Iranian Threat Actors Targeting Critical Infrastructure Entities Using Brute Force Tactics
Healthcare and public health (HPH) and other critical infrastructure sectors have been warned that Iranian cyber actors are using brute force tactics for initial access in targeted attacks on critical infrastructure entities in the United States. The cybersecurity advisory was issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).
Since October 2023, the authoring agencies have observed Iranian cyber actors using brute force tactics such as password spraying and multifactor authentication (MFA) push bombing to obtain credentials and information that allow them to move deeper into networks, obtain additional credentials, escalate privileges, and achieve persistence. Password spraying is the use of commonly used and default passwords to attempt access to accounts; in the case of the Iranian cyber actors, Microsoft 365, Azure, and Citrix systems are targeted.
If push notification-based MFA has been enabled, the threat actors use push bombing, where users are bombarded with push notifications in the hope that they accidentally approve the request or get frustrated and approve the request to get the notifications to stop. If access is gained, the threat actors register their own devices to receive MFA requests to ensure continued access to the compromised account.
On multiple occasions, the threat actors used a compromised user’s open registration for MFA to register their own device, and in one attack they used a self-service password reset tool associated with a public-facing Active Directory Federation Service (ADFS) to reset accounts with expired passwords, then registered MFA through Okta for compromised accounts that did not already have MFA enabled. They have been observed using Remote Desktop Protocol for lateral movement and living-off-the-land techniques to gather information about the targeted system and internal networks. Access to compromised networks is likely sold to cybercriminal groups.
The cybersecurity advisory includes several recommendations for detecting brute force activity. These include monitoring logs for ‘impossible logins’, such as IP addresses that do not align with the user’s expected geographical location, logins from multiple IP addresses where travel between the locations would not be possible in the time between the logins, and unusual user agent strings that are not typically associated with normal user activity. Another sign of potential compromise or an attack in progress is MFA registration in unexpected locales or from unfamiliar devices, which should be monitored closely. Processes and program execution command-line arguments indicative of credential dumping should also be monitored, as should suspicious use of privileged accounts after a password reset and unusual activity in dormant accounts.
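As an added illustration of two of these detection signals (not code from the advisory or the authoring agencies), the following Python checks constructed sign-in records for impossible travel between a user's logins and for a single source IP failing against many accounts, the pattern of a password spray. The record layout, coordinates, IP addresses and thresholds are assumptions.

```python
# Added example: detection logic for two indicators named in the advisory,
# "impossible travel" between a user's logins and password spraying
# (one source IP failing against many accounts). All records are constructed.
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records: (user, UTC timestamp, source IP, lat, lon, result)
EVENTS = [
    ("alice", "2024-01-10T09:00:00", "203.0.113.5", 38.9, -77.0, "success"),
    ("alice", "2024-01-10T10:30:00", "198.51.100.7", 35.7, 51.4, "success"),
    ("bob",   "2024-01-10T09:05:00", "192.0.2.9", 40.7, -74.0, "failure"),
    ("carol", "2024-01-10T09:06:00", "192.0.2.9", 40.7, -74.0, "failure"),
    ("dave",  "2024-01-10T09:07:00", "192.0.2.9", 40.7, -74.0, "failure"),
    ("erin",  "2024-01-10T09:08:00", "192.0.2.9", 40.7, -74.0, "failure"),
    ("bob",   "2024-01-10T11:00:00", "192.0.2.10", 40.7, -74.0, "success"),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive successful logins by one user that would require travel
    faster than an airliner. Returns a list of (user, ip_from, ip_to, km/h)."""
    by_user = defaultdict(list)
    for user, ts, ip, lat, lon, result in events:
        if result == "success":
            by_user[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()  # chronological order per user
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(logins, logins[1:]):
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 3600)  # floor at 1 s
            speed = haversine_km(la1, lo1, la2, lo2) / hours
            if speed > max_speed_kmh:
                alerts.append((user, ip1, ip2, round(speed)))
    return alerts

def password_spray_sources(events, min_accounts=3):
    """Flag source IPs with failed logins against many distinct accounts, the
    signature of a spray rather than one user mistyping a password."""
    failed = defaultdict(set)
    for user, _, ip, _, _, result in events:
        if result == "failure":
            failed[ip].add(user)
    return {ip: sorted(u) for ip, u in failed.items() if len(u) >= min_accounts}
```

Both functions are intended to run over exported sign-in logs; the spray check should be combined with a time window in production so that a long-lived NAT address is not flagged for ordinary failures.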
The authoring agencies suggest several mitigations, including disabling unused user accounts, reviewing procedures for password resets and user lockouts, implementing phishing-resistant MFA rather than push notification-based MFA, changing all default passwords and following the latest NIST password advice, and providing basic cybersecurity training to all users, including the detection of unsuccessful login attempts, denying MFA requests that are not user-generated, and ensuring that MFA is set up appropriately.