Australian, American and British cyber agencies have warned of a campaign of “ongoing malicious cyber activity” by an Iranian advanced persistent threat (APT) group exploiting well-known vulnerabilities in Fortinet and Microsoft products to conduct ransomware attacks.
The government-sponsored group seems to attack somewhat indiscriminately and appears to be highly focused on exploiting a core set of known bugs, rather than targeting specific sectors, although it has been seen targeting victims in critical such as transport and healthcare.
The group’s activities seem to date back to March 2021, when the US’s FBI and the Cybersecurity and Infrastructure Security Agency (CISA) observed the group scanning for devices vulnerable to CVE-2018-13379, and enumerating devices for two other vulnerabilities, CVE-2020-12812 and CVE-2019-5591, all three of which are in the Fortinet FortiOS operating system.
Note that all three of the Fortinet bugs were the subject of a similar warning at the time, and the exploitation of CVE-2018-37779, a path traversal vulnerability, has also been linked to the Cring ransomware.
Two months later, the group was seen exploiting a vulnerable Fortigate appliance to target a local government authority in the US, and in June performed a similar attack to access environmental control networks belonging to a US-based children’s hospital.
According to the advisory, as of October, the group has turned its attention to a Microsoft Exchange ProxyShell vulnerability, CVE-2021-34473, which was the subject of a botched disclosure process in August.
After gaining access to its victims’ networks, its follow-on activities lead up include data exfiltration, encryption, and extortion using BitLocker, a legitimate full volume encryption feature that can be turned to malicious purposes such as ransomware.
Defenders should be alert to the use of various malicious and legitimate tools by the group, including the likes of Mimikatz for credential theft, WinPEAS for privilege escalation, WinRAR for archiving data, and FileZilla for file transfer.
The group has also been seen making modifications to the Task Scheduler that may display as unrecognised scheduled tasks or actions, and establishing new user accounts on domain controllers, servers, workstations and active directories, many of which may appear to the casual viewer to look similar to the victim’s legitimate accounts.
The full advisory, including specific indicators of compromise (IoCs) and mitigation advice, can be read here.
According to Microsoft threat researchers, there are several Iranian APT groups currently deploying ransomware, conducting a series of attacks in waves launched every six to eight weeks.
In research published alongside CyberWarCon, Microsoft detailed the activity of a group it tracks as Phosphorus, which is known to have been scanning widely for devices vulnerable to CVE-2018-13379 at about the same time as the FBI/CISA observed activity. It is also keen on using BitLocker for encryption and extortion activities.
The Phosphorus APT group is also distinctive for its social engineering tactics, conducting back and forth conversations with its intended targets that appear at first to be a benign approach from a recruiter, inviting the victims to test a tainted Google Meeting link, but becoming increasingly pestering and aggressive should the link not be clicked.