Iranian Threat Actors Target Critical Infrastructure Organizations with Brute Forcing

Lore Apostol

  • CISA, the FBI, and partner agencies have published a cybersecurity advisory warning of Iranian hackers attacking critical infrastructure organizations.
  • The attackers target the healthcare, government, IT, energy, and engineering sectors with brute forcing and credential access techniques.
  • Concern over state-sponsored Iranian hackers keeps growing, as the actors remain relentless.

A joint Cybersecurity Advisory warns of Iranian cyber actors employing brute force and credential access techniques to compromise organizations across multiple critical infrastructure sectors, such as healthcare and public health (HPH), government, information technology, engineering, and energy.

The advisory comes from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC).

Across those sectors, the state-sponsored Iranian actors aim to acquire credentials and network information, which they subsequently sell on cybercriminal forums.

This activity has been observed since October 2023, with the attackers using password spraying and multifactor authentication (MFA) 'push bombing' to breach user accounts.

After gaining initial access, the attackers modify MFA registrations to maintain persistent access. They conduct reconnaissance operations to gather victim identity information, facilitating further network infiltration.

The key techniques are brute force attacks, such as password spraying, and MFA fatigue (push bombing), in which repeated MFA requests are sent to legitimate users in the hope that one is approved.

Remote Desktop Protocol (RDP) was used for lateral movement, and the hackers exploited Microsoft 365, Azure, and Citrix systems.

Critical infrastructure organizations are urged to implement measures such as strong passwords for all accounts, registering a second form of authentication, and monitoring for suspicious activity, including unauthorized MFA changes and unexpected network traffic. Limiting and monitoring the use of VPN services that can obscure malicious activity is also advised.
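The two detections the advisory recommends, spotting a password spray and catching an MFA registration that follows it, can be expressed as simple correlation rules over sign-in logs. The following is an added example written for this article, not code from the advisory or any vendor: the flat event schema (`ts`, `user`, `src`, `event`, `result`) and the sample events are constructed for illustration, and the thresholds are assumptions a team would tune to its own baseline.

```python
"""Detect password spraying and post-compromise MFA registration in sign-in logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical flat sign-in log format (not a real product's schema).
SAMPLE_EVENTS = [
    # One source fails once against many accounts within seconds: the spray pattern.
    {"ts": "2024-10-16T08:00:01", "user": "alice", "src": "203.0.113.7", "event": "login", "result": "failure"},
    {"ts": "2024-10-16T08:00:09", "user": "bob", "src": "203.0.113.7", "event": "login", "result": "failure"},
    {"ts": "2024-10-16T08:00:17", "user": "carol", "src": "203.0.113.7", "event": "login", "result": "failure"},
    {"ts": "2024-10-16T08:00:25", "user": "dave", "src": "203.0.113.7", "event": "login", "result": "failure"},
    {"ts": "2024-10-16T08:00:33", "user": "erin", "src": "203.0.113.7", "event": "login", "result": "failure"},
    {"ts": "2024-10-16T08:00:41", "user": "frank", "src": "203.0.113.7", "event": "login", "result": "success"},
    # The same source then enrolls a new MFA method on the account it got into.
    {"ts": "2024-10-16T08:12:00", "user": "frank", "src": "203.0.113.7", "event": "mfa_register", "result": "success"},
    # Benign: one user mistypes a password twice from the office, then succeeds.
    {"ts": "2024-10-16T09:00:00", "user": "alice", "src": "198.51.100.4", "event": "login", "result": "failure"},
    {"ts": "2024-10-16T09:00:20", "user": "alice", "src": "198.51.100.4", "event": "login", "result": "failure"},
    {"ts": "2024-10-16T09:00:40", "user": "alice", "src": "198.51.100.4", "event": "login", "result": "success"},
    # Benign: MFA registration with no preceding spray from that source.
    {"ts": "2024-10-16T09:30:00", "user": "alice", "src": "198.51.100.4", "event": "mfa_register", "result": "success"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Return {source_ip: [users]} for sources whose failures hit many accounts with few tries each.

    A spray is the inverse of a classic brute force: many users, low volume per user, so that
    per-account lockout thresholds are never reached. A sliding window is run over each source's
    failed logins; the source is flagged if any window holds at least min_accounts distinct users
    and no single user received more than max_per_account failures.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "failure":
            failures[e["src"]].append((_ts(e), e["user"]))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            per_user = defaultdict(int)
            for t, user in attempts[i:]:
                if t - start <= window:
                    per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[src] = sorted(per_user)
                break
    return flagged


def detect_mfa_change_after_spray(events, spray_sources, window=timedelta(hours=1)):
    """Return (user, src, ts) for MFA registrations from a spraying source soon after a login success.

    This is the persistence step described in the advisory: once one password lands, the actor
    enrolls its own MFA method so the stolen credential keeps working. Only registrations from a
    source already flagged as spraying, within `window` of that source's successful login to the
    same account, are reported.
    """
    successes = [(_ts(e), e["user"], e["src"]) for e in events
                 if e["event"] == "login" and e["result"] == "success" and e["src"] in spray_sources]
    hits = []
    for e in events:
        if e["event"] != "mfa_register" or e["src"] not in spray_sources:
            continue
        t = _ts(e)
        if any(u == e["user"] and s == e["src"] and timedelta(0) <= t - st <= window
               for st, u, s in successes):
            hits.append((e["user"], e["src"], e["ts"]))
    return hits


if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_EVENTS)
    print("spraying sources:", sprays)
    print("MFA registrations after spray:", detect_mfa_change_after_spray(SAMPLE_EVENTS, sprays))
```

Running the block flags `203.0.113.7` as a spraying source (five accounts, one failure each) and reports the MFA registration for `frank` from that source eleven minutes after its successful login; the office source with two failures against a single account is not flagged. The second rule deliberately keys on a source already identified by the first, which keeps routine MFA enrollments from the help desk out of the alert queue.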

This month, CISA and the FBI’s joint effort to bolster the security of U.S. democratic institutions resulted in the release of a crucial fact sheet that details the ongoing threats from cyber actors linked to Iran's Islamic Revolutionary Guard Corps (IRGC) and provides actionable steps to mitigate their impact.
