Iranian hackers are chasing critical US infrastructure

Organizations responsible for critical US infrastructure are in the crosshairs of Iranian government hackers who are exploiting known vulnerabilities in enterprise products from Microsoft and Fortinet, officials from the US, UK and Australian governments warned on Wednesday.

A joint advisory published on Wednesday said an advanced persistent threat (APT) group backed by the Iranian government is exploiting vulnerabilities in Microsoft Exchange and in FortiOS, the operating system underlying Fortinet's security products. Patches exist for every vulnerability identified, but not everyone who uses the products has installed the updates. The advisory was issued by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC) and the Australian Cyber Security Centre (ACSC).

A wide range of targets

“Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations,” the advisory said. “FBI, CISA, ACSC and NCSC assess [that] the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”

The advisory said the FBI and CISA have observed the group exploiting Fortinet vulnerabilities since at least March and Microsoft Exchange vulnerabilities since at least October to gain initial access to systems. The hackers then conduct follow-on operations that include deploying ransomware.

In May, the attackers targeted an unnamed US municipality, where they likely created an account with the username “elie” to dig further into the compromised network. A month later, a US hospital specializing in children's healthcare was attacked. That attack likely involved the Iran-associated servers 91.214.124[.]143, 162.55.137[.]20, and 154.16.192[.]70.

Last month, the APT actors exploited Microsoft Exchange vulnerabilities to gain initial access before carrying out follow-on operations. Australian authorities said they have also observed the group exploiting the Exchange flaws.

Watch for unfamiliar user accounts

The hackers have created new user accounts on domain controllers, servers, workstations, and in Active Directory. Some of the accounts appear to mimic existing legitimate accounts, so the usernames vary from one target organization to another. The advisory said network defenders should look for unrecognized accounts, paying particular attention to usernames such as Help, elie, and WADGUtilityAccount.

The advisory comes after Microsoft reported that an Iranian-aligned group it calls Phosphorus is increasingly using ransomware to generate revenue or to disrupt adversaries. The group uses brute-force attacks against its targets, Microsoft added.

Earlier this year, Microsoft said, Phosphorus scanned millions of IP addresses looking for FortiOS systems that had yet to install the fix for CVE-2018-13379. That bug, a path-traversal flaw in the FortiOS SSL VPN web portal, lets an unauthenticated attacker read files containing the plaintext credentials used to remotely access the servers. Phosphorus ended up collecting credentials from more than 900 Fortinet servers in the US, Europe and Israel.

More recently, Phosphorus switched to scanning for on-premises Exchange Servers vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, the constellation of bugs known as ProxyLogon (not ProxyShell, which is a separate set of Exchange flaws). Microsoft patched the ProxyLogon vulnerabilities in March.

“Once they identified vulnerable servers, Phosphorus sought to gain persistence on the target systems,” Microsoft said. “In some instances the actors downloaded a Plink runner named MicrosoftOutLookUpdater.exe. This file would beacon periodically to their C2 servers via SSH, allowing the actors to issue further commands. Later, the actors would download a custom implant via a Base64-encoded PowerShell command. This implant established persistence on the victim system by modifying startup registry keys and ultimately functioned as a loader to download additional tools.”

Identifying high-value targets

The Microsoft blog post also said that after gaining persistent access, the hackers triaged hundreds of victims to identify the most interesting targets for follow-on attacks. They then created local administrator accounts with the username “help” and the password “_AS_@1394”. In some cases, the attackers dumped LSASS memory to obtain credentials for later use.
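The indicators described in this article (the account names and IP addresses from the joint advisory, the Plink runner file name, the Base64-encoded PowerShell loader and the startup registry-key persistence in Microsoft's write-up, and the local “help” administrator account) lend themselves to a straightforward log hunt. The script below is an added example written for this page, not code from the advisory, the issuing agencies or Microsoft. It assumes Windows Security and Sysmon events have been exported as one JSON object per line with the field names shown (EventID, Computer, TargetUserName, Image, CommandLine, TargetObject, DestinationIp); the sample events are constructed for illustration.

```python
import base64
import json
import re

# Indicators taken from the article: account names from the joint advisory,
# the three IPs it associates with the Iranian actors, and the Plink runner
# file name from Microsoft's write-up. Matching is case-insensitive, so the
# local-admin "help" account and the advisory's "Help" share one entry.
SUSPICIOUS_USERNAMES = {"help", "elie", "wadgutilityaccount"}
SUSPICIOUS_IPS = {"91.214.124.143", "162.55.137.20", "154.16.192.70"}
SUSPICIOUS_FILES = {"microsoftoutlookupdater.exe"}

# Startup persistence: values written under ...\CurrentVersion\Run or RunOnce
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# powershell.exe -e / -ec / -enc / -EncodedCommand <base64>
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE)


def decode_encoded_powershell(cmdline):
    """Return the script hidden in an -EncodedCommand argument, or None.

    PowerShell Base64-encodes the UTF-16LE bytes of the script, so the
    payload has to be decoded as UTF-16LE rather than UTF-8.
    """
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def check_event(ev):
    """Return (rule, detail) pairs that fire for one event dictionary."""
    hits = []
    eid = ev.get("EventID")
    # Security 4720: a user account was created; TargetUserName is the new account
    if eid == 4720 and ev.get("TargetUserName", "").lower() in SUSPICIOUS_USERNAMES:
        hits.append(("account_created", ev["TargetUserName"]))
    # Security 4688 or Sysmon 1: process creation
    if eid in (4688, 1):
        image = ev.get("Image", "")
        if image.rsplit("\\", 1)[-1].lower() in SUSPICIOUS_FILES:
            hits.append(("plink_runner", image))
        decoded = decode_encoded_powershell(ev.get("CommandLine", ""))
        if decoded is not None:
            hits.append(("encoded_powershell", decoded))
    # Sysmon 13: registry value set
    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        hits.append(("run_key_persistence", ev["TargetObject"]))
    # Sysmon 3: network connection to a listed address
    if eid == 3 and ev.get("DestinationIp") in SUSPICIOUS_IPS:
        hits.append(("c2_ip", ev["DestinationIp"]))
    return hits


def hunt(lines):
    """Parse one JSON event per line and return (host, rule, detail) findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule, detail in check_event(ev):
            findings.append((ev.get("Computer", "?"), rule, detail))
    return findings


# Constructed sample export (not real telemetry). The encoded command is the
# UTF-16LE Base64 of "Get-Date"; hostnames and paths are made up.
SAMPLE_EVENTS = [
    r'{"EventID": 4720, "Computer": "DC01", "SubjectUserName": "svc_backup", "TargetUserName": "elie"}',
    r'{"EventID": 4720, "Computer": "DC01", "SubjectUserName": "hr.admin", "TargetUserName": "jdoe"}',
    r'{"EventID": 4720, "Computer": "WS17", "SubjectUserName": "Administrator", "TargetUserName": "help"}',
    r'{"EventID": 1, "Computer": "EXCH01", "Image": "C:\\Users\\Public\\MicrosoftOutLookUpdater.exe", '
    r'"CommandLine": "MicrosoftOutLookUpdater.exe -ssh -N operator@example.invalid"}',
    r'{"EventID": 1, "Computer": "EXCH01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", '
    r'"CommandLine": "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="}',
    r'{"EventID": 13, "Computer": "EXCH01", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookUpdater", '
    r'"Details": "C:\\Users\\Public\\MicrosoftOutLookUpdater.exe"}',
    r'{"EventID": 3, "Computer": "EXCH01", "DestinationIp": "162.55.137.20", "DestinationPort": 22}',
    r'{"EventID": 3, "Computer": "WS17", "DestinationIp": "10.0.0.5", "DestinationPort": 445}',
]


if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{host:8} {rule:20} {detail}")
```

The username and IP lists are only as good as the advisory's indicators; the encoded-PowerShell and Run-key rules are the more durable part of the hunt, since they catch the loader technique regardless of the file name or C2 address an operator chooses next time. On a real export, pipe the file's lines into `hunt()` and triage the `account_created` hits against your change tickets before anything else.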

Microsoft also said it has observed the group using BitLocker, Microsoft's own full-disk encryption feature, which is designed to protect data and prevent unauthorized software from running, to encrypt victims' systems.
