From securityboulevard.com
The Cybersecurity and Infrastructure Security Agency (CISA), part of the US Department of Homeland Security, with input from the FBI, issued an alert on September 15, 2020, warning that an Iran-based threat actor is known to have penetrated a number of networks and may be planning to deploy ransomware in addition to other malicious activity.
The actor has primarily targeted US enterprises and organizations in the IT, government, healthcare, financial, insurance and media sectors.
Using scanning tools, backdoor creators and open-source tooling, including Nmap, FRPC, ngrok, and tiny web shell, this cybercrime gang identifies open ports, then exploits several known Common Vulnerabilities and Exposures (CVEs) in a range of popular VPNs to access targeted networks. CVEs that CISA and the FBI have observed the group using include: