
Iranian cyber actors compromise critical infrastructure through brute force and credential access tactics


Cybersecurity agencies around the world are on high alert as Iranian cyber actors continue to target critical infrastructure sectors using brute force techniques to compromise user credentials. The attacks, which have impacted industries such as healthcare, government, information technology, engineering, and energy, have raised concerns that sensitive information is being sold on cybercriminal forums.

A coordinated alert issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Communications Security Establishment Canada (CSE), Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) highlighted the severity of the situation.

Since October 2023, Iranian threat actors have been employing brute force attacks, including password spraying and manipulation of multifactor authentication (MFA) systems through “push bombing” tactics. These tactics allow attackers to gain unauthorized access and collect additional credentials and information, which are then sold on the dark web for further exploitation by cybercriminals.

The advisory issued by the agencies detailed several methods of compromise used by the attackers, including infiltrating platforms like Microsoft 365, Azure, and Citrix using compromised accounts and exploiting MFA vulnerabilities. Additionally, the threat actors use VPNs to mask their activities, making detection more challenging for organizations.

To counteract these attacks, the agencies recommend measures such as strengthening password policies, implementing phishing-resistant MFA solutions, monitoring for suspicious activity, securing access for departing employees, and providing cybersecurity training for users. These measures align with CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) and aim to enhance the security posture of organizations, especially small- and medium-sized entities.
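
As an added illustration of the "monitoring for suspicious activity" recommendation (not code from the advisory or from this article), the sketch below flags the two patterns named above, password spraying and MFA push bombing, in constructed sign-in events. The event fields, outcome labels and thresholds are assumptions, not any product's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (time, user, source IP, outcome); hypothetical labels, not a real schema.
SAMPLE_EVENTS = [
    ("2024-01-10T02:00:05", "alice", "203.0.113.7", "pwd_fail"),
    ("2024-01-10T02:00:09", "bob", "203.0.113.7", "pwd_fail"),
    ("2024-01-10T02:00:14", "carol", "203.0.113.7", "pwd_fail"),
    ("2024-01-10T02:00:20", "dave", "203.0.113.7", "pwd_ok"),
    ("2024-01-10T02:00:25", "dave", "203.0.113.7", "mfa_denied"),
    ("2024-01-10T02:01:10", "dave", "203.0.113.7", "mfa_denied"),
    ("2024-01-10T02:02:00", "dave", "203.0.113.7", "mfa_denied"),
    ("2024-01-10T02:03:30", "dave", "203.0.113.7", "mfa_approved"),
    ("2024-01-10T09:15:00", "erin", "198.51.100.4", "pwd_fail"),
    ("2024-01-10T09:15:20", "erin", "198.51.100.4", "pwd_ok"),
    ("2024-01-10T09:15:30", "erin", "198.51.100.4", "mfa_approved"),
]

def _parse(events):
    return sorted((datetime.fromisoformat(t), u, ip, o) for t, u, ip, o in events)

def detect_password_spray(events, min_users=3, window=timedelta(minutes=10)):
    """Source IPs with failed passwords for >= min_users distinct accounts in one window."""
    fails = defaultdict(list)
    for ts, user, ip, outcome in _parse(events):
        if outcome == "pwd_fail":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, rows in fails.items():
        for i, (start, _) in enumerate(rows):
            # Distinct accounts that failed within `window` of this failure.
            users = {u for ts, u in rows[i:] if ts - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def detect_push_bombing(events, min_denied=3, window=timedelta(minutes=10)):
    """Users who approved an MFA push after >= min_denied denied pushes in the window."""
    denied = defaultdict(list)
    flagged = []
    for ts, user, _ip, outcome in _parse(events):
        if outcome == "mfa_denied":
            denied[user].append(ts)
        elif outcome == "mfa_approved":
            recent = [d for d in denied[user] if ts - d <= window]
            if len(recent) >= min_denied:
                flagged.append(user)
            denied[user].clear()  # an approval resets the user's streak
    return flagged
```

Because the actors reportedly use VPNs, grouping by source IP alone can miss a spray spread across addresses; the per-user push check does not depend on source IP.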

The advisory also highlighted the importance of software security by design, encouraging software developers to integrate security-focused features to mitigate risks associated with compromised credentials. Furthermore, organizations were advised to regularly test and validate their security controls against tactics described in the MITRE ATT&CK framework to detect and respond to threats effectively.

As cyber threats to critical infrastructure continue to evolve, the collective efforts of global agencies emphasize the need for proactive cybersecurity measures to counter the risks posed by state-sponsored threat actors. By staying vigilant and implementing recommended mitigations, organizations can better protect their systems and data from malicious cyber activities.

