In July of 2022, it was discovered that Iranian state cyber actors had gained access to Albanian government environments and launched a ransomware attack. Now, in September, they’re at it again. The Iranian group launched another round of attacks looking very familiar to the first wave.
The actors used CVE-2019-0604, an internet-facing Microsoft SharePoint Vulnerability, to gain initial access. They then used RDP, SMB and FTP to move around the environment. The actors were able to compromise a Microsoft Exchange account to create another Exchange account and “add it to the Organization Management role group.” From there they were able to pull data from government email accounts. The actors were also able to connect to IP addresses belonging to the VPN. They encrypted the victim’s files and wiped disk drives.
The threat actors seemed to have gained access approximately 14 months prior to it being discovered in July of 2022. While sitting in the victim’s environment they were able to gain more and more access. This attack should sound all too familiar to what we have seen over the past few years. It seems to be a reoccurring theme for threat actors to hide out in networks waiting for the ideal opportunity to attack. So, what could the Albanian government have done to avoid this mess? Having a strong patching program in place to ensure vulnerabilities are taking care of as soon as possible and properly securing internet-facing network devices would have been a good place to start.
Threat actors are not just coming from a small group with minimal resources. These groups are being funded by governments with money and information that can help carry out successful cyberattacks. It’s all of our jobs to make it as difficult as possible for those attacks to be successful. Here is a LINK to the Joint Cybersecurity Advisory released by the FBI and CISA. The Advisory goes into more details on the methods used in the attacks and mitigation steps.
