US Says Iran-backed Hackers Are Now Targeting Organizations With Ransomware

The U.S. government, along with counterparts in Australia and the U.K., has warned that Iranian state-backed hackers are targeting U.S. organizations in critical infrastructure sectors -- in some cases with ransomware. From a report: The rare warning linking Iran with ransomware landed in a joint advisory Wednesday, issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the U.K.'s National Cyber Security Centre (NCSC). The advisory said that Iran-backed attackers have been exploiting Fortinet vulnerabilities since at least March and a Microsoft Exchange ProxyShell vulnerability since October to gain access to U.S. critical infrastructure organizations in the transport and public health sectors, as well as organizations in Australia. The hackers' ultimate aim is to leverage this access for follow-on operations such as data exfiltration, extortion and ransomware deployment. In May this year, for example, the hackers abused FortiGate gear to access a web server hosting the domain for a U.S. municipal government. The following month, CISA and the FBI observed the hackers exploiting Fortinet vulnerabilities to access the networks of a U.S.-based hospital specializing in healthcare for children. The joint advisory has been released alongside a separate report from Microsoft on the evolution of Iranian APTs, which are "increasingly utilizing ransomware to either collect funds or disrupt their targets." In the report, Microsoft said it has been tracking six Iranian threat groups that have been deploying ransomware and exfiltrating data in attacks that started in September 2020.