FBI and CISA warn of Iran-based ransomware attacks

The cybercriminals collaborate with ransomware affiliates to target healthcare, finance, and other US and foreign industries.
By admin
Sep 5, 2024, 9:52 AM

Iran-based cybercriminals are partnering with known cyber gangs to deploy ransomware on US industries.  

The big picture: A group of Iran-based cyber actors is actively exploiting vulnerabilities in US organizations across multiple sectors, collaborating with ransomware affiliates to extort victims. 

Driving the news: The FBI, CISA, and the Department of Defense Cyber Crime Center (DC3) released a joint Cybersecurity Advisory warning of ongoing cyberattacks by Iran-based actors against US and foreign organizations. 

  • The attacks target the education, finance, healthcare, and defense sectors, as well as local government entities. 
  • Actors exploit vulnerabilities in network devices from Citrix, F5, Pulse Secure, and others. 
  • The group collaborates with ransomware affiliates including NoEscape, Ransomhouse, and ALPHV (BlackCat).

Zoom in: The Iranian cyber group’s tactics include: 

  • Exploiting public-facing networking devices using known vulnerabilities 
  • Creating backdoors and webshells for persistence 
  • Using stolen credentials to access other parts of victim networks 
  • Collaborating with ransomware affiliates to encrypt victim data and extort payments 

Reality check: While some activities support Iranian government interests, the ransomware operations likely aren’t sanctioned by the government. 

  • The actors use the cover company name “Danesh Novin Sahand” for their activities. 
  • They’ve been active since at least 2017, with recent activity observed in August 2024. 

What’s next: The FBI recommends organizations: 

  • Review logs for suspicious IP addresses provided in the advisory 
  • Apply patches for known vulnerabilities in network devices 
  • Check systems for indicators of compromise, including specific usernames and tools 

Go deeper: Read the full advisory here. Read more on how to build resilient cybersecurity approaches here.
