US, UK, Australia Issue Alert on Iranian APT GroupsGovernment-Backed Threat Actors Exploiting Fortinet, Microsoft Exchange Flaws
Law enforcement and intelligence agencies in the U.S, U.K. and Australia have issued a joint advisory on unidentified Iran government-backed advanced persistent threat actors exploiting Fortinet and Microsoft Exchange ProxyShell vulnerabilities to attack organizations in their respective countries.
The advisory from the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the Australian Cyber Security Center, and the United Kingdom's National Cyber Security Center details tactics, techniques and indicators of compromise associated with the threat groups.
The APT actors, the advisory says, do not target specific sectors. Their victims range across U.S. critical infrastructure sectors, including transportation and healthcare, as well as Australian organizations, it says. They exploit known vulnerabilities and can also use the access for "follow-on operations, such as data exfiltration or encryption, ransomware and extortion," the alert says.
Attributing the attacks to a specific APT group is inherently challenging, says Xueyin Peh, senior cyber threat intelligence analyst at security firm Digital Shadows.
"Although the joint advisory did not pinpoint a particular Iran-backed threat group, the Iran-linked Fox Kitten APT group had already exploited the FortiOS vulnerability in the past. Iran-linked APT groups tend to target critical infrastructures such as companies operating in the IT, oil and gas, telecommunications, and defense sectors," he tells Information Security Media Group.
Based on previous attacks, cyber extortion using ransomware is seldom the goal with Iran-linked APT groups, Peh says. "Instead, they use these methods for destructive purposes such as causing embarrassment by either naming victims on data leak websites or wiping data, rather than for financial gains," he says.
The U.S, U.K. and Australia have jointly put out similar advisories in the past, according to Peh. "In July, they accused China of cyberattacks after Microsoft disclosed the exploitation of ProxyLogon vulnerabilities and attributed them to the China-linked Hafnium threat group. Joint statements from these three countries are not unexpected. They are already part of the Five Eyes intelligence alliance," Peh tells ISMG.
Five Eyes is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States.
"Further cooperation [among the three countries] is also likely enabled under the terms of their AUKUS strategic pact. The pact, which was forged in September 2021, includes sharing cyber capability and advanced technology, as well as collaboration on nuclear-powered submarines. Similar joint statements and attribution efforts in the future are very likely."
AUKUS is a a trilateral security pact between Australia, the United Kingdom and the United States, announced in September, in which the U.S. and U.K. agree to help Australia build nuclear-powered submarines.
Fortinet Vulnerabilities Exploited
The Iranian government-sponsored APT actors scanned devices on ports 4443, 8443 and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379 and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591, the alert says. The agencies believe that the APT groups likely exploited these flaws to gain access to vulnerable networks (see: FBI and CISA: APT Groups Targeting Government Agencies).
The alert also details a May 2021 incident in which the APT actors exploited a Fortigate appliance to access a web server hosting the domain for a U.S. municipal government. The group, it says, "likely created an account with the username elie to further enable malicious activity on the network."
In a June 2021 incident, the threat actors exploited a Fortigate appliance to access environmental control networks associated with a U.S-based child healthcare-focused hospital, the alert notes.
"The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20 - which FBI and CISA judge are associated with Iranian government cyber activity - to further enable malicious activity against the hospital’s network. The APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity," the joint advisory states.
The FBI advises users of vulnerable Fortinet products to immediately patch the flaws to prevent attacks (see: FBI: Attackers Continue to Exploit Unpatched Fortinet Flaws).
Microsoft Exchange Flaw Exploited
In October 2021, the APT actors introduced Microsoft into the mix. They leveraged Microsoft Exchange ProxyShell vulnerability CVE-2021-34473 to obtain initial access to systems and leverage them for follow-on operations.
These recent exploits capitalize on issues that have been known for months, says Scott Riley, director of Cloud Nexus, a Microsoft Gold Partner and Azure specialist cloud migration firm.
