According to the advisory, the evidence gathered so far shows that Iranian government-sponsored attackers have been exploiting Fortinet vulnerabilities since at least March, and the Microsoft Exchange ProxyShell vulnerability since October, to gain initial access to organizations in the US transportation and public health critical infrastructure sectors, as well as organizations in Australia. The attackers' ultimate goal is to use that access for follow-on operations such as data exfiltration, extortion, and ransomware deployment.
For example, in May of this year the attackers abused a FortiGate appliance to access a web server hosting the domain for a US municipal government. The following month, CISA and the FBI observed the attackers exploiting Fortinet vulnerabilities to access the network of a US hospital specializing in healthcare for children.
The joint advisory was released alongside a separate Microsoft report on the evolution of several Iranian APT (advanced persistent threat) groups, which are increasingly using ransomware either to raise funds or to disrupt their targets. In the report, Microsoft said it has been tracking six Iranian threat groups that have deployed ransomware and exfiltrated data in attacks beginning in September 2020.
Microsoft singled out one particularly "aggressive" group, which it tracks as Phosphorus and which is also known as APT35. The company has been following the group for the past two years. Whereas it previously relied on spear-phishing emails to lure victims, including presidential candidates during the 2020 U.S. election, Microsoft said the group now uses social engineering to build rapport with a victim before encrypting their files with BitLocker, the full-disk encryption feature built into Windows.