Oct 18, 2024
Ravie Lakshmanan
Cyber Intelligence / Critical Infrastructure
Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have raised an alarm over a year-long campaign orchestrated by Iranian cyber operatives to breach critical infrastructure organizations using brute-force attacks.
According to a joint advisory issued by these agencies, Iranian actors have been using brute-force and password-spraying techniques since October 2023 to compromise user accounts and gain unauthorized access to organizations in the healthcare, government, information technology, engineering, and energy sectors.
The advisory was authored by the Australian Federal Police (AFP), the Australian Signals Directorate's Australian Cyber Security Centre (ACSC), the Communications Security Establishment Canada (CSE), the U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA).
Apart from brute force and password spraying, a notable tactic employed by the threat actors is multi-factor authentication (MFA) prompt bombing, also known as push bombing, to get past MFA and into targeted networks.
Ray Carney, director of research at Tenable, explained, “Push bombing involves flooding a user with MFA push notifications with the intention of manipulating the user into approving the request either unintentionally or out of annoyance. This tactic, also known as MFA fatigue, can be mitigated by implementing phishing-resistant MFA or utilizing number matching for additional security.”
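The two techniques described above (password spraying, then push bombing once a sprayed password works) leave a recognizable footprint in identity-provider sign-in logs. The following is an added example, not code from the advisory, the article, or any vendor: it runs two detections over constructed sample sign-in events and correlates them. The event field names (`ts`, `user`, `src_ip`, `result`, `mfa`) and the thresholds are assumptions chosen for the example; map them onto your IdP's sign-in log schema and tune them to your environment.

```python
"""Detection logic for password spraying and MFA push bombing (added example).

Password spraying: one source IP tries one or two passwords against many
distinct accounts in a short window, so per-account lockout never trips.
Push bombing: after a password succeeds, the actor fires repeated MFA push
prompts at one user until a prompt is approved.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Field names are assumptions.
# "result" is the password check outcome; "mfa" is the push-prompt outcome.
SAMPLE_EVENTS = [
    # Password spray: one IP, a single failed attempt per user across six users.
    {"ts": "2024-10-14T02:00:01", "user": "alice", "src_ip": "203.0.113.10", "result": "FAIL", "mfa": None},
    {"ts": "2024-10-14T02:00:09", "user": "bob",   "src_ip": "203.0.113.10", "result": "FAIL", "mfa": None},
    {"ts": "2024-10-14T02:00:17", "user": "carol", "src_ip": "203.0.113.10", "result": "FAIL", "mfa": None},
    {"ts": "2024-10-14T02:00:25", "user": "dave",  "src_ip": "203.0.113.10", "result": "FAIL", "mfa": None},
    {"ts": "2024-10-14T02:00:33", "user": "erin",  "src_ip": "203.0.113.10", "result": "FAIL", "mfa": None},
    {"ts": "2024-10-14T02:00:41", "user": "frank", "src_ip": "203.0.113.10", "result": "FAIL", "mfa": None},
    # Benign noise: a user mistypes twice from the usual address, then succeeds.
    {"ts": "2024-10-14T02:03:00", "user": "bob", "src_ip": "198.51.100.7", "result": "FAIL", "mfa": None},
    {"ts": "2024-10-14T02:03:20", "user": "bob", "src_ip": "198.51.100.7", "result": "FAIL", "mfa": None},
    {"ts": "2024-10-14T02:03:45", "user": "bob", "src_ip": "198.51.100.7", "result": "SUCCESS", "mfa": "APPROVED"},
    # Push bombing: the sprayed password worked for carol; the actor repeats the
    # push prompt every ~40 seconds until the sixth one is approved.
    {"ts": "2024-10-14T02:10:00", "user": "carol", "src_ip": "203.0.113.10", "result": "SUCCESS", "mfa": "DENIED"},
    {"ts": "2024-10-14T02:10:40", "user": "carol", "src_ip": "203.0.113.10", "result": "SUCCESS", "mfa": "TIMEOUT"},
    {"ts": "2024-10-14T02:11:20", "user": "carol", "src_ip": "203.0.113.10", "result": "SUCCESS", "mfa": "DENIED"},
    {"ts": "2024-10-14T02:12:00", "user": "carol", "src_ip": "203.0.113.10", "result": "SUCCESS", "mfa": "TIMEOUT"},
    {"ts": "2024-10-14T02:12:40", "user": "carol", "src_ip": "203.0.113.10", "result": "SUCCESS", "mfa": "DENIED"},
    {"ts": "2024-10-14T02:13:20", "user": "carol", "src_ip": "203.0.113.10", "result": "SUCCESS", "mfa": "APPROVED"},
]


def _ts(event):
    """Parse the event timestamp (ISO 8601, assumed UTC)."""
    return datetime.fromisoformat(event["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {src_ip: {...}} for source IPs whose password failures inside
    `window` touch at least `min_users` distinct accounts while no single
    account is tried more than `max_per_user` times (the low-and-slow
    pattern that stays under per-account lockout thresholds)."""
    failures = defaultdict(list)  # src_ip -> [(ts, user), ...] sorted by time
    for e in sorted(events, key=_ts):
        if e["result"] == "FAIL":
            failures[e["src_ip"]].append((_ts(e), e["user"]))
    alerts = {}
    for ip, fails in failures.items():
        for i, (start, _) in enumerate(fails):  # slide a window over each start
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[ip] = {"distinct_users": len(per_user), "window_start": start.isoformat()}
                break  # one alert per IP is enough
    return alerts


def detect_mfa_push_bombing(events, window=timedelta(minutes=5), min_prompts=5):
    """Return {user: {...}} for users who received at least `min_prompts` MFA
    push prompts inside `window`. An approval inside such a burst is the
    worst case: the user gave in, and the session should be treated as
    attacker-controlled."""
    prompts = defaultdict(list)  # user -> [(ts, outcome, src_ip), ...]
    for e in sorted(events, key=_ts):
        if e["mfa"] is not None:
            prompts[e["user"]].append((_ts(e), e["mfa"], e["src_ip"]))
    alerts = {}
    for user, ps in prompts.items():
        for i, (start, _, _) in enumerate(ps):
            burst = [p for p in ps[i:] if p[0] - start <= window]
            if len(burst) >= min_prompts:
                alerts[user] = {
                    "prompts": len(burst),
                    "approved_in_burst": any(p[1] == "APPROVED" for p in burst),
                    "src_ips": sorted({p[2] for p in burst}),
                }
                break
    return alerts


def correlate(spray_alerts, push_alerts):
    """Users push-bombed from an IP that was also spraying: the sprayed
    password worked and the actor moved on to MFA fatigue."""
    return sorted(u for u, a in push_alerts.items() if set(a["src_ips"]) & set(spray_alerts))


if __name__ == "__main__":
    spray = detect_password_spray(SAMPLE_EVENTS)
    push = detect_mfa_push_bombing(SAMPLE_EVENTS)
    print("password spray sources:", spray)
    print("push-bombed users:", push)
    print("sprayed password confirmed working for:", correlate(spray, push))
```

The spray detector deliberately keys on distinct accounts per source rather than failures per account, which is why bob's two mistyped passwords from his usual address do not alert while a single failure each across six accounts does. In production, the source key should also cover the ASN or the autonomous-system range, since the advisory's actors rotate addresses; and any user flagged with an approval inside a prompt burst should have sessions revoked and MFA re-registered, not just be notified.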
The ultimate objective of these attacks is to obtain credentials and information describing the victim's network, which can then be sold to other cybercriminals to facilitate access. Once inside, the actors conduct extensive reconnaissance, escalate privileges, move laterally, and establish persistence in the compromised environment.
The actors have also been observed using msedge.exe to establish outbound connections to Cobalt Strike command-and-control (C2) infrastructure. The credentials and network information gathered during reconnaissance are then offered for sale on cybercriminal forums for use in further malicious activity.
Recently, government agencies from the Five Eyes countries issued guidelines on common techniques used by threat actors to compromise Active Directory, emphasizing the need for heightened vigilance in safeguarding enterprise IT networks.
Recapping the changing threat landscape, Microsoft highlighted the evolving trend of nation-state hacking groups collaborating with cybercriminals to advance their strategic and financial interests.
According to Microsoft’s Digital Defense Report for 2024, threat actors are increasingly resorting to employing cybercriminals and commodity malware for intelligence gathering and reconnaissance activities, reflecting a growing convergence between state-sponsored espionage and traditional cybercrime.