This appeared last week:
https://healthitsecurity.com/news/cisa-iranian-government-sponsored-threat-actors-targeting-healthcare
CISA: Iranian Government-Sponsored Threat Actors Targeting Healthcare
The US and its allies are warning healthcare entities about Iranian government-sponsored threat actors targeting Microsoft Exchange and Fortinet vulnerabilities.
By Jill McKeon
November 17, 2021 - US cyber officials along with allies from Australia and the UK issued an advisory warning the healthcare and transportation sectors about an Iranian government-sponsored advanced persistent threat (APT) group that has been exploiting Microsoft Exchange ProxyShell and Fortinet vulnerabilities.
The FBI, along with the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) have observed the APT group exploiting Fortinet vulnerabilities since at least March 2021 and Microsoft Exchange vulnerabilities since at least October 2021.
The threat actors are known to focus on exploiting known vulnerabilities and subsequently leverage the access for data exfiltration or encryption, ransomware, and extortion.
“In March 2021, the FBI and CISA observed these Iranian government-sponsored APT actors scanning devices on ports 4443, 8443, and 10443 for Fortinet FortiOS vulnerability CVE-2018-13379, and enumerating devices for FortiOS vulnerabilities CVE-2020-12812 and CVE-2019-5591,” the advisory stated.
“The Iranian Government-sponsored APT actors likely exploited these vulnerabilities to gain access to vulnerable networks.”
In May, the same actors exploited a Fortigate appliance to access a webserver that hosted the domain for a US municipal government. The actors likely created an account with the username “elie” to further their malicious activity.
In June, the APT actors once again exploited a Fortigate appliance to access the environmental control networks of an unnamed US-based children’s hospital. CISA and the FBI said that the group accessed known user accounts at the hospital from an IP address that the agencies associate with the Iranian government.
In October 2021, the FBI and CISA observed the actors exploiting a Microsoft Exchange ProxyShell vulnerability. It is likely that the APT group also used this vulnerability to orchestrate attacks on Australian entities.
……
To mitigate risk, the FBI, CISA, NCSC, and ACSC urged organizations to patch and update operating systems, evaluate and update blocklists and allowlists, and implement backup and restoration policies. In addition, organizations should implement network segmentation, work to secure all user accounts, implement multi-factor authentication, secure remote access, and use strong passwords.
For more information, see CISA's assessment and overview of the ongoing Iranian cyber threat.
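The scanning behaviour in the advisory quote above (devices probed on ports 4443, 8443 and 10443 for the FortiOS SSL-VPN bug) can be spotted from perimeter logs. The following detector is an added example, not code from CISA, the article or this blog; it reads constructed firewall log lines in an assumed simplified `key=value` format and flags any source that touches three or more distinct hosts on those ports within a ten-minute window.

```python
"""Flag sources sweeping the Fortinet SSL-VPN ports named in the CISA advisory.

Added example (not from CISA or the article). The log lines below are
constructed for illustration; the field layout is an assumed simplified
firewall export: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<verb>".
"""
from collections import defaultdict
from datetime import datetime

# Ports the advisory says the actors scanned for CVE-2018-13379 (FortiOS SSL-VPN).
WATCHED_PORTS = {4443, 8443, 10443}

# Constructed sample: one source sweeps four hosts, another is ordinary traffic.
SAMPLE_LOG = """\
2021-03-02T10:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=4443 action=deny
2021-03-02T10:00:02Z src=203.0.113.7 dst=192.0.2.11 dport=8443 action=deny
2021-03-02T10:00:03Z src=203.0.113.7 dst=192.0.2.12 dport=10443 action=deny
2021-03-02T10:00:04Z src=203.0.113.7 dst=192.0.2.13 dport=4443 action=deny
2021-03-02T10:05:00Z src=198.51.100.4 dst=192.0.2.10 dport=443 action=allow
2021-03-02T10:06:00Z src=198.51.100.4 dst=192.0.2.10 dport=4443 action=allow
"""


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware timestamp."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
    }


def find_port_sweeps(log_text, min_targets=3, window_seconds=600):
    """Return {src_ip: sorted distinct dst hosts} for every source that hits
    at least min_targets distinct hosts on WATCHED_PORTS within window_seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if ev["dport"] in WATCHED_PORTS:
                events[ev["src"]].append(ev)
    sweeps = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide the window over each start event
            targets = {e["dst"] for e in evs[i:]
                       if (e["ts"] - first["ts"]).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                sweeps[src] = sorted(targets)
                break
    return sweeps
```

A hit on the watched ports from a single source is normal; it is the breadth across hosts in a short window that separates a sweep from a user reaching one VPN gateway, so tune `min_targets` to the number of externally exposed appliances you actually have.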
More here:
I am not sure what we have done to attract Iranian attention but whatever, the advice on what to do about such attacks is as relevant as ever. It really seems that individual patient data has a strong attraction for evil actors – I guess because it facilitates identity theft and the associated profits, although the article offers a number of other malevolent reasons.
We all need to remain alert if not alarmed!
David.
Must be budget submission season, but a bit of scaremongering always helps the business case