"The Exchange Powershell vulnerabilities CVE2021-34473 were identified in April and May of 2021, with patches available from July. The first version of Fortinet FortiOS that is not vulnerable to CVE2018-13379 has been available since May 2019," he tells ISMG.
"It isn't acceptable to operate IT systems that have not been patched for over six months, and it is irresponsible to run security appliances on code that is more than 2 years old and still believe that it’s protecting your business."
Tactics and Techniques
The APT groups tracked by the law enforcement agencies use tools such as Mimikatz for credential theft, WinPEAS for privilege escalation, SharpWMI to provide Windows Management Instrumentation functionality, WinRAR for archiving collected data, and FileZilla for transferring files, the advisory says.
After gaining initial access via the Microsoft Exchange server and Fortinet device flaws, the Iran-sponsored APT actors may have made modifications to the Microsoft program Task Scheduler, the advisory says. "These modifications may display as unrecognized scheduled tasks or actions. Specifically, the established tasks may be associated with this activity, which includes SynchronizeTimeZone, GoogleChangeManagement, MicrosoftOutLookUpdater, MicrosoftOutLookUpdateSchedule and Persistence," the advisory notes.
The advisory says that the APT groups may have established new user accounts on domain controllers, servers, workstations and active directories.
"Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization," the advisory says. Along with unrecognized user accounts or those that masquerade as preexisting accounts, the advisory says the usernames "support, help, elie, WADGUtilityAccount, exfiltration" have been associated with the activity.
The APT actors also have forced BitLocker activation on host networks to encrypt data, the advisory notes. "The corresponding threatening notes were either sent to the victim or left on the victim network as a .txt file," it says.
Ransom notes sent to victim organizations ask them to contact the threat actors on email IDs including sar_addr@protonmail[.]com, WeAreHere@secmail[.]pro, nosterrmann@mail[.]com and nosterrmann@protonmail[.]com, the advisory says.
A Tuesday note by the Microsoft Threat Intelligence Center details how the tools, techniques and procedures employed by malicious network operators based in Iran have evolved. Some notable trends identified among the nation-state operators include an increase in the use of ransomware to collect funds or disrupt targets; increased patience and persistence while engaging with targets and while conducting social engineering campaigns; and continued deployment of aggressive brute force attacks.
The law enforcement agencies recommend that organizations using Microsoft Exchange servers and Fortinet investigate potential suspicious activity in their networks to search for IOCs in network and host artifacts.
This includes investigating exposed Microsoft Exchange servers - both patched and unpatched - for compromise, and identifying changes in remote desktop protocol, firewall and Windows Remote Management configurations that may allow attackers to maintain persistent access, they say.
The agencies also advise organizations to review domain controllers, servers, workstations and active directories for new or unrecognized user accounts and Windows Task Scheduler for unrecognized scheduled tasks.
"Additionally, manually review operating system-defined or recognized scheduled tasks for unrecognized "actions" (for example, review the steps each scheduled task is expected to perform), review antivirus logs for indications they were unexpectedly turned off and look for WinRAR and FileZilla in unexpected locations," the agencies note.
The key to thwarting these attacks is to break the chain, says Christian Espinosa, managing director at cybersecurity firm Cerberus Sentinel. "The sooner you break the chain, the better. In this case, vulnerabilities in MS Exchange ProxyShell and Fortinet should need patching immediately," he tells ISMG.
"The bottom line is that 99% of attacks leverage a vulnerability or misconfiguration first, then use this initial foothold to amplify the attack. Patching and fixing misconfigurations is the primary difference between proactive cybersecurity and reactive, often incident response, cybersecurity," Espinosa says.
The agencies recommend the following risk mitigation steps:
- Immediately patch software affected by the vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.
- Regularly backup data and password protect those backup copies.
- Implement network segmentation and have an effective recovery plan to restore sensitive or proprietary data from a physically separate, segmented, secure location - such as a hard drive, a storage device or in the cloud.
- Disable unused remote access or remote desktop protocol ports, and monitor these tools.
- Audit user accounts with administrative privileges, and configure access controls with least privilege in mind.