Date: 2021-11-18

The Cybersecurity and Infrastructure Security Agency, FBI and cybersecurity agencies of Australia and the U.K. are warning that an advanced persistent threat group that has ties to the government of Iran is exploiting Microsoft Exchange ProxyShell and Fortinet vulnerabilities to gain access to networks of critical infrastructure organizations.

The Iranian government-backed APT group is targeting organizations in transportation, health care and public health sectors and is using initial access to deploy ransomware, exfiltrate data and conduct other follow-on operations, the agencies said Wednesday.

A joint advisory from the agencies listed several tactics, tools and techniques the APT actors use to gain initial access to organizations’ systems.

The agencies are urging network defenders to patch and update systems, enforce backup and restoration procedures and policies, implement multifactor authentication and network segmentation, reduce risk of phishing and secure remote access, among other mitigation measures.