Recurring |
one_organization, multiple_organization |
(a) The software failure incident having happened again at one_organization:
- The article mentions that an Iranian-aligned hacking group, Phosphorous, targeted an unnamed US municipality and a US-based hospital specializing in healthcare for children [121090].
- Phosphorous exploited vulnerabilities in Microsoft Exchange and Fortinet's FortiOS to gain initial access to systems and deploy ransomware [121090].
- Microsoft reported that Phosphorous is increasingly using ransomware to generate revenue or disrupt adversaries, and they have observed the group deploying ransomware to achieve their strategic objectives [121090].
(b) The software failure incident having happened again at multiple_organization:
- The article states that the Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector, as well as Australian organizations [121090].
- The Iranian-aligned group, Phosphorous, targeted Fortinet servers in the US, Europe, and Israel, exploiting vulnerabilities in FortiOS systems [121090].
- Phosphorous shifted to scanning for on-premises Exchange Servers vulnerable to specific flaws, known as ProxyShell, affecting organizations globally [121090]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be attributed to the exploitation of known vulnerabilities in enterprise products from Microsoft and Fortinet. The hackers exploited vulnerabilities in Microsoft Exchange and Fortinet’s FortiOS, which were identified and patched, but not everyone had installed the updates, leading to successful attacks [121090].
(b) The software failure incident related to the operation phase occurred due to the hackers exploiting the vulnerabilities in Microsoft Exchange and Fortinet’s FortiOS to gain initial access to systems. The hackers then initiated follow-on operations, including deploying ransomware, indicating a failure in the operation and security measures of the systems [121090]. |
Boundary (Internal/External) |
within_system, outside_system |
(a) within_system: The software failure incident reported in the articles is primarily due to vulnerabilities within the Microsoft Exchange and Fortinet's FortiOS products. These vulnerabilities were exploited by Iranian government hackers to gain initial access to systems and deploy ransomware. The identified vulnerabilities had been patched, but not all users had installed the updates, leading to the exploitation [121090]. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in this case is primarily attributed to non-human actions, specifically the exploitation of known vulnerabilities in enterprise products from Microsoft and Fortinet by Iranian government hackers [121090]. These vulnerabilities were identified and patched, but not all users had installed the updates, which allowed the hackers to gain initial access to systems and deploy ransomware. The hackers exploited vulnerabilities in Microsoft Exchange and Fortinet's FortiOS, indicating that the failure stemmed from factors introduced without human participation, namely the presence of these vulnerabilities in the software systems.
(b) Human actions also played a role in this software failure incident. For example, the hackers created new user accounts on compromised networks, mimicking existing accounts with usernames like "elie" and "WADGUtilityAccount" [121090]. Additionally, the hackers targeted specific organizations, such as a US municipality and a US-based hospital specializing in healthcare for children, indicating a deliberate choice in their actions. Furthermore, the hackers deployed ransomware and demanded payment for decryption keys, showcasing intentional human actions in causing the software failure incident. |
Dimension (Hardware/Software) |
software |
(a) The software failure incident occurring due to hardware:
- The incident reported in the articles is not directly attributed to hardware failures but rather to vulnerabilities in enterprise software products from Microsoft and Fortinet [121090].
(b) The software failure incident occurring due to software:
- The software failure incident reported in the articles is primarily due to vulnerabilities in software products from Microsoft and Fortinet, which were exploited by Iranian government hackers to gain access to systems and deploy ransomware [121090]. |
Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the articles is malicious in nature. The incident involves Iranian government hackers exploiting known vulnerabilities in enterprise products from Microsoft and Fortinet to target critical infrastructure sectors in the US, UK, and Australia [121090]. The hackers are part of an advanced-persistent-threat hacking group aligned with the Iranian government, actively targeting various organizations for follow-on operations such as data exfiltration, ransomware deployment, and extortion. The hackers have been observed exploiting vulnerabilities in Microsoft Exchange and Fortinet's FortiOS to gain initial access to systems and carry out their malicious activities [121090]. Additionally, the hackers have created new user accounts on compromised networks, mimicking existing accounts to maintain access and further infiltrate the systems [121090].
(b) The software failure incident is non-malicious in the sense that the vulnerabilities exploited by the hackers were not intentionally introduced by the software developers or system administrators. The identified vulnerabilities in Microsoft Exchange and Fortinet's FortiOS had been patched, but not all users had installed the updates, leaving systems vulnerable to exploitation [121090]. The incident highlights the importance of timely patching and updating software to prevent malicious actors from taking advantage of known vulnerabilities. |
Intent (Poor/Accidental Decisions) |
poor_decisions |
(a) The intent of the software failure incident:
- The software failure incident described in the articles is primarily due to poor decisions made by Iranian government-sponsored APT actors. These actors are actively exploiting known vulnerabilities in enterprise products from Microsoft and Fortinet to target critical infrastructure sectors in the US, UK, and Australia [121090].
- The hackers are exploiting vulnerabilities in Microsoft Exchange and Fortinet’s FortiOS, even though patches for these vulnerabilities have been available. The failure to install these updates by some users has allowed the hackers to gain initial access to systems and carry out follow-on operations, including deploying ransomware [121090].
- The hackers have been observed creating new user accounts on compromised networks, some of which mimic existing accounts to avoid detection. This indicates a deliberate and strategic approach by the hackers to maintain access and carry out malicious activities within the compromised systems [121090]. |
Capability (Incompetence/Accidental) |
accidental |
(a) The software failure incident reported in the articles is not related to development incompetence. It is primarily about Iranian government hackers exploiting known vulnerabilities in enterprise products from Microsoft and Fortinet to target critical infrastructure sectors in the US and Australia [121090].
(b) The software failure incident reported in the articles is related to accidental factors, such as the exploitation of vulnerabilities in Microsoft Exchange and Fortinet's FortiOS by Iranian government-sponsored APT actors. These actors are exploiting known vulnerabilities across a broad range of sectors and organizations rather than targeting specific sectors, and are initiating follow-on operations such as deploying ransomware [121090]. |
Duration |
temporary |
The software failure incident described in the articles is temporary. The incident involves Iranian government hackers exploiting vulnerabilities in enterprise products from Microsoft and Fortinet to gain access to systems and initiate follow-on operations, including deploying ransomware [121090]. The vulnerabilities have been patched, but not everyone has installed the updates, so the failure caused by exploiting these known vulnerabilities is temporary. |
Behaviour |
crash, value, other |
(a) crash: The software failure incident described in the articles can be attributed to a crash. The hackers exploited vulnerabilities in Microsoft Exchange and Fortinet's FortiOS to gain initial access to systems, followed by deploying ransomware and initiating follow-on operations [121090].
(b) omission: There is no specific mention of the software failure incident being due to the system omitting to perform its intended functions at one or more instances.
(c) timing: The failure is not related to the system performing its intended functions correctly but too late or too early.
(d) value: The software failure incident is related to the system performing its intended functions incorrectly, as the hackers exploited vulnerabilities to gain unauthorized access and deploy ransomware [121090].
(e) byzantine: The behavior of the software failure incident does not align with the definition of a byzantine failure.
(f) other: The other behavior observed in this software failure incident is unauthorized access and deployment of ransomware by exploiting known vulnerabilities in Microsoft Exchange and Fortinet's FortiOS [121090]. |