
CISA warns of Iranian cyberthreat actors targeting healthcare

CISA and partners released a cybersecurity advisory regarding cyberthreat actors, such as Pioneer Kitten and UNC757, some of which have ties to the Iranian government.

Iran-based cyberthreat actors have been exploiting U.S. and foreign organizations across various sectors, including healthcare, a joint cybersecurity advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Defense Cyber Crime Center warned.

The advisory focused on known cyberthreat actors, such as Pioneer Kitten, UNC757, Parisite, Rubidium and Lemon Sandstorm. The FBI observed these groups targeting organizations across the education, healthcare, defense and finance sectors, as well as local government entities. The groups have also exploited organizations in other countries, including Azerbaijan, the United Arab Emirates and Israel.

The authoring entities stated that a "significant percentage" of the threat actors' operations against U.S. organizations are intended to develop network access and later collaborate with affiliate actors to deploy ransomware.

"The actors offer full domain control privileges, as well as domain admin credentials, to numerous networks worldwide," the advisory stated. "More recently, the FBI identified these actors collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments."

These threat actors have been observed collaborating closely with ransomware affiliates such as NoEscape, Ransomhouse and ALPHV to lock victim networks and extort victims.

What's more, the FBI suggested that the Iran-based cyberthreat actors are associated with the government of Iran and have been known to conduct computer network exploitation activity in support of the Iranian government. When it comes to working with affiliate ransomware actors, the groups do not typically disclose their Iran-based location and remain vague as to their nationality, the advisory noted.

The FBI has been tracking these Iranian cyberthreat actors since their first intrusion attempts against U.S. organizations in 2017, through to activity as recent as August 2024. The latest advisory highlighted similar threat actor activity from a September 2020 joint advisory that focused on Iran-backed hackers such as Pioneer Kitten and UNC757 exploiting known vulnerabilities in VPN connections. The information in the newest advisory was derived from FBI investigations of these groups' past intrusions against U.S. organizations.

The advisory provided technical details regarding the threat actors and their reconnaissance, initial access and credential access techniques. For example, the threat actors often obtain initial access by exploiting a public-facing networking device, such as Citrix NetScaler.

The FBI and CISA recommended that organizations prioritize patching CVE-2024-3400, CVE-2022-1388, CVE-2019-19781 and CVE-2023-3519, as these threat actors tend to target devices vulnerable to those CVEs.

Additionally, organizations should validate security controls, review logs, and check systems for unique identifiers and indicators of compromise used by threat actors. The authoring entities also recommended that organizations contact their local FBI field office if they believe they have been targeted by Iranian cyberthreat actors.
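As an added illustration of the "review logs and check for indicators of compromise" recommendation, the following Python script is not from the advisory or the article; it parses web/VPN gateway access logs in the common "combined" format and flags entries that match an indicator list. The log lines, IP addresses (RFC 5737 documentation ranges) and indicator values are constructed placeholders; an organization would substitute the IoCs published in the CISA/FBI advisory.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in Apache/NGINX "combined" format (not real data).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2024:03:14:02 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Aug/2024:03:14:09 +0000] "POST /cgi/login HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.15 - - [10/Aug/2024:03:15:40 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2024:03:16:11 +0000] "GET /vpn/portal HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# PLACEHOLDER indicators: replace these with the IoCs listed in the advisory.
IOC_IPS = {"203.0.113.7"}
IOC_NETWORKS = [ip_network("198.51.100.0/24")]
IOC_USER_AGENTS = {"python-requests/2.31"}

# One regex for the combined log format: client IP, timestamp, request line,
# status, response size, referrer and user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def indicators_for(rec):
    """List which indicator categories a parsed record matches."""
    reasons = []
    if rec["ip"] in IOC_IPS:
        reasons.append("ip")
    try:
        addr = ip_address(rec["ip"])
        if any(addr in net for net in IOC_NETWORKS):
            reasons.append("network")
    except ValueError:
        pass  # hostname or malformed address: skip the network check
    if rec["ua"] in IOC_USER_AGENTS:
        reasons.append("user-agent")
    return reasons


def scan(log_text):
    """Aggregate matching entries per source IP: count, first/last seen, reasons, paths."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "reasons": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = indicators_for(rec)
        if not reasons:
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        h["reasons"].update(reasons)
        parts = rec["req"].split(" ")
        h["paths"].add(parts[1] if len(parts) > 1 else rec["req"])
    return dict(hits)


if __name__ == "__main__":
    for ip, h in scan(SAMPLE_LOG).items():
        print(f"{ip}: {h['count']} hit(s), {h['first']} .. {h['last']}, "
              f"reasons={sorted(h['reasons'])}, paths={sorted(h['paths'])}")
```

Matched sources are grouped rather than reported line by line so that an analyst sees first/last activity and the paths touched for each indicator match, which is what a field-office report or an incident ticket needs.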

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
