Iranian cyber actors are targeting organizations across critical infrastructure sectors, using brute force techniques to obtain user credentials and sell sensitive information on cybercriminal forums. The attacks have affected healthcare, government, information technology, engineering, and energy sectors.
This was announced in a coordinated alert by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Communications Security Establishment Canada (CSE), Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).
Attack Patterns and Techniques
Since October 2023, Iranian threat actors have been leveraging brute force attacks, such as password spraying, and manipulating multifactor authentication (MFA) systems through “push bombing” tactics. By bombarding users with MFA requests, attackers trick them into granting access.
Once access is gained, attackers persist by modifying MFA settings and performing network discovery to collect additional credentials and information. This compromised data is then sold, facilitating further malicious activities by cybercriminals.
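The two initial-access techniques described above leave distinct traces in sign-in telemetry: a spray is one source failing against many accounts, and push bombing is many MFA prompts to one account in a short span. The following is an added example, not code from the advisory or the agencies that issued it; the event format, the sample events, and the thresholds (five accounts in ten minutes, four prompts in five minutes) are constructed assumptions that a defender would tune to their own environment.

```python
"""Detect password spraying and MFA push bombing in sign-in events.

Added example for this article; the log format is constructed (loosely
modelled on cloud sign-in logs) and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, source_ip, result)
# result is "fail"/"success" for a password check, "mfa_prompt" for a push sent.
SAMPLE_EVENTS = [
    # one address failing against five different accounts within four minutes
    ("2023-10-12T08:00:01", "alice", "203.0.113.7", "fail"),
    ("2023-10-12T08:01:00", "bob",   "203.0.113.7", "fail"),
    ("2023-10-12T08:02:00", "carol", "203.0.113.7", "fail"),
    ("2023-10-12T08:03:00", "dave",  "203.0.113.7", "fail"),
    ("2023-10-12T08:04:00", "erin",  "203.0.113.7", "fail"),
    # a user mistyping her own password: one account, not a spray
    ("2023-10-12T08:10:00", "alice", "198.51.100.5", "fail"),
    ("2023-10-12T08:10:30", "alice", "198.51.100.5", "fail"),
    ("2023-10-12T08:11:00", "alice", "198.51.100.5", "success"),
    ("2023-10-12T08:11:05", "alice", "198.51.100.5", "mfa_prompt"),
    # push bombing: bob's password was guessed, then prompts repeat until approval
    ("2023-10-12T09:00:00", "bob", "203.0.113.7", "success"),
    ("2023-10-12T09:00:05", "bob", "203.0.113.7", "mfa_prompt"),
    ("2023-10-12T09:00:40", "bob", "203.0.113.7", "mfa_prompt"),
    ("2023-10-12T09:01:20", "bob", "203.0.113.7", "mfa_prompt"),
    ("2023-10-12T09:02:00", "bob", "203.0.113.7", "mfa_prompt"),
    ("2023-10-12T09:02:45", "bob", "203.0.113.7", "mfa_prompt"),
]


def parse_events(rows):
    """Turn ISO timestamps into datetime objects; keep the other fields as-is."""
    return [(datetime.fromisoformat(ts), user, ip, result)
            for ts, user, ip, result in rows]


def _window_hits(stamps, window, threshold, key=None):
    """Sliding window over sorted timestamps; True if any window holds
    >= threshold items (distinct by key if a key function is given)."""
    stamps.sort()
    start = 0
    for end in range(len(stamps)):
        while stamps[end][0] - stamps[start][0] > window:
            start += 1
        items = stamps[start:end + 1]
        count = len({key(i) for i in items}) if key else len(items)
        if count >= threshold:
            return True
    return False


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """One source IP failing against many distinct accounts within a window.
    Spraying tries a few common passwords across many users, so the signal
    is breadth of accounts, not depth of attempts per account."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "fail":
            by_ip[ip].append((ts, user))
    return [ip for ip, fails in by_ip.items()
            if _window_hits(fails, window, min_users, key=lambda f: f[1])]


def detect_push_bombing(events, window=timedelta(minutes=5), min_prompts=4):
    """Many MFA prompts to one user in a short window: the fatigue pattern."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "mfa_prompt":
            by_user[user].append((ts,))
    return [user for user, prompts in by_user.items()
            if _window_hits(prompts, window, min_prompts)]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("spray sources:", detect_password_spray(evts))
    print("push-bombed users:", detect_push_bombing(evts))
```

The spray detector deliberately counts distinct accounts rather than raw failures, so a single user locked out of their own account does not trigger it; the push detector keys on prompts, not on approvals, because the prompts are visible before the user gives in.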
Methods of Compromise
The advisory details various tactics employed by the attackers. For initial access, the actors often use compromised accounts to infiltrate platforms like Microsoft 365, Azure, and Citrix. They exploit MFA vulnerabilities, including registering their own devices on compromised accounts, to maintain persistent access.
The advisory notes that some attackers also use self-service password reset (SSPR) tools to reset expired passwords, enabling MFA enrollment under their control.
The malefactors also use virtual private networks (VPNs) to mask their activity, complicating detection. Threat actors gather credentials and manipulate network resources by using tools like Remote Desktop Protocol (RDP) for lateral movement and employing methods like Kerberos Service Principal Name (SPN) enumeration. In one incident, the actors leveraged a Microsoft Netlogon vulnerability (CVE-2020-1472) to escalate privileges within a targeted network.
Recommended Mitigations
To counteract these attacks, agencies advise implementing various cybersecurity measures:
- Strengthen Password Policies: Use strong, unique passwords, avoid common passwords, and enforce password reset policies.
- Implement Phishing-Resistant MFA: Employ MFA solutions that resist phishing techniques such as push bombing.
- Monitor for Suspicious Activity: Regularly review login attempts and look for anomalies such as “impossible travel,” where logins are detected from geographically distant locations in an unrealistic timeframe.
- Secure Access for Departing Employees: To prevent unauthorized access, disable accounts and access points for employees who leave the organization.
- Cybersecurity Training: Train users on recognizing suspicious login attempts and encourage them to deny unexpected MFA requests.
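The “impossible travel” check in the monitoring recommendation is a distance-over-time comparison between a user's consecutive successful sign-ins. The block below is an added example, not code from the advisory; the sign-in records, their coordinates, the 50 km same-area tolerance, and the 900 km/h ceiling (roughly airliner speed) are all constructed assumptions.

```python
"""Flag 'impossible travel' between a user's successive successful sign-ins.

Added example for this article, not code from the advisory. Sign-in records,
geolocations and the speed threshold are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


# Constructed successful sign-ins: (timestamp, user, city, lat, lon)
SAMPLE_SIGNINS = [
    ("2023-10-12T08:00:00", "alice", "Washington", 38.9, -77.0),
    ("2023-10-12T09:30:00", "alice", "Tehran", 35.7, 51.4),      # ~10,000 km in 1.5 h
    ("2023-10-12T08:00:00", "bob", "Ottawa", 45.4, -75.7),
    ("2023-10-12T16:00:00", "bob", "Toronto", 43.7, -79.4),       # ~350 km in 8 h
    ("2023-10-12T08:00:00", "carol", "Canberra", -35.3, 149.1),
    ("2023-10-12T08:00:10", "carol", "Canberra", -35.3, 149.1),   # same place
]


def find_impossible_travel(signins, max_speed_kmh=900.0, same_area_km=50.0):
    """Return (user, from_city, to_city, implied_speed_kmh) for consecutive
    sign-ins whose implied speed exceeds max_speed_kmh."""
    by_user = defaultdict(list)
    for ts, user, city, lat, lon in signins:
        by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))
    findings = []
    for user, rows in by_user.items():
        rows.sort()  # chronological order per user
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(rows, rows[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < same_area_km:
                continue  # geolocation jitter inside one metro area is not travel
            hours = (t2 - t1).total_seconds() / 3600
            # real distance in zero elapsed time is impossible by definition
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                findings.append((user, c1, c2, round(speed)))
    return findings


if __name__ == "__main__":
    for finding in find_impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", finding)
```

Geolocation of IP addresses is approximate, so the same-area tolerance matters: without it, two sign-ins a few seconds apart that geolocate to opposite ends of one city would produce noise. Corporate VPN egress points, which the advisory notes the actors also use to mask their location, are the usual source of false positives and are worth listing as known locations before acting on a hit.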
These steps align with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs), a subset of cybersecurity practices that offer high-impact security outcomes, especially for small- and medium-sized entities.
Strengthening Software Security
The advisory emphasizes the importance of “secure by design” principles for software developers. By integrating security-focused features, software manufacturers can help mitigate risks associated with compromised credentials. For further guidance, organizations are encouraged to review resources like CISA’s Secure by Design webpage.
Threat Detection and Response
Organizations should regularly test and validate their security controls against tactics described in the MITRE ATT&CK framework, which details the Iranian actors’ methodologies. Reviewing authentication logs, monitoring for unusual patterns, and validating the effectiveness of MFA settings are essential for the early detection of such cyber threats.
As threats to critical infrastructure evolve, the collective efforts of global agencies highlight the importance of proactive cybersecurity measures to mitigate the risks posed by state-sponsored threat actors.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.