Iranian cyber actors are targeting organizations across critical infrastructure sectors, using brute force techniques to obtain user credentials and sell sensitive information on cybercriminal forums. The attacks have affected healthcare, government, information technology, engineering, and energy sectors.
This was announced in a coordinated alert by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Communications Security Establishment Canada (CSE), Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).
Attack Patterns and Techniques
Since October 2023, Iranian threat actors have been leveraging brute force attacks, such as password spraying, and manipulating multifactor authentication (MFA) systems through “push bombing” tactics. By bombarding users with MFA requests, attackers trick them into granting access.
Once access is gained, attackers persist by modifying MFA settings and performing network discovery to collect additional credentials and information. This compromised data is then sold, facilitating further malicious activities by cybercriminals.
Methods of Compromise
The advisory details various tactics employed by the attackers. For initial access, the actors often use compromised accounts to infiltrate platforms like Microsoft 365, Azure, and Citrix. They exploit MFA vulnerabilities, including registering their own devices on compromised accounts, to maintain persistent access.
The advisory notes that some attackers also use self-service password reset (SSPR) tools to reset expired passwords, enabling MFA enrollment under their control.
The malefactors also use virtual private networks (VPNs) to mask their activity, complicating detection. Threat actors gather credentials and manipulate network resources by using tools like Remote Desktop Protocol (RDP) for lateral movement and employing methods like Kerberos Service Principal Name (SPN) enumeration. In one incident, the actors leveraged a Microsoft Netlogon vulnerability (CVE-2020-1472) to escalate privileges within a targeted network.
Recommended Mitigations
To counteract these attacks, agencies advise implementing various cybersecurity measures:
- Strengthen Password Policies: Use strong, unique passwords, avoid common passwords, and enforce password reset policies.
- Implement Phishing-Resistant MFA: Employ MFA solutions resistant to phishing techniques, like push notifications.
- Monitor for Suspicious Activity: Regularly review login attempts and look for anomalies such as “impossible travel,” – where logins are detected from geographically distant locations in an unrealistic timeframe.
- Secure Access for Departing Employees: To prevent unauthorized access, disable accounts and access points for employees who leave the organization.
- Cybersecurity Training: Train users on recognizing suspicious login attempts and encourage them to deny unexpected MFA requests.
These steps align with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs), a subset of cybersecurity practices that offer high-impact security outcomes, especially for small- and medium-sized entities.
Strengthening Software Security
The advisory emphasizes the importance of “secure by design” principles for software developers. By integrating security-focused features, software manufacturers can help mitigate risks associated with compromised credentials. For further guidance, organizations are encouraged to review resources like CISA’s Secure by Design webpage.
Threat Detection and Response
Organizations should regularly test and validate their security controls against tactics described in the MITRE ATT&CK framework, which details the Iranian actors’ methodologies. Reviewing authentication logs, monitoring for unusual patterns, and validating the effectiveness of MFA settings are essential for the early detection of such cyber threats.
As threats to critical infrastructure evolve, the collective efforts of global agencies highlight the importance of proactive cybersecurity measures to mitigate the risks posed by state-sponsored threat actors.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.