Responsible organizations The most important U.S. infrastructure is in the ranks of Iran’s conspiracy theorists, who are taking advantage of the well-known threats to Microsoft and Fortinet businesses, U.S., UK, and Australian government officials warned Wednesday.
A connectivity technology published Wednesday said a security group affiliated with the Iranian government is exploiting the threats in Microsoft Exchange and Fortinet. FortiOS, which forms the basis for providing the security of the final company. All identified weaknesses has been patched, but not all users of the drug have posted the changes. The information was released by the FBI, the US Cybersecurity and Infrastructure Security Agency, the National Cyber Security Center of the UK, and the Australian Cyber Security Center.
Different Goals
“The APT Aided by the Iranian government is monitoring a number of victims in several parts of the US, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian agencies,” he said. “The FBI, CISA, ACSC, and NCSC monitor the players [that] they focus more on using known problems rather than on specific groups. APT aides supported by the Iranian government can use this opportunity to take action, such as data extraction or encryption, ransomware, and seizures. “
Pangiri said the FBI and CISA have seen the group exploit Fortinet threats since at least March with Microsoft Exchange Risks since October in order to find a way to get started. The spoilers then launch a series of activities that involve sending ransomware.
In May, the militants targeted unnamed U.S. municipalities, setting up an account with the name “elie” to upgrade a compromised network. One month later, he robbed a US hospital that operates a pediatric hospital. The last attack may have affected Iranian-connected servers on 91.214.124[.]143, 162.55.137[.]20, and 154.16.192[.]70.
Last month, APT players exploited the weaknesses of Microsoft Exchange which gave them the opportunity to get started before the system was implemented. Australian officials say they have also seen a group exploiting Exchange errors.
Beware of Unidentified User Accounts
Obera may have created new accounts for managing domains, servers, workplaces, and networks that have disrupted them. Some accounts seem to parallel existing accounts, so the login names are usually different from the group you want to go to. The agency said online security services should search for anonymous accounts that have a special interest in names such as Support, Help, elie, and WADGUtilityAccount.
The technology comes a day after Microsoft reports that an Iranian-affiliated group called Phosphorus is heavily using ransomware to make money or disrupt enemies. The group uses “cruelty” for purposes, Microsoft added.
Earlier this year, Microsoft said, Phosphorus analyzed millions of IP addresses in search of FortiOS machines that had not yet implemented the CVE-2018-13379 security updates. This problem enabled hackers to access sensitive information that could be used to access remote servers. Phosphorus completed the collection of information from over 900 Fortinet servers in the US, Europe, and Israel.
Recently, Phosphorus altered the analysis of high-risk areas of CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, a series of bugs called ProxyShell. . Microsoft corrected weaknesses in March.
“Once they identified the servers at risk, Phosphorus did its best to keep the machines going,” Microsoft said. “In some cases, actors downloaded Plink’s athlete MicrosoftOutLookUpdater.exe. The file appears periodically on their C2 servers via SSH, allowing the players to issue certain commands. Afterwards, the actors downloaded the default setting via the Base64-encoded PowerShell command. This installation set the tone for the tort machines by changing the initial registration keys and eventually acted as a trigger to download other devices. ”
Identifying Precious Goals
The Microsoft blog post also stated that, given the opportunity to persevere, hackers have tested hundreds of victims to find out what they really like about the results. Obera created local accounts with the username “help” and password “_AS_ @ 1394.” In some cases, actors lost LSASS in order to obtain licenses that would be used later.
Microsoft also claims that it has seen the company use Microsoft’s BitLocker full-disk encryption interface, which was designed to protect data and prevent malicious software from operating.