Iran-linked actors target critical infrastructure organizations

U.S. and allies warn of attacks from Iran-linked actors targeting critical infrastructure through brute-force attacks in a year-long campaign.

Intelligence and cybersecurity agencies from the U.S., Australia, and Canada, warn about a year-long campaign carried out by Iran-linked threat actors to break into critical infrastructure organizations via brute force and password spraying attacks.

The attacks have gone on since at least October 2023, Iran-linked threat actors attempted to hack user accounts and obtain access to organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.

“The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) are releasing this joint Cybersecurity Advisory to warn network defenders of Iranian cyber actors’ use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.” reads the joint report published by the US CISA.. “The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals.”

The Iranian hackers also relied on multi-factor authentication (MFA) prompt bombing to break into target networks.

Multi-factor authentication (MFA) prompt bombing is an attack technique where a threat actor repeatedly sends MFA push notifications to the victim’s device, such as a smartphone or computer, in an attempt to overwhelm or annoy the user into approving one of the requests.

In this scenario, the attacker typically has the victim’s username and password and initiates a login attempt that triggers an MFA request. If the victim gets bombarded with these requests, they might unintentionally or out of frustration approve one, giving the attacker access to the account.

The attackers modified MFA registrations to maintain persistent access, conducted network discovery, and obtained credentials to expand their access within compromised systems.

The attackers use valid user and group email accounts, often obtained via brute force attacks to obtain initial access to Microsoft 365, Azure, and Citrix systems.

Once Iranian threat actors gain access to an account, they register their own devices with MFA to maintain access. In confirmed cases, they exploited open MFA registration or used a password reset tool to reset passwords on compromised accounts, enabling MFA through Okta for accounts without it. They often perform these activities via a virtual private network (VPN) to mask their location.

The Iran-linked actors use Remote Desktop Protocol (RDP) for lateral movement. The government experts also observed in one instance, the attackers using Microsoft Word to open PowerShell to launch the RDP binary mstsc.exe.

Iranian actors also used, at least in one instance, msedge.exe to connect to Cobalt Strike Beacon for command and control. They exfiltrated files related to remote access and organizational inventory, likely to maintain persistence or sell the data online.

To detect brute force activity, review authentication logs for repeated login failures of valid accounts. The joint report includes recommendations to detect the use of compromised credentials in combination with virtual infrastructure.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Iran-linked actors)