CISA: Iranian Government-Sponsored Threat Actors Targeting Healthcare

November 17, 2021 - US cyber officials along with allies from Australia and the UK issued an advisory warning the healthcare and transportation sectors about an Iranian government-sponsored advanced persistent threat (APT) group that has been exploiting Microsoft Exchange ProxyShell and Fortinet vulnerabilities.

The FBI, along with the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) have observed the APT group exploiting Fortinet vulnerabilities since at least March 2021 and Microsoft Exchange vulnerabilities since at least October 2021.

The threat actors are known to focus on exploiting known vulnerabilities and subsequently leverage the access for data exfiltration or encryption, ransomware, and extortion.

“In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591,” the advisory stated.

“The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks.”

In May, the same actors exploited a Fortigate appliance to access a webserver that hosted the domain for a US municipal government. The actors likely created an account with the username “elie” to further their malicious activity.

In June, the APT actors once again exploited a Fortigate appliance to access the environmental control networks of an unnamed US-based children’s hospital. CISA and the FBI said that the group accessed known user accounts at the hospital from an IP address that the agencies associate with the Iranian government.

In October 2021, the FBI and CISA observed the actors exploiting a Microsoft Exchange ProxyShell vulnerability. It is likely that the APT group also used this vulnerability to orchestrate attacks on Australian entities.

The FBI, CISA, ACSC, and NCSC recommend that organizations using Microsoft Exchange or Fortinet stay cautious and look for the following signs of suspicious activity:

• Search for IOCs. Collect known-bad IOCs and search for them in network and host artifacts. 
• Investigate exposed Microsoft Exchange servers (both patched and unpatched) for compromise. 
• Investigate changes to Remote Desktop Protocol (RDP), firewall, and Windows Remote Management (WinRM) configurations that may allow attackers to maintain persistent access. 
• Review domain controllers, servers, workstations, and active directories for new or unrecognized user accounts.
• Review Task Scheduler for unrecognized scheduled tasks. Additionally, manually review operating-system defined or recognized scheduled tasks for unrecognized “actions” (for example, review the steps each scheduled task is expected to perform).
• Review antivirus logs for indications they were unexpectedly turned off.
• Look for WinRAR and FileZilla in unexpected locations. 

To mitigate risk, the FBI, CISA, NCSC, and ACSC urged organizations to patch and update operating systems, evaluate and update blocklists and allowlists, and implement backup and restoration policies. In addition, organizations should implement network segmentation, work to secure all user accounts, implement multi-factor authentication, secure remote access, and use strong passwords.

For more information, see CISA's assessment and overview of the ongoing Iranian cyber threat.