US warns you to watch out for Iranian government-backed ransomware

Vulnerabilities that Microsoft and Fortinet patched long ago are being widely exploited, US, British and Australian officials warned on Wednesday.

The joint advisory released Wednesday says that an advanced persistent threat hacking group aligned with the Iranian government is exploiting vulnerabilities in Microsoft Exchange and in Fortinet's FortiOS, the operating system at the core of the company's security offerings. All of the vulnerabilities identified have been fixed, but not all users of the products have installed the updates. The advisory was issued by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), the UK National Cyber Security Centre (NCSC) and the Australian Cyber Security Centre (ACSC).

Wide Range of Targets

The advisory states that Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the transportation sector and the healthcare and public health sector, as well as Australian organizations. The FBI, CISA, ACSC and NCSC assess that the actors focus on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-backed APT actors can use this access for follow-on operations such as data exfiltration or encryption, ransomware, and extortion. They have exploited Fortinet vulnerabilities since at least March and Microsoft Exchange vulnerabilities since at least October to gain initial access to systems, then launch follow-on operations that include deploying ransomware.

In May, the attackers targeted an unnamed US municipality, where they likely created an account with the username "elie" to burrow further into the compromised network. A month later, they hacked into a US hospital specializing in children's healthcare. The latter attack likely involved Iran-linked servers at 91.214.124[.]143, 162.55.137[.]20 and 154.16.192[.]70.

Since at least October, the group has also exploited Microsoft Exchange vulnerabilities that give it initial access to systems ahead of follow-on operations. Australian officials said they had likewise observed the group exploiting an Exchange vulnerability.

Beware of unrecognized accounts

The hackers may create new accounts on the domain controllers, servers, workstations and Active Directory of the networks they have compromised. Some accounts appear to mimic existing accounts, so the usernames often differ from one target organization to the next. The advisory says network defenders should look for unrecognized accounts, paying particular attention to usernames such as Support, Help, elie and WADGUtilityAccount.
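As an added illustration of that guidance (this code is not part of the advisory or the article), the following Python flags account-creation events whose usernames appear on the advisory's list or differ by a single character from an existing account. The event lines, host names and account names are constructed for the example; Windows Security event ID 4720 is the real "a user account was created" event, but the line layout here is a simplified stand-in, not the native event format.

```python
import re

# Usernames the joint advisory calls out (taken from the article above).
WATCHLIST = {"support", "help", "elie", "wadgutilityaccount"}

# Constructed sample events in the spirit of Windows Security event 4720
# ("A user account was created"). Timestamps, hosts and names are made up.
SAMPLE_EVENTS = """\
4720 2021-05-12T03:14:07Z DC01 NewAccount=elie Creator=admin
4720 2021-05-12T03:20:44Z DC01 NewAccount=svc-backup Creator=admin
4720 2021-06-03T22:51:10Z SRV-WEB NewAccount=j.smlth Creator=websvc
4720 2021-06-04T01:02:33Z DC01 NewAccount=WADGUtilityAccount Creator=SYSTEM
4720 2021-06-04T01:05:19Z DC01 NewAccount=helpdesk2 Creator=admin
"""

# Legitimate accounts that already existed in this constructed environment.
KNOWN_ACCOUNTS = {"admin", "j.smith", "websvc", "helpdesk"}

EVENT_RE = re.compile(r"^4720 (\S+) (\S+) NewAccount=(\S+) Creator=(\S+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_accounts(events: str, known=KNOWN_ACCOUNTS, watchlist=WATCHLIST, max_dist=1):
    """Return one finding per account-creation event that deserves triage."""
    findings = []
    for line in events.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # not a 4720 event in the shape this example expects
        _when, host, name, _creator = m.groups()
        lname = name.lower()
        if lname in watchlist:
            findings.append({"name": name, "host": host, "reason": "watchlist"})
            continue
        # A new name within max_dist edits of an existing account may be mimicry.
        for k in known:
            if 0 < levenshtein(lname, k.lower()) <= max_dist:
                findings.append({"name": name, "host": host, "reason": f"mimics {k}"})
                break
    return findings


if __name__ == "__main__":
    for f in flag_accounts(SAMPLE_EVENTS):
        print(f"{f['host']}: account {f['name']} ({f['reason']})")
```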

The advisory comes a day after Microsoft said that an Iran-aligned group it tracks as Phosphorus is increasingly using ransomware to generate revenue or to disrupt adversaries. Microsoft added that the group was using aggressive brute-force attacks against targets and had been exploiting CVE-2018-13379, a flaw that lets attackers harvest plaintext credentials used to access the servers remotely. Phosphorus has harvested credentials from more than 900 Fortinet servers in the US, Europe and Israel.

More recently, Phosphorus has switched to scanning for on-premises Exchange servers vulnerable to CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, a set of flaws collectively called ProxyShell. Microsoft fixed the vulnerabilities in March. "Once they identified vulnerable servers, Phosphorus sought to gain persistence on the target systems," Microsoft said. In some cases, the actors downloaded a Plink runner named MicrosoftOutLookUpdater.exe. This file beaconed periodically to their C2 servers over SSH, allowing the actors to issue further commands. Later, the actors downloaded a custom implant via a Base64-encoded PowerShell command. The implant established persistence on the victim's system by modifying startup registry keys and ultimately functioned as a loader for fetching additional tools.
