[CDP-development] CISA, FBI, NSA, Treasury, Cyber Command, and International Partners Publish Cyber Advisory on Iranian Affiliated Actors Ransom Operations

Masse, Theresa theresa.masse at cisa.dhs.gov
Wed Sep 14 08:53:20 PDT 2022


FYSA



The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), U.S. Cyber Command - Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC) released a joint Cybersecurity Advisory<https://www.cisa.gov/uscert/ncas/current-activity/2022/09/14/iranian-islamic-revolutionary-guard-corps-affiliated-cyber-actors> (CSA) with technical details on cyber activity by advanced persistent threat (APT) actors assessed to be affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). This advisory is an update to our 2021 joint CSA on Iranian government-sponsored APT actors exploiting Microsoft Exchange and Fortinet vulnerabilities<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a>.



As recently as February 2022, these APT actors have been observed exploiting VMware Horizon® Log4j vulnerabilities for initial access. This is in addition to their exploitation of known Fortinet® and Microsoft Exchange® vulnerabilities that were reported in our 2021 CSA and in the FBI Liaison Alert System (FLASH) report APT Actors Exploiting Fortinet Vulnerabilities to Gain Access for Malicious Activity<https://www.ic3.gov/Media/News/2021/210527.pdf> from May 2021. Also, this CSA provides additional malicious and legitimate tools being used by these actors as well as additional indicators of compromise (IOCs) observed as recently as March 2022 that can help organizations detect this activity.



The agencies assess that multiple critical infrastructure sectors and organizations in the U.S., as well as in the United Kingdom, Australia, and Canada, are being actively targeted. The IRGC-affiliated APT actors have been observed scanning for and/or exploiting the known vulnerabilities on unprotected networks rather than specific entities or sectors. After gaining access to a network, the APT actors likely determine a course of action based on their perceived value of the data, which could lead them to encrypting data for ransom and/or exfiltrating data.



In addition to enforcing multifactor authentication, making offline backups of your data, securing remote desktop protocol (RDP), and other recommended mitigations, the agencies encourage organizations to immediately patch software affected by vulnerabilities identified in the latest advisory. Those specific common vulnerabilities and exposures (CVE) to patch are:



Microsoft Exchange ProxyShell: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207

VMware Horizon / Log4j: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105

Fortinet FortiOS: CVE-2018-13379, CVE-2020-12812, CVE-2019-5591

Microsoft Exchange: CVE-2021-31196, CVE-2021-31206, CVE-2021-33768, CVE-2021-33766, CVE-2021-34470



Also, organizations are recommended to validate or test their existing security controls to assess how they perform against the adversarial behavior (i.e., MITRE ATT&CK techniques) described in this advisory.



In this new CSA<https://www.cisa.gov/uscert/ncas/alerts/a22-257a>, the Iranian APT exploit activity reported in our 2021 CSA<https://www.cisa.gov/uscert/ncas/alerts/aa21-321a> is now assessed to be by APT actors affiliated with the IRGC, an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats.



All organizations are encouraged to review the CSA for complete details on this ongoing threat and recommended mitigations. Organizations are reminded that in September 2021 Treasury issued an advisory<https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf> highlighting the sanctions risk associated with ransomware payments and providing steps that companies can take to mitigate the risk of becoming a victim of ransomware.


Theresa A. Masse
Cyber Security Advisor, Region 10 (Oregon)
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
Phone: (503) 930-5671
Email: theresa.masse at cisa.dhs.gov<mailto:theresa.masse at cisa.dhs.gov>


