The U.S. Cybersecurity and Infrastructure Security Agency and Microsoft witnessed a massive surge of Iranian state-sponsored cyberattacks against IT services firms. In the wake of the findings, the tech giant and the eminent law enforcement body sent out alerts regarding the same.
In 2020, the cyberattacks from state-sponsored Iranian threat actors on IT services firms were virtually non-existent, however, in 2022 the cybercrimes exceeded to 1,500, said Microsoft.
"Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks," Microsoft added.
According to the report, the group was tracked as Phosphorus (aka Charming Kitten or APT35), compromising IP addresses on the internet for unpatched Fortinet FortiOS SSL VPN and on-premises Exchange Servers to gain access.
Additionally, the organizations believed that an advanced persistent threat (APT) group sponsored by the Iranian government was using known vulnerabilities in both Microsoft Exchange and Fortinet to attack both government and private sector networks.
"FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021 and Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware. ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia," reads the report.
Nation-state operators with nexus to Iran are becoming more advanced and familiar with cyberattacks to generate revenue, they are also engaging in persistent social engineering campaigns and aggressive brute force attacks.
Researchers from Microsoft Threat Intelligence Center (MSTIC) revealed that “these ransomware deployments were launched in waves every six to eight weeks on average.”
"The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple U.S. critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health sector, as well as Australian organizations," CISA said.
As per the findings, the hackers systematically target prominent IT services firms worldwide including nations like the USA, the UK, United Arab Emirates, India, and so on. Microsoft further added that these attacks are examples of how nation-state actors are increasingly targeting supply chains as an indirect approach to fulfill their real motives.
