Joint cybersecurity advisory warns of attacks from Iran

According to a new advisory from the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, and the Department of Defense Cyber Crime Center, a specific group of Iranian cyber actors has made numerous attempts to compromise the computer networks of U.S. organizations since 2017 and as recently as August.

The group – known as Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM and Lemon Sandstorm – has partnered with ransomware gangs like ALPHV, also known as BlackCat, a group responsible for numerous cyberattacks against the healthcare industry.

WHY IT IS IMPORTANT

This group of Iranian threat actors calls itself “Br0k3r” and, as of 2024, “xplfinder,” the agencies said in the joint advisory.

While the FBI has observed Iranian threat actors tied to hack-and-leak campaigns in the past, the agency recently determined that this group is working directly with the ransomware affiliates ALPHV, NoEscape, and Ransomhouse.

In addition to offering full domain control privileges, Iranian cyber actors work closely with ransomware affiliates to lock down victim networks and determine their extortion strategies. Their goals include enabling encryption operations in exchange for a percentage of ransom payments, the agencies said.

According to the warning, the attackers do not provide their location to contacts involved in the ransomware and remain deliberately vague about their nationality and origin.

According to the agencies, these actors have been observed since July “scanning IP addresses hosting Check Point Security Gateways, looking for devices potentially vulnerable to CVE-2024-24919.”

Since April, cybercriminals have been conducting mass scanning of IP addresses hosting Palo Alto Networks PAN-OS and GlobalProtect VPN devices. They have likely been conducting reconnaissance and searching for devices vulnerable to remote code execution.
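The mass scanning described above has a defender-side signature: a single source touching many distinct VPN-gateway addresses in a short window. The following is an added example, not code from the advisory or from any of the agencies, that applies that check to a few constructed firewall connection-log lines. The log format (`<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>`), the assumed VPN portal ports (443 and 4443), the 10-minute window and the five-destination threshold are all assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the advisory). Three sources:
#  - 203.0.113.5 sweeps six gateways on VPN ports in 25 seconds (plus one SSH probe, ignored)
#  - 192.0.2.7 is a normal client hitting one portal repeatedly
#  - 203.0.113.9 sweeps five gateways 15 minutes apart (low-and-slow; below the window)
SAMPLE_LOG = """\
2024-07-01T10:00:00 src=203.0.113.5 dst=198.51.100.10 dport=443 action=deny
2024-07-01T10:00:05 src=203.0.113.5 dst=198.51.100.11 dport=443 action=deny
2024-07-01T10:00:10 src=203.0.113.5 dst=198.51.100.12 dport=4443 action=deny
2024-07-01T10:00:15 src=203.0.113.5 dst=198.51.100.13 dport=443 action=allow
2024-07-01T10:00:20 src=203.0.113.5 dst=198.51.100.14 dport=443 action=deny
2024-07-01T10:00:25 src=203.0.113.5 dst=198.51.100.15 dport=443 action=deny
2024-07-01T10:00:30 src=203.0.113.5 dst=198.51.100.16 dport=22 action=deny
2024-07-01T10:01:00 src=192.0.2.7 dst=198.51.100.10 dport=443 action=allow
2024-07-01T10:02:00 src=192.0.2.7 dst=198.51.100.10 dport=443 action=allow
2024-07-01T10:03:00 src=192.0.2.7 dst=198.51.100.10 dport=443 action=allow
2024-07-01T10:00:00 src=203.0.113.9 dst=198.51.100.10 dport=443 action=deny
2024-07-01T10:15:00 src=203.0.113.9 dst=198.51.100.11 dport=443 action=deny
2024-07-01T10:30:00 src=203.0.113.9 dst=198.51.100.12 dport=443 action=deny
2024-07-01T10:45:00 src=203.0.113.9 dst=198.51.100.13 dport=443 action=deny
2024-07-01T11:00:00 src=203.0.113.9 dst=198.51.100.14 dport=443 action=deny
"""

# Assumed log line format for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

VPN_PORTS = {443, 4443}          # assumption: ports the monitored VPN portals listen on
WINDOW = timedelta(minutes=10)   # assumption: sliding window length
DISTINCT_DST_THRESHOLD = 5       # assumption: distinct gateways per window that counts as a sweep


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
        "action": m.group("action"),
    }


def find_mass_scanners(log_text, window=WINDOW, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: peak_distinct_dst} for sources that reached `threshold` distinct
    VPN-port destinations inside any `window`-long span of time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["dport"] in VPN_PORTS:
            events[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, evs in events.items():
        evs.sort()                      # sliding window needs time order per source
        active = Counter()              # distinct destinations currently inside the window
        left = 0
        peak = 0
        for ts, dst in evs:
            active[dst] += 1
            # Drop events that fell out of the window ending at `ts`.
            while ts - evs[left][0] > window:
                old_dst = evs[left][1]
                active[old_dst] -= 1
                if active[old_dst] == 0:
                    del active[old_dst]
                left += 1
            peak = max(peak, len(active))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_mass_scanners(SAMPLE_LOG).items():
        print(f"possible VPN gateway sweep from {src}: {n} distinct targets within {WINDOW}")
```

Only the fast sweep is flagged; the source that probes one gateway every 15 minutes never has more than one destination inside a 10-minute window. That is the trade-off to keep in mind when tuning: a longer window or lower threshold catches slower reconnaissance at the cost of more false positives from legitimate multi-site clients, so the output is better used to enrich an alert on the edge devices named in the advisory than as a standalone block rule.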

The technical details supplement and update an earlier advisory on Iranian exploitation of VPN vulnerabilities, which the FBI and CISA first published in 2020.

The agencies advise organizations to follow the suggested measures to defend themselves against attempts by Iranian cyber actors to gain a foothold in their networks.

“These measures are aligned with the Cross-Sector Cybersecurity Performance Goals developed by CISA and the National Institute of Standards and Technology,” they noted.

THE BIGGER TREND

Earlier this year, the FBI, CISA, and the Department of Health and Human Services revised their joint ALPHV Blackcat cybersecurity alert to address emerging indicators of breaches in the healthcare sector.

“Since mid-December 2023, the healthcare sector has been the most frequently affected of the nearly 70 leaked victims,” the researchers said.

While the FBI claimed to have seized the darknet website and infrastructure of Russia-based ALPHV late last year, the ransomware group claimed to have stolen 6 trillion bytes of data from Change Healthcare in the monumental attack on the payment processing giant and the subsequent outage in February.

ON THE RECORD

“Iranian cyber actors’ initial intrusions have relied on exploiting remote services on internet-facing assets to gain access to victims’ networks,” FBI and CISA officials said in the advisory.

Andrea Fox is Editor-in-Chief of Healthcare IT News.
Email address: afox@himss.org

Healthcare IT News is a publication of HIMSS Media.

The HIMSS Healthcare Cybersecurity Forum is scheduled for October 31-November 1 in Washington, DC.