing persistence on the victim system.”
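Two details in that description are directly actionable for defenders: the implant arrives as a Base64-encoded PowerShell command, and it modifies startup registry keys. Encoded PowerShell is opaque in process-creation logs until decoded, so a common triage step is to decode the `-EncodedCommand` argument (PowerShell expects UTF-16LE text, Base64-encoded) and flag scripts that touch autostart locations. The Python below is an added example, not Microsoft's or the article's code; the autostart patterns it checks (the `CurrentVersion\Run` and `RunOnce` keys plus the cmdlets that write registry values) are an assumed minimal list, and the sample command line is constructed and harmless (it only reads a Run key).

```python
import base64
import re
from typing import Optional

# Assumed minimal set of autostart-related patterns to flag in decoded scripts.
AUTOSTART_PATTERNS = [
    re.compile(r"CurrentVersion\\Run(Once)?\b", re.IGNORECASE),
    re.compile(r"Set-ItemProperty|New-ItemProperty|reg(\.exe)?\s+add", re.IGNORECASE),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENCODED_FLAG_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script from a process command line, or None if it has no encoded command."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: treat as not decodable rather than crash the triage loop


def encode_for_powershell(script: str) -> str:
    """Build the UTF-16LE/Base64 form PowerShell expects; used here only to construct the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(cmdline: str) -> dict:
    """Decode an encoded command (if any) and list which autostart patterns the script references."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"encoded": False, "decoded": None, "autostart_refs": []}
    refs = [p.pattern for p in AUTOSTART_PATTERNS if p.search(decoded)]
    return {"encoded": True, "decoded": decoded, "autostart_refs": refs}


# Constructed, harmless sample script: reads (does not write) the current user's Run key.
SAMPLE_SCRIPT = "Get-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'"
SAMPLE_CMDLINE = "powershell.exe -NoProfile -EncodedCommand " + encode_for_powershell(SAMPLE_SCRIPT)
PLAIN_CMDLINE = "powershell.exe -NoProfile -Command Get-Date"


if __name__ == "__main__":
    for cmd in (SAMPLE_CMDLINE, PLAIN_CMDLINE):
        result = triage(cmd)
        print("encoded:", result["encoded"])
        print("decoded:", result["decoded"])
        print("autostart refs:", result["autostart_refs"])
```

The decoded text is what a detection rule should inspect; matching on the Base64 blob itself is brittle because a one-character change to the script changes the whole encoding. A script that merely reads a Run key, as the sample does, is noisy rather than malicious, so the autostart flag is best combined with the process lineage (an Exchange worker or IIS process spawning PowerShell) before it is escalated.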

Identify high-value targets

The Microsoft blog post goes on to say that, after gaining persistent access, the hackers triaged hundreds of victims to identify the most lucrative targets for follow-on attacks. The hackers then created a local administrator account with the username “Help” and the password “_AS_@1394”. In some cases, the actors dumped LSASS to obtain credentials for later use.

Microsoft also said it observed the group using Microsoft's BitLocker full-disk encryption feature, which is designed to protect data and prevent unauthorized software from running.


By admin