Security experts are warning administrators to be on the lookout following a recent surge in cyber attacks launched by Iranian-backed hacking groups.
The U.S. Cybersecurity and Infrastructure Security Agency said in an alert Wednesday that an advanced persistent threat (APT) crew believed to be sponsored by the Iranian government was using known vulnerabilities in both Microsoft Exchange and Fortinet to go after both government and private sector enterprise networks.
“The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the transportation sector and the Healthcare and public health sector, as well as Australian organizations,” CISA warned in the alert.
“FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.”
According to CISA, this particular group has been active since March, when they began targeting networks using exploits for Fortinet’s FortiOS. By October, the hackers had moved on to targeting the Exchange ProxyShell vulnerability.
Both sets of bugs have been patched, and CISA urged administrators to test and install the fixes as soon as possible in order to protect their networks from attack.
Microsoft reports IT providers also targeted
Meanwhile, Microsoft said in an advisory Thursday that its security teams have been logging an uptick in attacks from Iranian-backed APTs against companies that provide IT services.
The tech giant said that so far this year it has delivered upwards of 1,600 notifications of attacks from Iran-backed APTs to 40 IT service providers. By comparison, Microsoft delivered only 40 such advisories in all of last year.
The researchers believe the IT providers are being attacked in an effort to gain access to their clients in valuable markets and government sectors.
“This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain,” the advisory said. “Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks.”
In a separate report earlier this week, Microsoft noted that Iranian APT groups are also becoming more sophisticated in their techniques for infiltrating networks. Where the hackers used to rely solely on brute-force exploits to get at their targets, more subtle tactics, most notably social engineering, are now being employed.
This, Microsoft said, is an indication that the hacking crews are perhaps better-equipped and experienced than before.
“Microsoft Threat Intelligence Center has observed PHOSPHORUS threat actors employing social engineering to build rapport with their victims before targeting them,” the report said. “These operations likely required significant investment in the operator’s time and resources to refine and execute.”