Wednesday, September 16, 2020

Security Director Alert - Information Technology, Government, Healthcare, Financial, Insurance, and Media Sectors

via counterespionage-news.com

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are aware of a widespread campaign from an Iran-based malicious cyber actor targeting several industries mainly associated with the information technology, government, healthcare, financial, insurance, and media sectors across the United States.

The threat actor conducts mass scanning and uses tools, such as Nmap, to identify open ports. Once the open ports are identified, the threat actor exploits CVEs related to VPN infrastructure to gain initial access to a targeted network.

After gaining initial access to a targeted network, the threat actor obtains administrator-level credentials and installs web shells that allow further entrenchment. After establishing a foothold, the threat actor’s goals appear to be maintaining persistence and exfiltrating data. This threat actor has been observed selling access to compromised network infrastructure in an online hacker forum.