Advisory issued by FBI, CISA, ACSC and NCSC.

A joint cybersecurity advisory is the result of an analytic effort among the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) to highlight ongoing malicious cyber activity by an advanced persistent threat (APT) group that FBI, CISA, ACSC, and NCSC assess is associated with the government of Iran. FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.

The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, and ACSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.

This advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that FBI, CISA, ACSC, NCSC assess are likely associated with this Iranian government-sponsored APT activity. The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.

Threat Actor Activity

Since at least March 2021, the FBI and CISA have observed Iranian government-sponsored APT actors leverage Microsoft Exchange and Fortinet vulnerabilities to target a broad range of victims across multiple critical infrastructure sectors in furtherance of malicious activities. Observed activity includes the following.

• In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591. The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks. Note: for previous FBI and CISA reporting on this activity, refer to joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks.
• In May 2021, these Iranian government-sponsored APT actors exploited a Fortigate appliance to access a webserver hosting the domain for a U.S. municipal government. The actors likely created an account with the username elie to further enable malicious activity. Note: for previous FBI reporting on this activity, refer to FBI FLASH: APT Actors Exploiting Fortinet Vulnerabilities to Gain Initial Access for Malicious Activity.
• In June 2021, these APT actors exploited a Fortigate appliance to access environmental control networks associated with a U.S.-based hospital specializing in healthcare for children. The Iranian government-sponsored APT actors likely leveraged a server assigned to IP addresses 91.214.124[.]143 and 162.55.137[.]20 – which FBI and CISA judge are associated with Iranian government cyber activity—to further enable malicious activity against the hospital’s network. The APT actors accessed known user accounts at the hospital from IP address 154.16.192[.]70, which FBI and CISA judge is associated with government of Iran offensive cyber activity.
• As of October 2021, these APT actors have leveraged a Microsoft Exchange ProxyShell vulnerability—CVE-2021-34473—to gain initial access to systems in advance of follow-on operations.

ACSC considers that this APT group has also used the same Microsoft Exchange vulnerability (CVE-2021-34473) in Australia.

MITRE ATT&CK® Tactics and Techniques

Note: this advisory uses the MITRE ATT&CK for Enterprise framework, version 10. See Appendix B for a table of the MITRE ATT&CK tactics and techniques observed.

FBI, CISA, ACSC, and NCSC assess the following tactics and techniques are associated with this activity.

Resource Development [TA0042]

The APT actors have used the following malicious and legitimate tools [T1588.001, T1588.002] for a variety of tactics across the enterprise spectrum.

• Mimikatz for credential theft [TA0006]
• WinPEAS for privilege escalation [TA0004]
• SharpWMI (Windows Management Instrumentation)
• WinRAR for archiving collected data [TA0009, T1560.001]
• FileZilla for transferring files [TA0010]

Initial Access [TA0001]

The Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities affecting Microsoft Exchange servers (CVE-2021-34473) and Fortinet devices (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) [T1190].

Execution [TA0002]

The Iranian government-sponsored APT actors may have made modifications to the Task Scheduler [T1053.005]. These modifications may display as unrecognized scheduled tasks or actions. Specifically, the below established tasks may be associated with this activity:

• SynchronizeTimeZone
• GoogleChangeManagement
• MicrosoftOutLookUpdater
• MicrosoftOutLookUpdateSchedule

Persistence [TA0003]

The Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories [T1136.001, T1136.002]. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity:

• Support
• Help
• elie
• WADGUtilityAccount

Exfiltration [TA0010]

The FBI and CISA observed outbound File Transfer Protocol (FTP) transfers over port 443.

Impact [TA0040]

The APT actors forced BitLocker activation on host networks to encrypt data [T1486]. The corresponding threatening notes were either sent to the victim or left on the victim network as a .txt file. The ransom notes included ransom demands and the following contact information.

• sar_addr@protonmail[.]com
• WeAreHere@secmail[.]pro
• nosterrmann@mail[.]com
• nosterrmann@protonmail[.]com

Detection

The FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange servers and Fortinet investigate potential suspicious activity in their networks.

• Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. Note: refer to Appendix A in the downloadable PDF version of this advisory for a list of IOCs.
• Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise.
• Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access.
• Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
• Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system defined or recognized scheduled tasks for unrecognized “actions” (for example, review the steps each scheduled task is expected to perform).
• Review antivirus logs for indications they were unexpectedly turned off.
• Look for WinRAR and FileZilla in unexpected locations.

Note: for additional approaches on uncovering malicious cyber activity, see joint advisory Technical Approaches to Uncovering and Remediating Malicious Activity, authored by CISA and the cybersecurity authorities of Australia, Canada, New Zealand, and the United Kingdom.

Mitigations

The FBI, CISA, ACSC, and NCSC urge network defenders to apply the following mitigations to reduce the risk of compromise by this threat.

Patch and Update Systems

• Install updates/patch operating systems, software, and firmware as soon as updates/patches are released.
• Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591.

Evaluate and Update Blocklists and Allowlists

• Regularly evaluate and update blocklists and allowlists.
• If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s execution blocklist. Any attempts to install or run this program and its associated files should be prevented.

Implement and Enforce Backup and Restoration Policies and Procedures

• Regularly back up data, air gap, and password protect backup copies offline.
• Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).

Implement Network Segmentation

• Implement network segmentation to restrict adversary’s lateral movement.

Secure User Accounts

• Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties.
• Require administrator credentials to install software.

Implement Multi-Factor Authentication

• Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), and accounts that access critical systems.

Use Strong Passwords

• Require all accounts with password logins to have strong, unique passwords.

Secure and Monitor RDP and other Potentially Risky Services

• If you use RDP, restrict it to limit access to resources over internal networks.
• Disable unused remote access/RDP ports.
• Monitor remote access/RDP logs.

Use Antivirus Programs

• Install and regularly update antivirus and anti-malware software on all hosts.

Secure Remote Access

• Only use secure networks and avoid using public Wi-Fi networks.
• Consider installing and using a VPN for remote access.

Reduce Risk of Phishing

• Consider adding an email banner to emails received from outside your organization.
• Disable hyperlinks in received emails.

Tags: ACSCCISAFBIIranNCSC