A joint cybersecurity advisory warns about Iranian hackers using brute-force attacks to compromise critical infrastructure to obtain initial access for sale to other threat actors.
“The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals,” the advisory said.
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), Canada’s Communications Security Establishment (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) jointly authored the cybersecurity advisory.
Since October 2023, the hackers have targeted various critical infrastructure entities, including healthcare and public health (HPH), government, information technology, engineering, and energy sectors.
Iranian hackers brute force critical infrastructure to obtain access
Iranian hackers brute-force critical infrastructure using tactics such as password spraying and multifactor authentication (MFA) ‘push bombing’ to gain initial access.
“Sadly, password spraying remains a very viable attack method for many cybercriminals,” said Erich Kron, Security Awareness Advocate at KnowBe4. “Password spraying is simply the process of taking a known username, which is often just an email address, and pairing it with very common passwords using the tool to attempt automated logins.”
The attackers likely conduct extensive reconnaissance to identify potential targets before bombarding them with MFA requests to increase their chances of success.
By “bombarding users with mobile phone push notifications,” they hope the victims will accidentally approve the requests or disable notifications due to “MFA fatigue.”
“Push bombing is a tactic employed by threat actors that floods, or bombs, a user with MFA push notifications with the goal of manipulating the user into approving the request either unintentionally or out of annoyance,” explains Ray Carney, director of research, Tenable. “Phishing-resistant MFA is the best mechanism to prevent push bombing, but if that’s not an option, number matching – requiring users to enter a time-specific code from a company-approved identity system – is an acceptable backup. Many identity systems have number matching as a secondary feature.”
Discovery, persistence, lateral movement, and privilege escalation
The authoring agencies found that Iranian hackers also performed discovery on the host network to obtain other credentials for additional access.
In some cases, they modified MFA registrations to establish persistence, registered new devices, and added Okta MFA to accounts lacking two-factor authentication to consolidate their access.
They also used password reset tools to change expired login credentials and maintain control of the compromised accounts.
The Tehran-linked malicious actors target Microsoft 365, Azure, and Citrix systems to gain initial access and leverage Remote Desktop Protocol (RDP), Kerberos Service Principal Name (SPN), or Microsoft Active Directory for lateral movement, privilege escalation, and credential harvesting.
In one case, they exploited the unpatched Microsoft Netlogon privilege escalation vulnerability CVE-2020-1472 (Zerologon) to impersonate the domain controller and escalate privileges.
Iranian hackers act as initial access brokers
While Iranian hackers have previously targeted US critical infrastructure to disrupt operations, they now act as initial access brokers to enable other threat actors to compromise Western targets.
“The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity,” the advisory said.
However, the cybersecurity advisory did not explain whether Iranian hackers use their initial access to conduct malicious activity on the host network before selling it to other threat actors.
Nonetheless, it is not unusual for cybercriminals to monetize their initial access to compromised systems after achieving their objectives.
“With the publication of this advisory, it is clear that Iran’s cyber army is no longer interested in the ‘low and slow’ approach, but rather making a lot of noise to get ahead,” noted Gabrielle Hempel, Solutions Engineer at Exabeam.
Guidelines for protecting critical infrastructure from Iranian hackers
The joint cybersecurity advisory urges critical infrastructure operators to monitor for suspicious logins, such as changing usernames, logins from unlikely geographical locations (“impossible travel”), and unusual user agent strings and IP addresses.
System administrators should also investigate multiple account logins from the same IP address and MFA registrations from unusual locales or unfamiliar devices.
Additionally, processes or command line arguments suggesting credential dumping with access to the “ntds.dit” file could be tell-tale signs of Iranian hackers’ activity.
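As an added illustration (not code from the advisory or this article), the following Python applies three of these monitoring checks to a constructed batch of sign-in events: many distinct accounts tried from one source IP (password spraying), successful logins from two countries too close together (impossible travel), and a burst of MFA pushes to one user (push bombing). The event field names, sample values and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events for illustration (not from the advisory); ts is UTC ISO 8601.
EVENTS = [
    {"ts": "2024-10-16T08:30:00", "user": "dave", "src_ip": "198.51.100.4", "country": "US", "action": "login", "result": "success"},
    {"ts": "2024-10-16T09:00:00", "user": "alice", "src_ip": "203.0.113.7", "country": "NL", "action": "login", "result": "failure"},
    {"ts": "2024-10-16T09:00:02", "user": "bob", "src_ip": "203.0.113.7", "country": "NL", "action": "login", "result": "failure"},
    {"ts": "2024-10-16T09:00:04", "user": "carol", "src_ip": "203.0.113.7", "country": "NL", "action": "login", "result": "failure"},
    {"ts": "2024-10-16T09:00:06", "user": "dave", "src_ip": "203.0.113.7", "country": "NL", "action": "login", "result": "success"},
    {"ts": "2024-10-16T09:01:00", "user": "dave", "src_ip": "203.0.113.7", "country": "NL", "action": "mfa_push", "result": "denied"},
    {"ts": "2024-10-16T09:01:20", "user": "dave", "src_ip": "203.0.113.7", "country": "NL", "action": "mfa_push", "result": "denied"},
    {"ts": "2024-10-16T09:01:40", "user": "dave", "src_ip": "203.0.113.7", "country": "NL", "action": "mfa_push", "result": "approved"},
    {"ts": "2024-10-16T10:00:00", "user": "erin", "src_ip": "192.0.2.9", "country": "US", "action": "login", "result": "success"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def _group(events, action, key, result=None):
    """Bucket events of one action type (optionally one result) by the given field."""
    groups = defaultdict(list)
    for e in events:
        if e["action"] == action and result in (None, e["result"]):
            groups[e[key]].append(e)
    return groups

def spraying_ips(events, min_users=3):
    """Source IPs that attempted logins to at least min_users distinct accounts."""
    by_ip = _group(events, "login", "src_ip")
    return sorted(ip for ip, evs in by_ip.items() if len({e["user"] for e in evs}) >= min_users)

def impossible_travel(events, min_gap=timedelta(hours=2)):
    """Users with consecutive successful logins from different countries less than min_gap apart."""
    flagged = set()
    for user, evs in _group(events, "login", "user", "success").items():
        evs.sort(key=_ts)
        for a, b in zip(evs, evs[1:]):
            if a["country"] != b["country"] and _ts(b) - _ts(a) < min_gap:
                flagged.add(user)
    return sorted(flagged)

def push_bombed(events, min_pushes=3, window=timedelta(minutes=5)):
    """Users who received min_pushes or more MFA pushes inside one sliding window."""
    flagged = set()
    for user, evs in _group(events, "mfa_push", "user").items():
        ts = sorted(_ts(e) for e in evs)
        if any(ts[i + min_pushes - 1] - ts[i] <= window for i in range(len(ts) - min_pushes + 1)):
            flagged.add(user)
    return sorted(flagged)
```

In the sample data the spraying IP, the impossible-travel user and the push-bombed user are the same chain of events, which is the sequence the advisory describes: spray, land one valid password, then bomb that account with pushes.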
Critical infrastructure organizations should also conduct employee security awareness training and implement password policies aligned with the NIST Digital Identity Guidelines.
Similarly, disabling RC4 for Kerberos authentication, implementing phishing-resistant MFA, and reviewing MFA settings for all internet-facing protocols would help prevent Iranian hackers from gaining initial access.
“The escalating tensions globally indicate that Iran’s cyber activity could be closer to cyber warfare than just for-profit cybercrime. It would not be surprising to see the two converge in the near future,” concluded Hempel.