FBI and CISA have observed an Iranian government-sponsored APT group that are exploiting vulnerabilities to gain access to systems. The APT group has exploited the same Microsoft Exchange vulnerability in Australia.
Background / What has happened?
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have observed an Iranian government-sponsored advanced persistent threat (APT) group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.
The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations. FBI, CISA, and ACSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion.
Mitigation / How do I stay secure?
The FBI, CISA, ACSC, and NCSC have published an advisory that provides observed tactics and techniques, as well as indicators of compromise (IOCs). The FBI, CISA, ACSC, and NCSC urge critical infrastructure organizations to apply the recommendations listed in the Mitigations section of the advisory to mitigate risk of compromise from Iranian government-sponsored cyber actors.
Assistance / Where can I go for help?
ACSC can provide tailored cyber security advice and assistance, reporting, and incident response support at via 1300 292 371 (1300 CYBER1).