Law enforcement and cyber agencies from the U.S., U.K., Australia and Canada are warning critical infrastructure owners and operators and other organizations of exploitations involving known vulnerabilities of Fortinet FortiOS and Microsoft Exchange against a variety of targets by Iran-sponsored operatives that have occurred since late last year.
In addition, the Iranian-backed hackers have also exploited VMware Horizon Log4j vulnerabilities for follow-on activity, including disk encryption and data extortion.
The agencies involved in the alert include:
- Federal Bureau of Investigation (FBI)
- Cybersecurity and Infrastructure Security Agency (CISA)
- National Security Agency (NSA), U.S. Cyber Command (USCC) - Cyber National Mission Force (CNMF)
- U.S. Department of the Treasury
- Australian Cyber Security Centre (ACSC)
- Canadian Centre for Cyber Security (CCCS)
- United Kingdom’s National Cyber Security Centre (NCSC)
Exploiting Known Vulnerabilities
The threat actors are targeting a broad range of entities, including Australian, Canadian, and United Kingdom organizations and are exploiting known vulnerabilities on unprotected networks rather than targeting specific targeted entities or sectors. Hackers targeting organizations in the U.K. are thought to be linked to the Yazd, Iran-based company Afkar System Yazd Company.
After gaining access to a network, the actors likely determine a course of action based on their perceived value of the data, the agencies said. The actors may sell the data or use the exfiltrated data in extortion operations or “double extortion” ransom operations, where the actor threatens to post the data on the open market if ransom demands are not met.
Iran government-linked hacking activity observed by the authoring agencies includes for incidents:
- In December 2021, the actors exploited ProxyShell vulnerabilities on a Microsoft Exchange server to gain access to the network of a U.S. police department.
- In December 2021, the actors exploited ProxyShell vulnerabilities on a Microsoft Exchange server to gain access to the network of a U.S. regional transportation company and disrupted the transportation company’s operations for an extended period.
- In February 2022, the actors exploited a Log4j vulnerability in a VMware Horizon application to gain access to the network of a U.S. municipal government.
- In February 2022, the actors may have exploited a Log4j vulnerability to gain access to the network of a U.S. aerospace company. The actors leveraged a server that the authoring agencies assess is associated with the IRGC-affiliated actors to exfiltrate data from the company's network.
Protecting Your Vulnerabilities
The agencies urge network defenders to prepare for and mitigate potential cyber threats immediately by implementing the following mitigations:
- Maintain offline (i.e., physically disconnected) backups of data, and regularly test backup and restoration. Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
- Activate BitLocker on all networks and securely back up BitLocker keys with Microsoft and with an independent offline backup.
- Create, maintain and exercise a basic cyber incident response plan that includes response procedures for a ransom incident.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
- U.S. federal, state, local, tribal and territorial (SLTT) government and critical infrastructure organizations: Implement free CISA Cyber Hygiene Services Vulnerability Scanning to enable continuous scans of public, static IPs for accessible services and vulnerabilities.
- Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. Regularly check software updates and end-of-life notifications.
- Consider leveraging a centralized patch management system to automate and expedite the process. Immediately patch software affected by vulnerabilities identified in this advisory: CVE-2021- 34473, CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, CVE-2021-34523, CVE-2021- 31207, CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2021-31196, CVE-2021- 31206, CVE-2021-33768, CVE-2021-33766, and CVE-2021-34470.
- Regularly evaluate and update blocklists and allowlists. If FortiOS is not used by your organization, add the key artifact files used by FortiOS to your organization’s execution blocklist. Prevent any attempts to install or run this program and its associated files.
- Implement network segmentation to restrict a malicious threat actor’s lateral movement.
- Audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties. Require administrator credentials to install software.
- Use multifactor authentication where possible, particularly for webmail, virtual private networks (VPNs), accounts that access critical systems, and privileged accounts that manage backups.
- Require all accounts with password logins to have strong, unique passwords.
- If you use RDP, restrict it to limit access to resources over internal networks. If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices.
- Disable unused remote access/RDP ports.
- Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts (to block brute force campaigns), and log RDP login attempts.
- Install and regularly update antivirus and anti-malware software on all hosts.
- Only use secure networks.
- Consider installing and using a VPN for remote access.
