US officials warn companies and organizations to protect themselves against Iran-based hackers who are targeting critical infrastructure with ransomware.
The US, Australian, and British governments have warned organizations about Iranian hackers who are targeting critical infrastructure with ransomware. The warning was issued on Wednesday in a joint advisory from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC).
The joint advisory further detailed that Iranian attackers have been exploiting the Microsoft Exchange ProxyShell vulnerabilities and Fortinet vulnerabilities since March to gain access to critical US infrastructure organizations. These vulnerabilities can be exploited to run mass-scale phishing and ransomware attacks. The ultimate aim is ransomware deployment, extortion, and data exfiltration.
In May 2021, hackers exploited Fortigate gear to access a server hosting the domain of a US municipal government. The next month, CISA observed hackers using Fortinet vulnerabilities to access servers of US hospitals and other healthcare institutions.
On October 30, 2021, an Iranian hacker group called ‘The Black Shadow’ attacked several Israeli organizations and websites, leaking data online. The group also claimed to have accessed the servers of Cyberverse, an Israeli internet company, resulting in a complete shutdown.
Microsoft’s Report on Iran-based Hackers
Microsoft also released a separate report explaining the evolution of Iranian cyber threats, saying they are “increasingly utilizing ransomware to either collect funds or disrupt their targets.” In the report, Microsoft said it has been tracking six Iran-based threat actors deploying ransomware attacks since September 2021.
Microsoft singled out one group called ‘Phosphorus’, also known as APT35. The company has been tracking this Iran-based hacker group for the past two years. Phosphorus was behind spear-phishing campaigns that also targeted presidential candidates during the 2020 US elections. The group targeted almost 100 high-profile politicians, ambassadors, and others during the US elections.
Microsoft also said that the group has been using social engineering tactics to build rapport with victims before using BitLocker to encrypt their files. Microsoft also identified another Iranian state-sponsored group called Helium, or APT33.
CISA and FBI’s Recommendations for Organizations
CISA and the FBI have warned organizations and urged them to take action to mitigate the threat posed by Iranian hackers. A few months earlier, the NSA and CISA also published security guidelines for securing servers against ransomware attacks.
Organizations are urged to back up all their data and keep copies offline. That way, if a company server is compromised, the data remains accessible. It is also advised to audit employee accounts, especially those with administrator access. All accounts should be protected with strong passwords and multi-factor authentication.