
Iranian Hackers Use Brute Force in Critical Infrastructure Attacks – Source: www.securityweek.com


Source: www.securityweek.com – Author: Ionut Arghire

Iranian state-sponsored threat actors have been using brute force and other techniques in attacks targeting critical infrastructure organizations, government agencies in the US, Australia, and Canada warn in a joint advisory.

Since October 2023, Iranian threat groups have been observed relying on password spraying, multi-factor authentication (MFA) ‘push bombing’, and other techniques to hack into user accounts and compromise organizations, the US cybersecurity agency CISA, the FBI, the NSA, Canada’s CSE, and Australia’s AFP and ACSC say.

The attacks targeted organizations in the energy, engineering, government, healthcare and public health (HPH), and information technology sectors to obtain credentials, modify MFA registrations for persistent access, and perform network discovery to steal additional credentials and information.

“The authoring agencies assess that the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity,” reads the joint advisory (PDF), which details tactics, techniques, and procedures (TTPs), and indicators of compromise (IoCs).

Prior to gaining persistent access to the targeted networks, the threat actors likely gather information on their victims. Following initial compromise, they perform further reconnaissance to harvest credentials, escalate their privileges, discover systems on the network, and move laterally.

“The actors use valid user and group email accounts, frequently obtained via brute force such as password spraying although other times via unknown methods, to obtain initial access to Microsoft 365, Azure, and Citrix systems,” the advisory reads.

If push notification-based MFA is enabled, the attackers bombard the user with MFA prompts until one is approved, a tactic also known as MFA fatigue. Once inside the account, they register their own device as an MFA method so that access survives a later password change; new MFA registrations are therefore a signal worth alerting on in their own right.

In two confirmed attacks, the actors took advantage of a compromised user's still-open MFA registration to enroll their own device. In another, a self-service password reset tool exposed by a public-facing Active Directory Federation Services (AD FS) deployment was used to reset passwords on accounts that had no MFA and then to enroll those accounts in MFA through Okta.


“The actors frequently conduct their activity using a virtual private network (VPN) service. Several of the IP addresses in the actors’ malicious activity originate from exit nodes tied to the Private Internet Access VPN service,” the advisory notes.

The attackers were seen using Remote Desktop Protocol (RDP) for lateral movement, employing open source tools for reconnaissance and credential harvesting, and impersonating the domain controller, likely by exploiting the critical ZeroLogon vulnerability (CVE-2020-1472), the Netlogon elevation-of-privilege flaw Microsoft patched in August 2020.

“In a couple instances, while logged in to victim accounts, the actors downloaded files related to gaining remote access to the organization and to the organization’s inventory, likely exfiltrating the files to further persist in the victim network or to sell the information online,” the advisory reads.

Organizations are advised to review authentication logs for signs of this activity: bursts of failed authentication attempts indicating brute force or password spraying, suspicious logins, a single IP address authenticating to many accounts, logins for one account from IPs separated by a distance that rules out travel in the elapsed time ("impossible travel"), suspicious MFA registrations, suspicious privileged account use, unusual activity in dormant accounts, unusual user agent strings, and credential dumping attempts.
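The log-review items above translate into a few simple heuristics. As an added example (not code from SecurityWeek or from the advisory), the following Python runs three of them over a constructed set of sign-in events: password spraying (one source IP failing against many accounts in a short window), MFA push bombing (a run of denied or timed-out pushes ending in an approval), and an MFA method registration shortly after the first successful sign-in from a previously unseen IP. The field names, thresholds, usernames and IP addresses are assumptions for the illustration, not the advisory's indicators of compromise.

```python
"""Added example: three detection heuristics for the log-review items in the
advisory, run over a constructed event list (not real logs, not advisory IoCs).
Field names, thresholds and addresses are assumptions for the illustration."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, user, ip, kind="signin", result="failure", mfa="none"):
    """Build one event; 'mfa' records the push outcome for sign-in events."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "kind": kind, "result": result, "mfa": mfa}


# Constructed sample, loosely modelled on cloud identity sign-in logs.
EVENTS = [
    # Baseline: bob's normal activity from his usual address (TEST-NET-2).
    ev("2024-10-01T08:00:00", "bob", "198.51.100.7", result="success", mfa="approved"),
    ev("2024-10-03T08:05:00", "bob", "198.51.100.7", result="success", mfa="approved"),
    ev("2024-10-03T08:06:00", "bob", "198.51.100.7", kind="mfa_register", result="success"),
    # Spray: one address, one guess each against many accounts within minutes (TEST-NET-3).
    ev("2024-10-03T02:00:00", "alice", "203.0.113.5"),
    ev("2024-10-03T02:00:20", "bob", "203.0.113.5"),
    ev("2024-10-03T02:00:40", "carol", "203.0.113.5"),
    ev("2024-10-03T02:01:00", "dave", "203.0.113.5"),
    ev("2024-10-03T02:01:20", "erin", "203.0.113.5"),
    ev("2024-10-03T02:01:40", "frank", "203.0.113.5"),
    # The guessed password works for alice; pushes are sent until she approves one.
    ev("2024-10-03T02:10:00", "alice", "203.0.113.5", mfa="denied"),
    ev("2024-10-03T02:10:30", "alice", "203.0.113.5", mfa="timeout"),
    ev("2024-10-03T02:11:00", "alice", "203.0.113.5", mfa="denied"),
    ev("2024-10-03T02:12:00", "alice", "203.0.113.5", result="success", mfa="approved"),
    # A new MFA method is enrolled minutes after the first success from that address.
    ev("2024-10-03T02:15:00", "alice", "203.0.113.5", kind="mfa_register", result="success"),
]


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Source IPs with failed sign-ins against >= min_users distinct accounts in one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "signin" and e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):  # slide the window over the failures
            users = {x["user"] for x in fails[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def detect_push_bombing(events, window=timedelta(minutes=15), min_rejected=3):
    """Users with >= min_rejected denied/timed-out pushes followed by an approval."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "signin" and e["mfa"] in ("denied", "timeout", "approved"):
            by_user[e["user"]].append(e)
    hits = {}
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        for i, e in enumerate(pushes):
            if e["mfa"] != "approved":
                continue
            rejected = [x for x in pushes[:i]
                        if x["mfa"] != "approved" and e["ts"] - x["ts"] <= window]
            if len(rejected) >= min_rejected:
                hits[user] = {"rejected_before_approval": len(rejected),
                              "approved_at": e["ts"].isoformat(), "ip": e["ip"]}
                break
    return hits


def detect_suspicious_mfa_registration(events, window=timedelta(hours=1)):
    """MFA registrations within 'window' of the first success from an IP unseen for that user.

    The baseline of known IPs is built from the events themselves; in practice seed it
    from a longer history so a user's usual address is not treated as new."""
    known_ips = defaultdict(set)   # user -> IPs with a prior successful sign-in
    first_seen_success = {}        # user -> (ts, ip) of latest success from an unseen IP
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "signin" and e["result"] == "success":
            if e["ip"] not in known_ips[e["user"]]:
                first_seen_success[e["user"]] = (e["ts"], e["ip"])
            known_ips[e["user"]].add(e["ip"])
        elif e["kind"] == "mfa_register":
            prior = first_seen_success.get(e["user"])
            if prior and e["ts"] - prior[0] <= window:
                hits.append({"user": e["user"], "registered_at": e["ts"].isoformat(),
                             "source_ip": e["ip"], "after_first_success_from": prior[1]})
    return hits


def run_all(events):
    return {"password_spray": detect_password_spray(events),
            "push_bombing": detect_push_bombing(events),
            "mfa_registration": detect_suspicious_mfa_registration(events)}


if __name__ == "__main__":
    for name, result in run_all(EVENTS).items():
        print(name, result)
```

Only the alice chain trips all three detectors; bob's same-IP sign-in followed by an MFA registration is not flagged, because his address already had a successful history. The thresholds are starting points: tune the spray window and account count to the tenant's size, and treat a single hit as a lead to correlate with the source IP's other activity rather than a verdict.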

To prevent attacks, organizations should review IT helpdesk password management practices, avoid common passwords, disable accounts for former employees, implement phishing-resistant MFA, review MFA settings (including who may register new methods and under what conditions), provide cybersecurity training to users, implement strong password policies, and validate security programs against the MITRE ATT&CK for Enterprise framework.


Original Post URL: https://www.securityweek.com/iranian-hackers-use-brute-force-in-critical-infrastructure-attacks/

Category & Tags: Nation-State, brute force, Iran
