A joint cybersecurity advisory has been released because of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran.
FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.
The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, and ACSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.
“According to a joint advisory statement from the ACSC, NCSC, the FBI and CISA, Iranian government-sponsored actors are exploiting Microsoft Exchange ProxyShell vulnerability to gain access to Australian organizations, to consequently exfiltrate data, conduct ransomware attacks or more. While organizations are urged to protect themselves by installing security updates, patching alone is not a security strategy. By the time a vulnerability is discovered, and a patch is applied, the attacker is often gone – with an organization’s crown jewels. Instead, we need to invest in protection technologies that will _stop_ the attacks _before_ they happen. Our world, our livelihood is at stake.” said Robert Nobilo, ANZ Regional Director at Virsec.
This advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that FBI, CISA, ACSC, NCSC assess are likely associated with this Iranian government-sponsored APT activity. The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.
