Iranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault
- Actor Motivations: Espionage, Exfiltration, Extortion, Financial Gain
- Attack Vectors: Vulnerability Exploitation, Backdoor, Ransomware
- Attack Complexity: High
- Threat Risk: High Impact/Low Probability
Threat Overview
Since at least March 2021, Iranian government-sponsored APT actors have exploited known vulnerabilities in Microsoft Exchange servers and Fortinet devices to gain initial access. Targeting has been opportunistic rather than sector-driven: the actors went after reachable, unpatched systems, which in practice included US critical infrastructure organizations (Transportation, and Healthcare and Public Health) as well as organizations in Australia. Once inside, the access was used for ransomware deployment, data exfiltration, and extortion. Observed follow-on tradecraft includes creating new user accounts and creating or modifying scheduled tasks through Task Scheduler. Because exposure, not sector, drives victim selection, the patch status of internet-facing Exchange and Fortinet devices is the primary control, and account-creation and scheduled-task events on those hosts are the post-exploitation signals worth watching.
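The two host-level behaviours named above (new user accounts, scheduled-task changes) can be correlated from the Windows Security log. The script below is an added example, not code from the original page or from the advisory it summarizes. It assumes the Security log has been exported to records with the field names shown (EventID, TimeCreated, Computer, SubjectUserName, TargetUserName, TaskName), that auditing for account management (event 4720) and scheduled-task creation/modification (events 4698/4702) is enabled, and a 24-hour correlation window; the event records themselves are constructed samples, not real telemetry.

```python
"""Correlate account creation (Security event 4720) with a scheduled task
created or updated (events 4698 / 4702) on the same host within a window.
Added example; assumes exported event records with the fields used below."""
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720
TASK_EVENTS = {4698, 4702}  # 4698: task created, 4702: task updated

# Constructed sample records (not real telemetry). Field names follow the
# Windows event XML: TargetUserName is the account a 4720 created, TaskName
# is the task a 4698/4702 touched, SubjectUserName is who did it.
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2021-03-05T02:11:09", "Computer": "EXCH01",
     "SubjectUserName": "EXCH01$", "TargetUserName": "svc_backup"},
    {"EventID": 4698, "TimeCreated": "2021-03-05T02:14:43", "Computer": "EXCH01",
     "SubjectUserName": "svc_backup", "TaskName": "\\Microsoft\\Windows\\Update\\Sync"},
    {"EventID": 4698, "TimeCreated": "2021-03-05T09:00:00", "Computer": "WS07",
     "SubjectUserName": "alice", "TaskName": "\\Backup\\Nightly"},
    {"EventID": 4720, "TimeCreated": "2021-03-06T10:00:00", "Computer": "DC01",
     "SubjectUserName": "hr.admin", "TargetUserName": "jsmith"},
    {"EventID": 4702, "TimeCreated": "2021-03-08T10:00:00", "Computer": "DC01",
     "SubjectUserName": "jsmith", "TaskName": "\\Maint\\Cleanup"},
]


def _when(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def correlate(events, window=timedelta(hours=24)):
    """Return one alert per task event that follows a 4720 on the same host
    within `window`. `by_new_account` is True when the task was created by
    the account the 4720 introduced, which is the tightest link."""
    alerts = []
    new_accounts = []  # (created_at, host, account) from 4720 events seen so far
    for ev in sorted(events, key=_when):
        if ev["EventID"] == ACCOUNT_CREATED:
            new_accounts.append((_when(ev), ev["Computer"], ev["TargetUserName"].lower()))
        elif ev["EventID"] in TASK_EVENTS:
            t = _when(ev)
            for created_at, host, account in new_accounts:
                if host == ev["Computer"] and timedelta(0) <= t - created_at <= window:
                    alerts.append({
                        "host": host,
                        "new_account": account,
                        "task": ev["TaskName"],
                        "by_new_account": ev["SubjectUserName"].lower() == account,
                        "minutes_after": round((t - created_at).total_seconds() / 60, 1),
                    })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the sample data only the EXCH01 pair fires: the DC01 task arrives two days after the account and falls outside the default window, and the WS07 task has no preceding account creation. Widen the window (the DC01 case then also fires) or drop the same-host requirement if the environment creates domain accounts on a controller and tasks elsewhere; the trade-off is more benign administrative pairs to triage.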
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | Logistics | Verified |
Sector | Healthcare | Verified |
Region | Australia | Verified |
Region | United States | Verified |
Extracted IOCs
- nosterrmann@mail[.]com
- nosterrmann@protonmail[.]com
- sar_addr@protonmail[.]com
- wearehere@secmail[.]pro
- 1444884faed804667d8c2bfa0d63ab13
- 1a44368eb5bf68688ba4b4357bdc874f
- 26f330dadcdd717ef575aa5bfcdbe76a
- 91802a615b3a5c4bcc05bc5f66a5b219
- 93a138801d9601e4c36e6274c8b9d111
- aa40c49e309959fa04b7e5ac111bb770
- af2d86042602cbbdcc7f1e8efa6423f9
- b90f05b5e705e0b0cb47f51b985f84db
- e64064f76e59dea46a0768993697ef2f
- 5bd0690247dc1e446916800af169270f100d089b
- 95e045446efb8c9983ebfd85e39b4be5d92c7a2a
- c4160aa55d092cf916a98f3b3ee8b940f2755053
- cdcd97f946b78831a9b88b0a5cd785288dc603c1
- f1d90e10e6e3654654e0a677763c9767c913f8f0
- fa36febfd5a5ca0b3a1b19005b952683a7188a13
- 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa
- 3a08d0cb0ff4d95ed0896f22f4da8755525c243c457ba6273e08453e0e3ac4c4
- 40ed1568fef4c5f9d03c370b2b9b06a3d0bd32caca1850f509223b3cee2225ea
- 4c691ccd811b868d1934b4b8e9ed6d5db85ef35504f85d860e8fd84c547ebf1d
- 5c818fe43f05f4773ad20e0862280b0d5c66611bb12459a08442f55f148400a6
- c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624
- d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a
- ed463da90504f3adb43ab82044cddab8922ba029511da9ad5a52b8c20bda65ee
- 6451077b99c5f8ecc5c0ca88fe272156296beb91218b39ae28a086dba5e7e39813f044f9af0fedbb260941b1cd52fa237c098cbf4b2a822f08e3e98e934d0ecf
- 6473dac67b75194deeaef37103bba17936f6c16ffcd2a7345a5a46756996fad748a97f36f8fd4be4e1f264ece313773cc5596099d68e71344d8135f50e5d8971
- 70aa89449eb5da1d84b70d114ef9d24cb74751ce12d12c783251e51775c89fdce61b4265b43b1d613114d6a85e9c75927b706f39c576dbb036079c7e8caf28b2
- e55a86159f2e869dcdb64fdc730da893718e20d65a04071770bd32cae75ff8c34704bdf9f72ef055a3b362759ede3682b3883c4d9bcf87013076638664e8078e
- 154[.]16.192.70
- 162[.]55.137.20
- 91[.]214.124.143
Summary: 34 IOCs are associated with this threat (3 IP addresses, 0 domains, 0 URLs, 4 email addresses, 27 file hashes: 9 MD5, 6 SHA-1, 8 SHA-256, 4 SHA-512). The IP addresses and email addresses above are defanged with `[.]` and must be refanged before matching.
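The list above is defanged and mixes four hash algorithms, two indicator kinds that appear in very different log sources, and no type labels, so a practitioner usually has to normalize it before it is usable. The script below is an added example, not code from the original page or from the vendors it cites: it refangs the page's own indicators, classifies each by type (email, IPv4, or hash by digest length), and scans log lines for any of them. The indicator list is the page's; the firewall, EDR and mail-gateway log lines are constructed samples, and the token regexes are this example's assumption about what those logs look like.

```python
"""Refang, classify and hunt for the indicators listed above. Added example;
indicators are the page's own, log lines are constructed samples."""
import re

RAW_IOCS = """
nosterrmann@mail[.]com
nosterrmann@protonmail[.]com
sar_addr@protonmail[.]com
wearehere@secmail[.]pro
1444884faed804667d8c2bfa0d63ab13
1a44368eb5bf68688ba4b4357bdc874f
26f330dadcdd717ef575aa5bfcdbe76a
91802a615b3a5c4bcc05bc5f66a5b219
93a138801d9601e4c36e6274c8b9d111
aa40c49e309959fa04b7e5ac111bb770
af2d86042602cbbdcc7f1e8efa6423f9
b90f05b5e705e0b0cb47f51b985f84db
e64064f76e59dea46a0768993697ef2f
5bd0690247dc1e446916800af169270f100d089b
95e045446efb8c9983ebfd85e39b4be5d92c7a2a
c4160aa55d092cf916a98f3b3ee8b940f2755053
cdcd97f946b78831a9b88b0a5cd785288dc603c1
f1d90e10e6e3654654e0a677763c9767c913f8f0
fa36febfd5a5ca0b3a1b19005b952683a7188a13
28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa
3a08d0cb0ff4d95ed0896f22f4da8755525c243c457ba6273e08453e0e3ac4c4
40ed1568fef4c5f9d03c370b2b9b06a3d0bd32caca1850f509223b3cee2225ea
4c691ccd811b868d1934b4b8e9ed6d5db85ef35504f85d860e8fd84c547ebf1d
5c818fe43f05f4773ad20e0862280b0d5c66611bb12459a08442f55f148400a6
c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624
d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a
ed463da90504f3adb43ab82044cddab8922ba029511da9ad5a52b8c20bda65ee
6451077b99c5f8ecc5c0ca88fe272156296beb91218b39ae28a086dba5e7e39813f044f9af0fedbb260941b1cd52fa237c098cbf4b2a822f08e3e98e934d0ecf
6473dac67b75194deeaef37103bba17936f6c16ffcd2a7345a5a46756996fad748a97f36f8fd4be4e1f264ece313773cc5596099d68e71344d8135f50e5d8971
70aa89449eb5da1d84b70d114ef9d24cb74751ce12d12c783251e51775c89fdce61b4265b43b1d613114d6a85e9c75927b706f39c576dbb036079c7e8caf28b2
e55a86159f2e869dcdb64fdc730da893718e20d65a04071770bd32cae75ff8c34704bdf9f72ef055a3b362759ede3682b3883c4d9bcf87013076638664e8078e
154[.]16.192.70
162[.]55.137.20
91[.]214.124.143
"""

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}  # digest length -> name
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
# Tokens worth looking up in a log line: email, IPv4 (not inside a longer dotted
# run), hex digest candidate (exact length is checked against the IOC set).
TOKEN_RE = re.compile(
    r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"
    r"|(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"
    r"|\b[0-9a-fA-F]{32,128}\b"
)

def refang(ioc: str) -> str:
    """Undo the usual defanging so the value compares equal to what logs contain."""
    return ioc.strip().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

def classify(ioc: str) -> str:
    """Return 'email', 'ipv4', one of the HASH_TYPES names, or 'unknown'."""
    v = refang(ioc).lower()
    if EMAIL_RE.fullmatch(v):
        return "email"
    if IPV4_RE.fullmatch(v) and all(int(o) <= 255 for o in v.split(".")):
        return "ipv4"
    if len(v) in HASH_TYPES and re.fullmatch(r"[0-9a-f]+", v):
        return HASH_TYPES[len(v)]
    return "unknown"

def load_iocs(raw: str) -> dict:
    """Map each indicator type to the set of refanged, lower-cased values."""
    groups = {}
    for line in raw.splitlines():
        if line.strip():
            groups.setdefault(classify(line), set()).add(refang(line).lower())
    return groups

def scan_log(lines, groups: dict) -> list:
    """Return (line_no, ioc_type, value) for every indicator seen in `lines`."""
    lookup = {v: kind for kind, values in groups.items() for v in values}
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            kind = lookup.get(tok.lower())
            if kind:
                hits.append((n, kind, tok.lower()))
    return hits

# Constructed log lines (not real telemetry): firewall, EDR (upper-case hash), MTA.
SAMPLE_LOG = [
    "2021-03-05T02:10:51Z fw01 allow tcp 10.0.0.12:51833 -> 162.55.137.20:443",
    "2021-03-05T02:12:00Z edr EXCH01 new-process C:\\Windows\\Temp\\svc.exe "
    "sha256=28332BDBFAEB8333DAD5ADA3C10819A1A015DB9106D5E8A74BEAAF03797511AA",
    "2021-03-05T02:20:15Z mta inbound from=nosterrmann@protonmail.com subject=invoice",
    "2021-03-05T08:00:00Z fw01 allow tcp 10.0.0.12:51900 -> 93.184.216.34:443",
]

if __name__ == "__main__":
    iocs = load_iocs(RAW_IOCS)
    print({kind: len(values) for kind, values in iocs.items()})
    for hit in scan_log(SAMPLE_LOG, iocs):
        print(hit)
```

Classifying by digest length is only a heuristic for labelling the page's list; it does not tell you which hash your EDR records, so compare against whatever digest the telemetry source actually emits. Comparison is case-insensitive on purpose, since tools differ in hex case, and the per-type counts this produces should equal the summary line above.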
Overlaps
Source: ESET - September 2023
Detection (one case): 162[.]55.137.20
Source: Secureworks - December 2022
Detection (three cases): 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa, 5bd0690247dc1e446916800af169270f100d089b, b90f05b5e705e0b0cb47f51b985f84db
Source: Deep Instinct - June 2022
Detection (one case): c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624
Source: Secureworks - May 2022
Detection (three cases): 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa, 5bd0690247dc1e446916800af169270f100d089b, b90f05b5e705e0b0cb47f51b985f84db
Source: Cybereason - February 2022
Detection (one case): 91[.]214.124.143
Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.