Iranian government sponsored cybercriminals are actively using known software vulnerabilities to attack critical infrastructure targets in Australia, government authorities have warned in urging businesses to close long-known security holes in their systems.

The warning – issued by the Australian Cyber Security Centre (ACSC) in conjunction with the US FBI, Cybersecurity and Infrastructure Security Agency (CISA), Canadian Centre for Cyber Security (CCCS), and UK National Cyber Security Centre (NCSC) among others – highlighted an ongoing campaign against Western targets that has been followed closely by national cyber authorities since May 2021.

Cybercrime groups – affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC) but working under the auspices of Iranian companies including Najee Technology Hooshmand Fater LLC and Afkar System Yazd Company – are targeting a range of known vulnerabilities in software including security vendor Fortinet’s Fortinet OS, Microsoft Exchange, and VMware Horizon Log4j weaknesses, the authorities concluded.

Rather than choosing victims for political or other motives, the ACSC and partners have concluded that the cyber criminals are trawling through Western businesses looking for companies that have not yet patched the vulnerabilities – leaving soft spots that are ripe for exploitation by ransomware and extortion operations.

The criminal groups are “exploiting known vulnerabilities on unprotected networks”, the ACSC advised, “rather than targeting specific targeted entities or sectors.”

“After gaining access to a network, the actors likely determine a course of action based on their perceived value of the data.... they may sell the data or use the exfiltrated data in extortion operations.... to pressure targeted entities to pay ransom demands.”

Ongoing scrutiny of the Iranian cyber criminals’ activities has helped government security specialists develop a detailed understanding of the techniques they are using, leading them to encourage businesses to prioritise fixes including patching vulnerabilities and prioritising known exploits; enforcing multi-factor authentication (MFA); and making offline backups of data.

The latest alert “serves as a direct reminder that threat actors of all types, from average cybercriminals to government-sponsored APT groups, continue to exploit legacy vulnerabilities to gain access into organisations despite the availability of patches for months or years,” said Satnam Narang, senior staff research engineer with security firm Tenable.

“This underscores the need for organisations to be more diligent about identifying vulnerable assets within their networks and applying available patches in a timely manner.”

Caught in the crossfire – or targets themselves?

With most companies expecting to suffer cybercriminal compromise and nation state-backed groups from China, Russia, Iran and elsewhere regularly caught with their hands in the proverbial cookie jar, complacency long ago stopped being an acceptable cyber security strategy for businesses whose increasing online exposure has opened them up to attack from anywhere in the world.

Security firm Crowdstrike, for one, has long tracked the activities of nation-state groups and has documented campaigns against Australian targets by threat actors based in North Korea, Eastern Europe, India, Russia, and elsewhere.

And while many of those groups are simply eager to amass financial rewards, their growing attention on critical infrastructure raises the spectre of disruptive and potentially crippling cyberattacks that could cause widespread societal damage.

The escalation of attacks by groups from Iran – which was a decade ago targeted by the Stuxnet critical infrastructure industrial malware – has been an ongoing trend, CISA has reported, with the IRGC working with private-sector contractors or its own specialists on a range of cyber campaigns.

The country “has exercised its increasingly sophisticated cyber capabilities to suppress certain social and political activity, and to harm regional and international adversaries,” CISA’s assessment said, noting that Iranian nation-state groups “continue to engage in conventional offensive cyber activities ranging from website defacement, spearphishing, DDoS, and theft of personally identifiable information, to more advanced activities.”

These include destructive malware, manipulation of social media, and, CISA warned, “potentially cyberattacks intended to cause physical consequences.”

Those consequences, Gartner last year warned, could include human fatalities by 2025 as malicious cyber criminals manipulate safety systems built into industrial operational technology (OT) systems.

Just as conventional businesses should act to patch potentially exploitable vulnerabilities as soon as possible, Gartner has advised companies with OT systems to ensure they implement 10 critical security controls to reduce their potential exposure to nation-state and other attacks.