Transnational cybersecurity advisory warns of Iranian IRGC-affiliated hackers exploiting vulnerabilities

A global cybersecurity advisory (CSA) has been issued that highlights continued malicious cyber activity by advanced persistent threat (APT) hackers affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). The advisory reveals these IRGC-affiliated cyber attackers continue to exploit known vulnerabilities on unprotected networks to extort and ransom victims, including U.S. critical infrastructure organizations.

“This advisory updates joint CSA Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, which provides information on these Iranian government-sponsored APT actors exploiting known Fortinet and Microsoft Exchange vulnerabilities to gain initial access to a broad range of targeted entities in furtherance of malicious activities, including ransom operations,” the agencies wrote in the CSA released on Wednesday.

The advisory has been authored by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S. Cyber Command (USCC) – Cyber National Mission Force (CNMF), the Department of the Treasury (Treasury), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), and the United Kingdom’s National Cyber Security Centre (NCSC). 

The NSA and its partners recommend that organizations, especially those with ties to critical infrastructure networks, use the guidance to mitigate risk of compromise. A patch has been released for each vulnerability identified in the advisory and the most effective mitigation is to patch and update operating systems, software and firmware, the agency added.

Apart from exploiting Fortinet and Microsoft Exchange vulnerabilities, the global agencies have observed these APT hackers exploiting VMware Horizon Log4j vulnerabilities CVE-2021-44228 (Log4Shell), CVE-2021-45046, and CVE-2021-45105 for initial access. Last month, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team said that Iran-based threat group Mercury has been exploiting Log4j 2 vulnerabilities in SysAid applications across Israeli organizations.

The CSA came on the same day as the announcement by the Department of Justice that three Iranian nationals were charged with engaging in computer intrusions and ransomware-style extortion against U.S. critical infrastructure providers.

The global agencies assess that the hackers are exploiting known vulnerabilities on unprotected networks rather than targeting specific entities or sectors. The advisory provides observed tactics, techniques and indicators of compromise (IOCs) that the global agencies assess are likely associated with the IRGC-affiliated APT. Additionally, the agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of the advisory to mitigate the risk of compromise from these IRGC-affiliated hackers.

The advisory evaluated that the IRGC-affiliated hackers have used malicious and legitimate tools for a variety of tactics across the enterprise spectrum. These tools include Fast Reverse Proxy (FRP) for command and control (C2), plink for C2, remote desktop protocol (RDP) for lateral movement, BitLocker for data encryption, and SoftPerfect Network Scanner for system network configuration discovery.
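The tool list above maps cleanly onto detection logic: each tool is tied to a tactic, and the ransom cases described in the advisory chain a C2 tunnel with BitLocker enablement on the same host. The following is an added example (not code from the advisory or the authoring agencies) that runs such rules over constructed process-creation events. The binary names (frpc/frps, plink, mstsc, manage-bde, netscan), the command-line patterns, the event layout and the sample hostnames and addresses are all assumptions made for this example; the advisory itself does not list them.

```python
import re
from dataclasses import dataclass

# Tool-to-tactic mapping taken from the advisory: FRP and plink for C2, RDP for
# lateral movement, BitLocker for encryption, SoftPerfect Network Scanner for
# discovery. The image names and command-line regexes are ASSUMPTIONS for this
# example, not indicators published by the advisory.
RULES = [
    # (rule name, tactic, image regex, command-line regex or None)
    ("frp_client", "command-and-control", r"(^|[\\/])frp[cs](\.exe)?$", None),
    # plink used with -R sets up a reverse tunnel; plain plink use is ignored
    ("plink_reverse_tunnel", "command-and-control", r"(^|[\\/])plink(\.exe)?$", r"(^|\s)-R\s"),
    # mstsc alone is noisy; it only matters in combination with the other rules
    ("rdp_client", "lateral-movement", r"(^|[\\/])mstsc(\.exe)?$", None),
    # manage-bde -on turns BitLocker on; status queries are not flagged
    ("bitlocker_enable", "impact-encryption", r"(^|[\\/])manage-bde(\.exe)?$", r"(?i)\s-on\s"),
    ("softperfect_netscan", "discovery", r"(^|[\\/])netscan(\.exe)?$", None),
]


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    tactic: str
    host: str


# Constructed sample events (Sysmon-style process creation, simplified).
# Hostnames and the 203.0.113.0/24 address are documentation values, not real IoCs.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 2, "host": "WS01", "image": r"C:\Users\Public\frpc.exe", "cmdline": "frpc.exe -c frpc.ini"},
    {"id": 3, "host": "SRV02", "image": r"C:\Temp\plink.exe", "cmdline": "plink.exe -R 3389:127.0.0.1:3389 user@203.0.113.10"},
    {"id": 4, "host": "SRV02", "image": r"C:\Windows\System32\manage-bde.exe", "cmdline": "manage-bde -on D: -RecoveryPassword"},
    {"id": 5, "host": "SRV03", "image": r"C:\Windows\System32\mstsc.exe", "cmdline": "mstsc /v:SRV02"},
    {"id": 6, "host": "SRV03", "image": r"C:\Windows\System32\manage-bde.exe", "cmdline": "manage-bde -status"},
    {"id": 7, "host": "WS04", "image": r"C:\Tools\netscan.exe", "cmdline": "netscan.exe /range:10.0.0.1-10.0.0.254"},
]


def match_rule(event, rule):
    """Return a Finding if the event's image (and command line, when the rule
    has one) matches the rule, otherwise None."""
    name, tactic, image_re, cmd_re = rule
    if not re.search(image_re, event["image"], re.IGNORECASE):
        return None
    if cmd_re and not re.search(cmd_re, event["cmdline"]):
        return None
    return Finding(event["id"], name, tactic, event["host"])


def detect(events):
    """Run every rule over every event; findings keep event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            found = match_rule(ev, rule)
            if found:
                findings.append(found)
    return findings


def hosts_at_ransom_risk(findings):
    """Hosts where C2 tooling and BitLocker enablement both appear: the
    tunnel-then-encrypt pattern the advisory describes for the ransom cases."""
    tactics_by_host = {}
    for f in findings:
        tactics_by_host.setdefault(f.host, set()).add(f.tactic)
    return sorted(
        host for host, tactics in tactics_by_host.items()
        if "command-and-control" in tactics and "impact-encryption" in tactics
    )


if __name__ == "__main__":
    results = detect(SAMPLE_EVENTS)
    for f in results:
        print(f"event {f.event_id} on {f.host}: {f.rule} ({f.tactic})")
    print("hosts with C2 + encryption chain:", hosts_at_ransom_risk(results))
```

Single-tool hits (especially RDP) are low-confidence on their own; the per-host correlation in `hosts_at_ransom_risk` is where the advisory's description of the ransom cases turns into a high-priority alert. On real telemetry the image regexes would need renamed-binary coverage (hash or PE metadata), which this example omits.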

The IRGC is an Iranian Government agency tasked with defending the Iranian Regime from perceived internal and external threats. These hackers have actively targeted various entities, including multiple U.S. critical infrastructure sectors, as well as Australian, Canadian, and U.K. organizations. 

“These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran,” the advisory stated.

The global agencies “observed Iranian government-sponsored APT actors scanning for and/or exploiting the following known Fortinet FortiOS and Microsoft Exchange server vulnerabilities since early 2021 to gain initial access to a broad range of targeted entities: CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, and CVE-2021-34473 (a ProxyShell vulnerability),” the advisory said. Furthermore, they have also observed these APT actors leveraging CVE-2021-34473 against U.S. networks in combination with ProxyShell vulnerabilities CVE-2021-34523 and CVE-2021-31207. 

The advisory revealed that in February this year, the IRGC-affiliated hackers exploited a Log4j vulnerability in a VMware Horizon application to gain access to the network of a U.S. municipal government, move laterally within the network, establish persistent access, initiate crypto-mining operations, and conduct additional malicious activity. 

Around the same time, the hackers may have exploited a Log4j vulnerability to gain access to the network of a U.S. aerospace company, the advisory said. “The actors leveraged a server that the authoring agencies assess is associated with the IRGC-affiliated actors to exfiltrate data from the company’s network,” it added. 

Last December, “the actors exploited ProxyShell vulnerabilities (likely CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) on a Microsoft Exchange server to gain access to the network of a U.S. police department,” the advisory disclosed. The hackers used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom, it added.

Also in December, the IRGC-affiliated hackers exploited ProxyShell vulnerabilities on a Microsoft Exchange server to gain access to the network of a U.S. regional transportation company. “The actors used their access to move laterally within the network, encrypt network devices with BitLocker, and hold the decryption keys for ransom. This activity disrupted the transportation company’s operations for an extended period,” the advisory added.

The NCSC judges that the Yazd, Iran-based Afkar System Yazd Company is actively targeting U.K. organizations, the advisory said. Additionally, the ACSC judges that these APT actors have used CVE-2021-34473 in Australia to gain access to systems. The APT hackers can leverage that access for further malicious activities, including deployment of tools to support ransom and extortion operations, and data exfiltration, it added.

Since the activity was reported in 2021, these IRGC-affiliated actors have continued to exploit known vulnerabilities for initial access, the advisory said. These hackers have used their access for ransom operations, including disk encryption and extortion efforts. After gaining access to a network, the IRGC-affiliated actors likely determine a course of action based on their perceived value of the data. 

The advisory said that depending on the perceived value, the hackers may encrypt data for ransom and/or exfiltrate data. Furthermore, the hackers may sell the data or use the exfiltrated data in extortion operations or ‘double extortion’ ransom operations where a threat actor uses a combination of encryption and data theft to pressure targeted entities to pay ransom demands. 

The global agencies call upon network defenders, including critical infrastructure owners and operators, to prepare for and mitigate potential cyber threats immediately. They must keep systems and software updated and prioritize remediating known exploited vulnerabilities, enforce multi-factor authentication (MFA), and make offline backups of data. Additionally, organizations can implement network segmentation to restrict a malicious threat actor’s lateral movement. 

The advisory also called upon organizations to audit user accounts with administrative privileges and configure access controls under the principles of least privilege and separation of duties. It also recommends requiring administrator credentials to install software. 

In addition to applying mitigations, the global agencies also recommend exercising, testing, and validating an organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. “The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory,” it added.

Commenting on the CSA, Satnam Narang, senior staff research engineer at Tenable, said in an emailed statement that the alert serves as a direct reminder that threat actors of all types, from average cybercriminals to government-sponsored APT groups, continue to exploit legacy vulnerabilities in order to gain access into organizations despite the availability of patches for months or years.

“This underscores the need for organisations to be more diligent about identifying vulnerable assets within their networks and applying available patches in a timely manner,” Narang said. “For organisations that have yet to apply the patches for these vulnerabilities, the advisory also provides a list of indicators of compromise that can be used to help in incident response activities to determine potential impact,” he added.

Last week, the U.S. and U.K. governments condemned the Iranian state for a series of cyber attacks on government infrastructure in Albania that destroyed data and disrupted essential government services. The attacks were executed by Iranian state-linked hackers, who affected essential government services, including paying utilities, booking medical appointments, and enrolling schoolchildren, causing a significant impact on online public services and other government websites.