Iran-based Cyber Actors Enabli... Note

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

The FBI, CISA, and DC3 warn of Iranian cyber actors exploiting US and foreign organizations for ransomware attacks. These actors leverage remote device vulnerabilities, such as CVE-2024-3400, CVE-2024-24919, and CVE-2023-3519, to gain initial network access. Once inside, they create accounts, disable security software, and escalate privileges. They collaborate with ransomware affiliates, including NoEscape, Ransomhouse, and ALPHV (aka BlackCat), to facilitate encryption operations. The FBI assesses these actors are state-sponsored and engage in espionage activities, including data theft, in support of the Government of Iran. Victims include organizations in the education, finance, healthcare, defense, and government sectors. Mitigations include patching vulnerable devices, implementing zero-trust policies, and monitoring network activity for suspicious behavior. If compromised, organizations should contact the FBI or report the incident to CISA.