A recent cybersecurity advisory issued by CISA, FBI, NSA, and international partners has revealed alarming details about Iranian hackers targeting critical infrastructure organizations. These threat actors have been gaining unauthorized access to various sectors including healthcare, government, IT, engineering, and energy by employing brute force tactics and other sophisticated methods.
The attackers, as per the advisory, have been using password spraying, trying a small set of common passwords against many accounts, to gain initial access to networks. They have then used the valid accounts obtained through brute force to log in to Microsoft 365, Azure, and Citrix systems. In some cases, the hackers have defeated multi-factor authentication (MFA) by bombarding users with login requests until one is approved, a technique known as “MFA fatigue” or “push bombing”.
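Both initial-access techniques described above leave a distinctive shape in sign-in logs: a spray is one source failing against many different accounts with only one or two attempts each, and push bombing is one account receiving a burst of MFA prompts that are denied or time out, often followed by a single approval. The following is an added example, not code from the advisory or the article, that runs both detections over a constructed set of sign-in events; the field names (`ts`, `user`, `ip`, `pw`, `mfa`) and the thresholds are assumptions you would tune to your own identity provider's log schema and baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). "pw" is the password
# stage result, "mfa" the second-factor outcome (None when no prompt was sent).
SIGNIN_EVENTS = [
    # One source IP, one guess per account, across many accounts: a spray.
    {"ts": "2024-10-16T08:00:01", "user": "alice@example.org", "ip": "203.0.113.10", "pw": "bad", "mfa": None},
    {"ts": "2024-10-16T08:00:04", "user": "bob@example.org",   "ip": "203.0.113.10", "pw": "bad", "mfa": None},
    {"ts": "2024-10-16T08:00:09", "user": "carol@example.org", "ip": "203.0.113.10", "pw": "bad", "mfa": None},
    {"ts": "2024-10-16T08:00:15", "user": "dave@example.org",  "ip": "203.0.113.10", "pw": "bad", "mfa": None},
    {"ts": "2024-10-16T08:00:22", "user": "erin@example.org",  "ip": "203.0.113.10", "pw": "bad", "mfa": None},
    {"ts": "2024-10-16T08:00:30", "user": "frank@example.org", "ip": "203.0.113.10", "pw": "ok",  "mfa": "denied"},
    # A user mistyping their own password once is not a spray.
    {"ts": "2024-10-16T08:05:00", "user": "alice@example.org", "ip": "198.51.100.7", "pw": "bad", "mfa": None},
    {"ts": "2024-10-16T08:05:20", "user": "alice@example.org", "ip": "198.51.100.7", "pw": "ok",  "mfa": "approved"},
    # Repeated prompts against frank, then an approval: push bombing.
    {"ts": "2024-10-16T09:10:00", "user": "frank@example.org", "ip": "203.0.113.10", "pw": "ok", "mfa": "denied"},
    {"ts": "2024-10-16T09:10:40", "user": "frank@example.org", "ip": "203.0.113.10", "pw": "ok", "mfa": "timeout"},
    {"ts": "2024-10-16T09:11:20", "user": "frank@example.org", "ip": "203.0.113.10", "pw": "ok", "mfa": "denied"},
    {"ts": "2024-10-16T09:12:05", "user": "frank@example.org", "ip": "203.0.113.10", "pw": "ok", "mfa": "approved"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Map source IP -> distinct accounts it failed against, for IPs that hit
    at least `min_accounts` different accounts inside any sliding window."""
    failures_by_ip = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["pw"] == "bad":
            failures_by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in failures_by_ip.items():
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            accounts = {x["user"] for x in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts)
                break
    return hits


def compromised_after_spray(events, spray_ips):
    """Accounts whose password was accepted from a spraying IP: these need a
    reset and a review of their registered MFA methods, not just a lockout."""
    return sorted({e["user"] for e in events if e["ip"] in spray_ips and e["pw"] == "ok"})


def detect_mfa_fatigue(events, window=timedelta(minutes=5), min_prompts=3):
    """Map user -> {prompts, approved_after} for users who received at least
    `min_prompts` denied or timed-out MFA prompts within the window. The
    approved_after flag marks the case that matters most: the burst ended in
    an approval, so the account should be treated as compromised."""
    prompts_by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["mfa"] in ("denied", "timeout", "approved"):
            prompts_by_user[e["user"]].append(e)
    hits = {}
    for user, evs in prompts_by_user.items():
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            window_events = evs[start:end + 1]
            rejected = [x for x in window_events if x["mfa"] != "approved"]
            if len(rejected) >= min_prompts:
                hits[user] = {"prompts": len(rejected),
                              "approved_after": window_events[-1]["mfa"] == "approved"}
    return hits


if __name__ == "__main__":
    sprays = detect_password_spray(SIGNIN_EVENTS)
    print("spray sources:", sprays)
    print("passwords accepted from those sources:", compromised_after_spray(SIGNIN_EVENTS, set(sprays)))
    print("push-bombing candidates:", detect_mfa_fatigue(SIGNIN_EVENTS))
```

The spray rule keys on distinct accounts per source rather than failures per account, because a sprayer stays under per-account lockout thresholds by design; the fatigue rule separates "many rejected prompts" from "many rejected prompts and then one approval", since only the second tells you the user gave in.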
Furthermore, the Iranian actors have demonstrated their capability to maintain persistent access within the network. Using the compromised accounts, they register their own devices as MFA methods, retaining access even if the legitimate user later changes their password. They also leverage Remote Desktop Protocol (RDP) to move laterally within the network, escalating privileges and accessing additional resources.
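The two persistence and lateral-movement behaviours above are both visible in audit data if you look for them: an MFA method registered from an address the user has never signed in from, MFA methods that a later password reset did not remove, and one account opening RDP sessions to many hosts in a short time. This added example (not from the advisory or the article) checks for each over constructed audit and logon records. The record layouts and the 30-day baseline are assumptions; the one fixed fact used is that Windows Security event 4624 with logon type 10 records an RDP (RemoteInteractive) logon.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MFA-method registration audit events (not real telemetry).
MFA_REGISTRATIONS = [
    {"ts": "2024-10-01T11:00:00", "user": "alice@example.org", "ip": "198.51.100.7",  "method": "authenticator-app"},
    {"ts": "2024-10-16T09:15:00", "user": "frank@example.org", "ip": "203.0.113.10", "method": "authenticator-app"},
]
# Constructed per-user baseline: IPs seen in MFA-approved sign-ins over the prior 30 days.
KNOWN_IPS = {
    "alice@example.org": {"198.51.100.7"},
    "frank@example.org": {"198.51.100.22"},
}
# Constructed password-reset events.
PASSWORD_RESETS = [{"ts": "2024-10-16T10:00:00", "user": "frank@example.org"}]
# Constructed Windows 4624 logons already filtered to logon type 10 (RDP).
RDP_LOGONS = [
    {"ts": "2024-10-16T10:30:00", "user": "CORP\\frank",     "src": "WS-017", "dst": "FS-01"},
    {"ts": "2024-10-16T10:36:00", "user": "CORP\\frank",     "src": "WS-017", "dst": "SQL-02"},
    {"ts": "2024-10-16T10:41:00", "user": "CORP\\frank",     "src": "WS-017", "dst": "DC-01"},
    {"ts": "2024-10-16T10:49:00", "user": "CORP\\frank",     "src": "WS-017", "dst": "HR-APP"},
    {"ts": "2024-10-16T11:00:00", "user": "CORP\\helpdesk1", "src": "WS-003", "dst": "WS-041"},
]


def _ts(record):
    return datetime.fromisoformat(record["ts"])


def suspicious_mfa_registrations(registrations, known_ips):
    """Registrations made from an IP absent from the user's sign-in baseline.
    A brand-new second factor from a never-seen address is the footprint of an
    attacker enrolling their own device on a stolen account."""
    return [r for r in registrations if r["ip"] not in known_ips.get(r["user"], set())]


def registrations_surviving_reset(registrations, resets, lookback=timedelta(days=30)):
    """For each password reset, the MFA methods registered on that account in
    the lookback window before it. A password change does not revoke these;
    they have to be reviewed and removed explicitly during remediation."""
    survivors = {}
    for reset in resets:
        t = _ts(reset)
        survivors[reset["user"]] = [
            m for m in registrations
            if m["user"] == reset["user"] and t - lookback <= _ts(m) <= t
        ]
    return survivors


def rdp_fanout(logons, window=timedelta(minutes=30), min_hosts=3):
    """Map account -> distinct RDP destination hosts for accounts that reached
    at least `min_hosts` different hosts inside any sliding window."""
    by_user = defaultdict(list)
    for l in sorted(logons, key=_ts):
        by_user[l["user"]].append(l)
    hits = {}
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while _ts(evs[end]) - _ts(evs[start]) > window:
                start += 1
            hosts = {x["dst"] for x in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
    return hits


if __name__ == "__main__":
    print("MFA methods from unknown IPs:", suspicious_mfa_registrations(MFA_REGISTRATIONS, KNOWN_IPS))
    print("MFA methods to review after reset:", registrations_surviving_reset(MFA_REGISTRATIONS, PASSWORD_RESETS))
    print("RDP fan-out:", rdp_fanout(RDP_LOGONS))
```

The reset check is the part teams most often miss: resetting the password of the account flagged by the first check closes the front door but leaves the attacker's enrolled authenticator in place, so remediation has to include revoking every MFA method and session registered during the suspected compromise window.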
To steal additional credentials within the network, the attackers use various methods including harvesting credentials with open-source tools and exploiting vulnerabilities to access Active Directory information. They also attempt to escalate privileges, potentially granting them higher levels of control within the system, which could lead to manipulation or disruption of critical systems.
The threat actors have been adopting a technique known as “Living off the Land” (LOTL) where they use legitimate system tools and techniques to gather information about the network and identify valuable targets. By leveraging Windows command-line tools and specific queries to search Active Directory, they can evade detection and appear as legitimate users.
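Because LOTL activity uses tools an administrator also runs, a detection that fires on any single command drowns in false positives; what distinguishes reconnaissance is several different kinds of directory enumeration by one account on one host in a few minutes. This added example (not from the advisory or the article) applies that logic to constructed process-creation records such as Windows event 4688 with command-line auditing enabled, or Sysmon event 1, would produce. The category names, regexes, window and threshold are assumptions to adapt to your environment; the allow-list parameter is for accounts that legitimately run this tooling from managed admin workstations.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry).
PROC_EVENTS = [
    {"ts": "2024-10-16T10:20:00", "user": "CORP\\frank",      "host": "WS-017", "cmd": "nltest /dclist:corp.example.org"},
    {"ts": "2024-10-16T10:21:30", "user": "CORP\\frank",      "host": "WS-017", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2024-10-16T10:23:10", "user": "CORP\\frank",      "host": "WS-017", "cmd": "powershell -c Get-ADUser -Filter * -Properties *"},
    {"ts": "2024-10-16T10:24:00", "user": "CORP\\frank",      "host": "WS-017", "cmd": "whoami /all"},
    {"ts": "2024-10-16T14:00:00", "user": "CORP\\svc-backup", "host": "FS-01",  "cmd": "robocopy D:\\data \\\\bk01\\share /MIR"},
    {"ts": "2024-10-16T15:00:00", "user": "CORP\\helpdesk1", "host": "WS-003", "cmd": "net user jsmith /domain"},
]

# Categories of directory enumeration; one hit per category per window is
# enough, so a noisy script that runs the same command 50 times counts once.
RECON_PATTERNS = {
    "dc-discovery": re.compile(r"\bnltest(\.exe)?\b.*?/dclist", re.IGNORECASE),
    "group-enum":   re.compile(r"\bnet1?(\.exe)?\s+group\b.*?/domain", re.IGNORECASE),
    "user-enum":    re.compile(r"\bnet1?(\.exe)?\s+user\b.*?/domain", re.IGNORECASE),
    "ad-cmdlet":    re.compile(r"\bGet-AD(User|Computer|Group|GroupMember)\b", re.IGNORECASE),
    "dsquery":      re.compile(r"\bdsquery(\.exe)?\b", re.IGNORECASE),
    "whoami":       re.compile(r"\bwhoami(\.exe)?\b", re.IGNORECASE),
}


def classify(cmd):
    """Return the recon category a command line falls into, or None."""
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def detect_ad_recon(events, window=timedelta(minutes=15), min_categories=3, allow=frozenset()):
    """Map (user, host) -> sorted recon categories for principals that ran at
    least `min_categories` distinct kinds of enumeration inside the window.
    Accounts in `allow` are skipped (expected admin tooling)."""
    tagged = defaultdict(list)
    for e in sorted(events, key=lambda x: datetime.fromisoformat(x["ts"])):
        if e["user"] in allow:
            continue
        category = classify(e["cmd"])
        if category:
            tagged[(e["user"], e["host"])].append((datetime.fromisoformat(e["ts"]), category))
    hits = {}
    for key, evs in tagged.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            categories = {c for _, c in evs[start:end + 1]}
            if len(categories) >= min_categories:
                hits[key] = sorted(categories)
    return hits


if __name__ == "__main__":
    for (user, host), cats in detect_ad_recon(PROC_EVENTS).items():
        print(f"{user} on {host}: {', '.join(cats)}")
```

Scoring distinct categories rather than raw command counts is what lets the rule stay quiet for the help-desk account that looks up one user, while still catching the sequence of discovering domain controllers, listing privileged groups and dumping user objects from a workstation.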
Avishai Avivi, CISO at SafeBreach, warns about the abuse of “MFA Exhaustion” and emphasizes the importance of verifying MFA prompts to prevent malicious actors from exploiting MFA fatigue. He suggests that users should always confirm the initiation of MFA sessions to protect personal and work accounts.
The primary goal of this campaign by Iranian hackers is believed to be credential theft and information gathering. Once they gain access, they can steal user credentials, internal network information, and potentially download files for further malicious activities like data exfiltration or selling information on cybercriminal forums.
To protect against these advanced threats, the advisory recommends that critical infrastructure organizations implement strong password policies, enforce multi-factor authentication (MFA) for all user accounts, and regularly review MFA settings to prevent vulnerabilities. By staying vigilant and implementing effective security measures, organizations can safeguard against Iranian hackers targeting critical infrastructure organizations.
