Week of Monday, November 15, 2021 | Issue 52
Patrianna Napoleon, Counterintelligence and Cyber (CICYBER) Team
Date: November 17, 2021
Location: The United States (US), The United Kingdom (UK), Australia
Parties involved: The Federal Bureau of Investigation (FBI); Cybersecurity and Infrastructure Security Agency (CISA); Australian Cyber Security Centre (ACSC); UK’s National Cyber Security Centre (NCSC); US transportation and public health sector; Iranian government-sponsored Advanced Persistent Threat (APT) actors; Microsoft; Fortinet
The event: US, UK, and Australian cybersecurity agencies issued a joint warning for multiple US critical infrastructure sectors, including the US transportation and public health sectors. Iranian government-sponsored APT actors actively targeted Microsoft Exchange and Fortinet systems because of their vulnerabilities. The APT group used a Microsoft Exchange ProxyShell vulnerability to obtain initial access to transportation systems and their subsequent operations. The group exploited vulnerabilities as a gateway to hack into other networks, like US-based hospitals that provide healthcare to children. The APT group controlled systems by using malicious attacks like ransomware and data extortion, allowing the group to hold electronic files until a ransom fee is paid. The APT group also used the Fortinet vulnerability CVE-2018-13379 to gain access to vulnerable networks. “CVE-2018-13379 is a Fortinet system path that allows an unauthenticated attacker to download system files.”
Organizations that rely on systems to run operations will likely lack sufficient tools to protect themselves against potential threats. Organizations that are not patching vulnerabilities will likely allow potential hackers to conduct malicious activity like spreading viruses in their networks. Cyber attackers like APT groups are likely to target vulnerable systems connected to government facilities to steal data from government-connected devices. Stolen data could likely be used to spread misinformation about government operations and interrupt government services.
Cyber groups target high-profile organizations and enterprises by spreading malware to multiple systems of the organization and those connected to it, likely causing an interruption. Hackers will then take advantage and access company data. Hackers will likely use malicious techniques like sending phishing emails to companies that unknowingly expose sensitive data. Organizations and companies will likely be unable to operate standard business procedures while they fix the vulnerabilities and recover from the attack. Enterprises unable to provide their services to clients are likely to see their revenues negatively affected, as clients will seek to purchase services from competitors whose operations are functional.
As APT groups attack organizations, their recruitment will likely increase due to their hacking capabilities and the threat they pose to organizations. The group will likely collaborate with other hacking groups willing to expose government information for financial gain. Iranian APT groups will likely use hacking forums like RaidForums that likely encourage users to attack devices using stolen data and shut down websites. Hacking forums are likely exposing system vulnerabilities or leaking information for other data thieves.
Date: November 19, 2021
Location: The United States
Parties involved: The Federal Bureau of Investigation (FBI); FatPipe MPVPN networking devices; Unidentified Advanced Persistent Threat (APT) actor; Citrix
The event: The FBI disclosed that an unidentified threat actor exploited vulnerabilities in a FatPipe MPVPN networking device to connect to vulnerable networks like Citrix. Citrix is a technology enterprise that specializes in networks and cloud services. FatPipe MPVPN is a virtual private network that secures data transmission faster by encrypting data over multiple connections for systems. FatPipe MPVPN prevents hackers from reading data as it travels to different systems and from stealing confidential information. The vulnerability allowed the hacker to change system permissions, like administrative accounts, to upload a file to any location remotely from an infected device running software older than the latest version. The hacker uploaded a malicious web shell exploit, enabling them to send a Hypertext Transfer Protocol (HTTP) request that disrupted company networks that use the MPVPN.
The vulnerability could likely impact companies’ reputations as consumers cannot access network services. Companies that cannot access networks will likely experience downtime from the spread malware, likely preventing them from running business operations. They will likely also have to use the companies’ income streams to respond to the attack, such as by recovering lost data. Consumers will likely be deterred from buying the affected company’s services after an attack due to the leak of personal information.
The impact of the attack could likely affect the critical infrastructure of the US and other countries. Infrastructures likely use affected systems like computers to connect to a network to run their services and produce products. Critical infrastructures like electrical grids and water supply could likely be taken offline to prevent further malicious activity on those systems. Companies like cargo carriers that import goods across countries could likely be unable to meet supply chain demands as transportation services are offline.
Hackers will likely target companies that have not updated to the latest software version that FatPipe released. Hackers could very likely use the vulnerabilities to access infected or vulnerable government devices lacking updates to retrieve confidential information. The state-sponsored hackers could likely leverage the confidential information to conduct successful cyberattacks by understanding the preventive measures taken by the governments. Hackers will likely use the response plan to identify alternative ways to attack networks, allowing them to bypass security tools like the notification of suspicious activity.
Advanced persistent hackers are also likely to conduct an attack to obtain financial rewards for collaborating with nation-state-sponsored hackers, who will likely pay a fee to access stolen data. State-sponsored hackers will likely use the system vulnerabilities to deploy ransomware, allowing them to demand a fee for the encrypted data. Advanced persistent hackers are also likely to retrieve finances from malware to convert them to digital currency. Digital currency will almost certainly allow them to purchase goods and services without being tracked.
The Counterterrorism Group (CTG)
 “Cyber” by The Digital Artist licensed under Pixabay
 Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities, Cybersecurity and Infrastructure Security Agency (CISA), November 2021, https://us-cert.cisa.gov/ncas/alerts/aa21-321a
 CVE-2018-13379 Detail, NIST, June 2021, https://nvd.nist.gov/vuln/detail/CVE-2018-13379
 Citrix, Citrix, n.d., https://www.citrix.com/
 FatPipe Inc MPVPN, FatPipe, n.d., https://www.fatpipeinc.com/products/mpvpn/index.php
 FBI Issues Flash Alert on Actively Exploited FatPipe VPN Zero-Day Bug, The Hacker News, November 2021, https://thehackernews.com/2021/11/fbi-issues-flash-alert-on-actively.html