Microsoft and US, UK law enforcement warn about Iranian hacker groups

Hacker groups are reportedly exploiting Microsoft and Fortinet flaws and increasing their use of ransomware against targets

Iranian hacker groups are reportedly exploiting major vulnerabilities to deliver ransomware.

Nation-state threat actors engage in social engineering campaigns and brute-force attacks, aiming both to sabotage targets and to generate revenue.[1] Multiple reports claimed that persistent exploitation of Fortinet and Microsoft Exchange ProxyShell vulnerabilities allowed attackers to gain access to systems, run malicious processes and deploy ransomware. Australian cybersecurity agencies, in a joint advisory[2] with the UK and US, released a warning about the active exploitation of these vulnerabilities by state-sponsored actors.

FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.

According to the Microsoft Threat Intelligence Center report, at least six threat actors linked to the West Asian country were discovered using ransomware that demands cryptocurrency payments.[3] Ransomware deployment was launched in waves every six weeks on average. The group in question is named Phosphorus, also known as Charming Kitten or APT35.[4]

Attackers scanned internet-facing IP addresses for unpatched Fortinet FortiOS SSL VPN appliances and on-premises Exchange Servers to gain initial access. Once persistence on the vulnerable network was established, the attackers moved to the second stage: ransomware deployment.

Exploited since at least March 2021

FBI and CISA observed the exploitation and gathered information about activity that has been ongoing since March 2021 for the Fortinet flaws and since at least October 2021 for the Microsoft Exchange ProxyShell vulnerability.[5] Attackers gained access to systems and used the compromised devices to carry out further operations.

These Iranian hackers focus their attacks on the United States and on critical infrastructure sectors such as healthcare and transportation. Attacks aimed at Australian organizations were observed as well. The exploited bugs have severity scores of 6.5, 9.1, and two with 9.8.

The list of exploited vulnerabilities includes these critical flaws:

  • CVE-2021-34473 – Microsoft Exchange Server remote code execution flaw.
  • CVE-2020-12812 – FortiOS SSL VPN two-factor authentication bypass flaw that allows access to the system without authorization by changing the case of the username.
  • CVE-2018-13379 – FortiOS system file leak via the SSL VPN, triggered by a specially crafted HTTP resource request.

Attackers leveraging a network of fake social media accounts

The tactics of these attacks also included fictitious social media accounts that help hackers build trust with potential targets. Posing as attractive women online allows threat actors to engage targets over several months and create a relationship that eventually helps with malware delivery. Data exfiltration from the system becomes possible once files such as malware-laced documents are sent to the targeted victim.

Phosphorus and the threat actor named Curium were observed using such social engineering tactics to compromise targeted networks. Constant and continuous communication helped build the victim's confidence in the person behind the fake social media account. Attackers managed to trick people into believing that a genuine human connection had formed, and used this interaction to disguise the Iranian threat actor operations.

Another method used by the hacker groups is password spraying. US and EU defense technology companies were targeted with attacks aimed at their Office 365 tenants. These actors also managed to adapt and shift tactics when their particular goals and strategy changed. Different attack types such as cyber espionage, phishing, mobile malware and ransomware, wipers, and supply chain attacks helped the hackers become a more competent and advanced gang.
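As an added example, not taken from the article or from the agencies' advisory, the following detector flags the password-spraying pattern described above (one source IP failing logins across many distinct accounts in a short window) when run over constructed Office 365-style sign-in lines. The log format, IP addresses, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data). One source IP tries a
# password against many accounts and eventually succeeds on one; another
# source is a single user who mistypes a password twice and then logs in.
SAMPLE_EVENTS = [
    "2021-11-02T08:00:01Z 198.51.100.7 alice@example.com FAILURE",
    "2021-11-02T08:00:03Z 198.51.100.7 bob@example.com FAILURE",
    "2021-11-02T08:00:05Z 198.51.100.7 carol@example.com FAILURE",
    "2021-11-02T08:00:07Z 198.51.100.7 dave@example.com FAILURE",
    "2021-11-02T08:00:09Z 198.51.100.7 erin@example.com FAILURE",
    "2021-11-02T08:00:11Z 198.51.100.7 frank@example.com SUCCESS",
    "2021-11-02T08:01:00Z 203.0.113.20 grace@example.com FAILURE",
    "2021-11-02T08:01:10Z 203.0.113.20 grace@example.com FAILURE",
    "2021-11-02T08:01:20Z 203.0.113.20 grace@example.com SUCCESS",
]


def parse_event(line):
    """Parse '<ISO timestamp> <source IP> <account> <SUCCESS|FAILURE>' (assumed format)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result


def detect_password_spray(lines, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: {"accounts": n, "successes": [...]}} for every source IP whose
    failed logins touched at least `min_accounts` distinct accounts within `window`.
    Successful logins from a flagged IP are listed so those accounts can be reviewed."""
    events = sorted(parse_event(line) for line in lines)
    failures = defaultdict(list)   # ip -> [(timestamp, account)] of failed attempts
    successes = defaultdict(set)   # ip -> accounts that logged in successfully
    flagged = {}                   # ip -> peak number of distinct accounts in a window
    for ts, ip, user, result in events:
        if result == "SUCCESS":
            successes[ip].add(user)
            continue
        failures[ip].append((ts, user))
        # Distinct accounts this IP failed against inside the trailing window.
        recent = {u for t, u in failures[ip] if ts - t <= window}
        if len(recent) >= min_accounts:
            flagged[ip] = max(flagged.get(ip, 0), len(recent))
    return {ip: {"accounts": n, "successes": sorted(successes[ip])}
            for ip, n in flagged.items()}
```

A single user retrying a mistyped password is not flagged, because the rule counts distinct accounts per source rather than raw failures.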

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
