Oct 18, 2024Ravie LakshmananCyber Intelligence / Critical Infrastructure

Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have warned about a year-long campaign undertaken by Iranian cyber actors to infiltrate critical infrastructure organizations via brute-force attacks.

“Since October 2023, Iranian actors have used brute force and password spraying to compromise user accounts and obtain access to organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors,” the agencies said in a joint advisory.

The attacks have targeted healthcare, government, information technology, engineering, and energy sectors, per the Australian Federal Police (AFP), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment Canada (CSE), the U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA).

Another notable tactic outside of brute force and password spraying concerns the use of multi-factor authentication (MFA) prompt bombing to penetrate networks of interest.

“Push bombing is a tactic employed by threat actors that floods, or bombs, a user with MFA push notifications with the goal of manipulating the user into approving the request either unintentionally or out of annoyance,” Ray Carney, director of research at Tenable, said in a statement.

“This tactic is also referred to as MFA fatigue. Phishing-resistant MFA is the best mechanism to prevent push bombing, but if that’s not an option, number matching – requiring users to enter a time-specific code from a company approved identity system – is an acceptable back up. Many identity systems have number matching as a secondary feature.”

The end goal of these attacks is to likely obtain credentials and information describing the victim’s network that can then be sold to enable access to other cybercriminals, echoing an alert previously issued by the U.S. in August 2024.

The initial access is followed by steps to conduct extensive reconnaissance of the entity’s systems and network using living-off-the-land (LotL) tools, escalate privileges via CVE-2020-1472 (aka Zerologon), and lateral movement via RDP. The threat actor has also been found to register their own devices with MFA to maintain persistence.

The attacks, in some instances, are characterized by using msedge.exe to establish outbound connections to Cobalt Strike command-and-control (C2) infrastructure.

“The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access,” the agencies said, adding they “sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity.”

The alert comes weeks after government agencies from the Five Eyes countries published guidance on the common techniques that threat actors use to compromise Active Directory.

“Active Directory is the most widely used authentication and authorization solution in enterprise information technology (IT) networks globally,” the agencies said. “Malicious actors routinely target Active Directory as part of efforts to compromise enterprise IT networks by escalating privileges and targeting the highest confidential user objects.”

It also follows a shift in the threat landscape wherein nation-state hacking crews are increasingly collaborating with cybercriminals, outsourcing some parts of their operations to further their geopolitical and financial motives, Microsoft said.

“Nation-state threat actors are conducting operations for financial gain and enlisting the aid of cybercriminals and commodity malware to collect intelligence,” the tech giant noted in its Digital Defense Report for 2024.

“Nation-state threat actors conduct operations for financial gain, enlist cybercriminals to collect intelligence on the Ukrainian military, and make use of the same infostealers, command-and-control frameworks, and other tools favored by the cybercriminal community.”