Threats Feed | Unknown | Last Updated: 22/12/2023 | Author: Certfa Radar | Publish Date: 19/11/2021

Iranian APT Group Exploits Microsoft and Fortinet Vulnerabilities: A Broad Spectrum Cyber Assault

  • Actor Motivations: Espionage, Exfiltration, Extortion, Financial Gain
  • Attack Vectors: Vulnerability Exploitation, Backdoor, Ransomware
  • Attack Complexity: High
  • Threat Risk: High Impact / Low Probability

Threat Overview

Iranian government-sponsored APT actors have exploited vulnerabilities in Microsoft Exchange servers and Fortinet devices since at least March 2021. They have broadly targeted organizations across critical infrastructure sectors in the United States, including Transportation and Healthcare and Public Health, as well as organizations in Australia. The actors appear to be opportunistic rather than sector-driven: they focus on exploiting known, unpatched vulnerabilities and then use the initial access for ransomware deployment, data exfiltration, and extortion. Observed tactics, techniques, and tools include creating new user accounts and creating or modifying scheduled tasks through Windows Task Scheduler to maintain persistence.

Detected Targets

Type      Description      Confidence
Sector    Logistics        Verified
Sector    Healthcare       Verified
Region    Australia        Verified
Region    United States    Verified

Extracted IOCs

  • nosterrmann@mail[.]com
  • nosterrmann@protonmail[.]com
  • sar_addr@protonmail[.]com
  • wearehere@secmail[.]pro
  • 1444884faed804667d8c2bfa0d63ab13
  • 1a44368eb5bf68688ba4b4357bdc874f
  • 26f330dadcdd717ef575aa5bfcdbe76a
  • 91802a615b3a5c4bcc05bc5f66a5b219
  • 93a138801d9601e4c36e6274c8b9d111
  • aa40c49e309959fa04b7e5ac111bb770
  • af2d86042602cbbdcc7f1e8efa6423f9
  • b90f05b5e705e0b0cb47f51b985f84db
  • e64064f76e59dea46a0768993697ef2f
  • 5bd0690247dc1e446916800af169270f100d089b
  • 95e045446efb8c9983ebfd85e39b4be5d92c7a2a
  • c4160aa55d092cf916a98f3b3ee8b940f2755053
  • cdcd97f946b78831a9b88b0a5cd785288dc603c1
  • f1d90e10e6e3654654e0a677763c9767c913f8f0
  • fa36febfd5a5ca0b3a1b19005b952683a7188a13
  • 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa
  • 3a08d0cb0ff4d95ed0896f22f4da8755525c243c457ba6273e08453e0e3ac4c4
  • 40ed1568fef4c5f9d03c370b2b9b06a3d0bd32caca1850f509223b3cee2225ea
  • 4c691ccd811b868d1934b4b8e9ed6d5db85ef35504f85d860e8fd84c547ebf1d
  • 5c818fe43f05f4773ad20e0862280b0d5c66611bb12459a08442f55f148400a6
  • c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624
  • d7982ffe09f947e5b4237c9477af73a034114af03968e3c4ce462a029f072a5a
  • ed463da90504f3adb43ab82044cddab8922ba029511da9ad5a52b8c20bda65ee
  • 6451077b99c5f8ecc5c0ca88fe272156296beb91218b39ae28a086dba5e7e39813f044f9af0fedbb260941b1cd52fa237c098cbf4b2a822f08e3e98e934d0ecf
  • 6473dac67b75194deeaef37103bba17936f6c16ffcd2a7345a5a46756996fad748a97f36f8fd4be4e1f264ece313773cc5596099d68e71344d8135f50e5d8971
  • 70aa89449eb5da1d84b70d114ef9d24cb74751ce12d12c783251e51775c89fdce61b4265b43b1d613114d6a85e9c75927b706f39c576dbb036079c7e8caf28b2
  • e55a86159f2e869dcdb64fdc730da893718e20d65a04071770bd32cae75ff8c34704bdf9f72ef055a3b362759ede3682b3883c4d9bcf87013076638664e8078e
  • 154[.]16.192.70
  • 162[.]55.137.20
  • 91[.]214.124.143

Tip: 34 related IOCs (3 IP, 0 domain, 0 URL, 4 email, 27 file hash) to this threat have been found.

Overlaps

Ballistic Bobcat: Ballistic Bobcat Exploits Microsoft Exchange Vulnerabilities to Compromise 34 Organizations

Source: ESET - September 2023

Detection (one case): 162[.]55.137.20

Cobalt Mirage: Drokbk Malware: A Tool for COBALT MIRAGE's Cyber Arsenal

Source: Secureworks - December 2022

Detection (three cases): 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa, 5bd0690247dc1e446916800af169270f100d089b, b90f05b5e705e0b0cb47f51b985f84db

Phosphorus: Stealth in the System: PHOSPHORUS Exploits Exchange Server in Infrastructure Sector Attack

Source: Deep Instinct - June 2022

Detection (one case): c51fe5073bd493c7e8d83365aace3f9911437a0f2ae80042ba01ea46b55d2624

Cobalt Mirage: COBALT MIRAGE's Exploits: Targeting Israeli and Western Organizations

Source: Secureworks - May 2022

Detection (three cases): 28332bdbfaeb8333dad5ada3c10819a1a015db9106d5e8a74beaaf03797511aa, 5bd0690247dc1e446916800af169270f100d089b, b90f05b5e705e0b0cb47f51b985f84db

Phosphorus: PowerLess Backdoor: Analyzing the Phosphorus Group's Cyber Espionage Tool

Source: Cybereason - February 2022

Detection (one case): 91[.]214.124.143

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.