US, UK, Australia warn of Iranian attackers exploiting Fortinet, Exchange holes

Authorities in the United States, the United Kingdom and Australia have asked organisations to immediately patch four vulnerabilities, CVE-2021-34473, CVE-2020-12812, CVE-2019-5591 and CVE-2018-13379, following a series of attacks by Iranian attackers that exploit them.

“The FBI and CISA have observed that this Iranian government-backed APT group has been using Fortinet’s vulnerabilities since at least March 2021, and Microsoft Exchange’s ProxyShell vulnerabilities since October 2021, in activities that include the deployment of ransomware,” a joint advisory said.

“The Australian Cyber Security Centre is also aware that this APT group has used the Microsoft Exchange vulnerability in Australia.”

Rather than targeting a specific sector of the economy, officials said, the attackers focus on exploiting known vulnerabilities wherever possible and then try to turn that initial access into follow-on operations such as data exfiltration, ransomware deployment or extortion.

After gaining access through the Fortinet and Exchange holes, the attackers added tasks to the Windows Task Scheduler and created new accounts on domain controllers and other systems to maintain access. The next steps were to run BitLocker to encrypt data, leave a ransom note and exfiltrate data via FTP.
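The persistence steps described above (new scheduled tasks, new accounts on domain controllers) are exactly the events a defender can audit for. The following Python is an added example, not code from ZDNet or from the joint advisory: it parses constructed Windows Security audit records as JSON lines, flags event 4698 (scheduled task created) and event 4720 (user account created), raises the severity when the host is a domain controller, and escalates any host that shows both steps. The event IDs are the standard Windows Security audit IDs; the host names, account names, task name and the DOMAIN_CONTROLLERS set are made-up assumptions for the sample.

```python
"""Detection sketch for the two persistence steps named in the advisory:
scheduled task creation (Security event 4698) and account creation
(event 4720), with extra weight on domain controllers.

Added example, not from ZDNet or the advisory.  The records below are
constructed; real input would come from Windows Event Forwarding or a SIEM.
"""
from dataclasses import dataclass
import json

# Assumption: the set of hosts known to be domain controllers (made up).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed sample of newline-delimited JSON events, including one
# unrelated logon event (4624) and one corrupt line the parser must skip.
SAMPLE_LOG = """
{"EventID": 4624, "Computer": "WS17", "SubjectUserName": "jdoe"}
{"EventID": 4698, "Computer": "DC01", "SubjectUserName": "svc_backup", "TaskName": "Updater"}
{"EventID": 4720, "Computer": "DC01", "SubjectUserName": "svc_backup", "TargetUserName": "support$"}
{"EventID": 4720, "Computer": "FS03", "SubjectUserName": "admin", "TargetUserName": "tmpuser"}
not json at all
"""


@dataclass
class Finding:
    host: str
    event_id: int
    actor: str
    detail: str
    severity: str


def parse_events(lines):
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt line should not stop the scan
    return events


def detect_persistence(events):
    """Flag task creation (4698) and account creation (4720) events."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        host = ev.get("Computer", "")
        actor = ev.get("SubjectUserName", "")
        severity = "high" if host.upper() in DOMAIN_CONTROLLERS else "medium"
        if eid == 4698:
            detail = f"scheduled task created: {ev.get('TaskName', '?')}"
            findings.append(Finding(host, eid, actor, detail, severity))
        elif eid == 4720:
            detail = f"user account created: {ev.get('TargetUserName', '?')}"
            findings.append(Finding(host, eid, actor, detail, severity))
    return findings


def correlate_by_host(findings):
    """Return hosts on which BOTH a task and an account were created.

    Seeing the two persistence steps together on one host is the pattern
    described in the advisory, so these hosts deserve first attention."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.event_id)
    return sorted(host for host, ids in seen.items() if {4698, 4720} <= ids)


if __name__ == "__main__":
    found = detect_persistence(parse_events(SAMPLE_LOG.splitlines()))
    for f in found:
        print(f"[{f.severity}] {f.host} event {f.event_id} by {f.actor}: {f.detail}")
    print("hosts with both persistence steps:", correlate_by_host(found))
```

In production the same logic would run over forwarded events rather than an embedded string, and the allow-list of expected task names and service accounts would be tuned per environment so routine administration does not drown the signal.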

In April, the FBI and CISA issued a warning about the Fortinet vulnerabilities being actively exploited, and in July the authorities published a list of the top 30 exploited vulnerabilities.

Separately, on Wednesday, Microsoft issued its own warning that six Iranian groups were using vulnerabilities in the same pair of products to distribute ransomware.

The cited Exchange vulnerabilities, also known as ProxyShell, were initially exploited by Beijing-backed hackers.

Source: “ZDNet.com”
