IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

US, UK agencies warn Iran-backed hackers are targeting critical sectors

The state-sponsored APT groups exploited Fortinet and Microsoft Exchange flaws to gain access to systems

US, UK, and Australian cyber authorities have warned that Iran-backed hackers are behind an ongoing ransomware campaign targeting critical infrastructure.

Iranian state-sponsored APT groups exploited four Fortinet and Microsoft Exchange flaws – CVE-2021-34473, 2020-12812, 2019-5591, and 2018-13379 – in order to carry out ransomware attacks, according to the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the UK’s National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC).

In a joint statement, the agencies said that the FBI and CISA had “observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and a Microsoft Exchange ProxyShell vulnerability since at least October 2021”.

Meanwhile, the ACSC found that the same APT group had exploited the same Microsoft Exchange vulnerability in Australia.

The flaws were used to gain access to the systems of critical infrastructure organisations, including those in the US transportation and healthcare sectors, in order to then exfiltrate or encrypt data for extortion.

However, the FBI, CISA, ACSC, and NCSC stated that the Iranian-backed threat actors are “focused on exploiting known vulnerabilities rather than targeting specific sectors”.

Related Resource

Multi-factor authentication deployment guide

A complete guide to selecting and deploying your MFA authentication guide

The whitepaper title on a strip of swirling blue and purple diagonal across the pageFree download

The cyber authorities have urged critical infrastructure organisations to patch and update their systems, implement network segmentation and multi-factor authentication, use strong passwords and antivirus software, and stay alert of phishing threats.

The guidance follows a separate report from the Microsoft Threat Intelligence Center (MSTIC) which found that Iranian state-backed hackers stole credentials by sending “interview requests” to target individuals through emails that contained tracking links to confirm whether the user had opened the file. If a victim responded, they then sent a link to a fake Google Meeting, which led to a credential harvesting page.

Microsoft managed to identify six cyber espionage groups in Iran that were found to be behind a spate of ransomware attacks occurring roughly every six weeks since September 2020.

The tech giant’s researchers said that Iranian state-backed hackers collected credentials from over 900 Fortinet VPN servers in the US, Europe, and Israel, then shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022
How do you become an ethical hacker?
ethical hacking

How do you become an ethical hacker?

29 Apr 2022
What is phishing?
phishing

What is phishing?

29 Apr 2022

Most Popular

Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Costa Rica declares state of emergency following Conti ransomware attack
ransomware

Costa Rica declares state of emergency following Conti ransomware attack

10 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022