Government Warns of New Cyber Threats Targeting U.S. Businesses

Patterson Belknap Webb & Tyler LLP

The Cybersecurity and Infrastructure Security Agency (CISA) teamed up with the Federal Bureau of Investigation (FBI) to issue a joint warning of cyber-attacks emanating from Iran and targeting U.S. federal agencies and businesses.  These hackers target vulnerabilities in virtual private networks (VPNs), which organizations use to allow remote network access.  Once the hackers gain access through a VPN, they export data, sell access to the network, and are able to install ransomware.  This is the latest example of criminals exploiting vulnerabilities associated with the current remote working environment.

Coming on the tail of myriad other attacks during the COVID-19 pandemic, the FBI and CISA report that this ring of Iranian hackers is targeting companies and agencies in the government, healthcare, financial, insurance, and media sectors.  Alerts like this should come as no surprise to those in these industries since cybercriminals have historically associated them with potentially valuable information.  INTERPOL, the U.K.’s National Cyber Security Centre (NCSC), and CISA previously issued warnings in April concerning an uptick in cybercriminal activity associated with the shift of work from offices to homes.  Similarly, the NCSC and CISA’s joint guidance warned of potential VPN vulnerabilities.  The NCSC and CISA issued an updated joint advisory in May that further highlighted new vulnerabilities resulting from the global shift to remote working.

Last week’s CISA/FBI notice did not identify victims of the Iranian attacks, but the alert confirms that some of the attacks were successful and describes how this threat actor operates.  First, the bad actors conducted “mass-scanning” to identify “open ports” and other vulnerabilities in VPN infrastructure.  After gaining access, these hackers would obtain administrator-level credentials to the network and install software to cover their tracks, allowing longer, undetected access.  The hackers would then export data and, according to the recent alert, have also been observed selling access to the infiltrated network, allowing the purchaser to install ransomware.

CISA and the FBI recommend a series of specific remedial steps to mitigate the chances of falling victim to one of these attacks, including patching VPN software, auditing patch management programs, closely monitoring network traffic, and using multi-factor authentication for all network access, among other measures.

These most recent attacks serve as yet another reminder that businesses need to ensure implementation and ongoing enhancement of technical safeguards for digital assets, as well as appropriate policies and procedures directed to incident avoidance, response, and mitigation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising
