Iranian Cyber Actors Target Critical Infrastructure in Year-Long Campaign
Cybersecurity agencies warn of a year-long campaign by Iranian cyber actors targeting critical infrastructure through brute-force attacks and MFA prompt bombing. Key sectors affected include healthcare, government, and energy. The advisory outlines tactics and collaborative threats in the evolving cybersecurity landscape.
Cybersecurity agencies from the United States, Australia and Canada have issued a stark warning regarding a sustained campaign by Iranian cyber actors aimed at infiltrating critical infrastructure organizations. This year-long campaign has utilized brute-force attacks and password spraying techniques to compromise user accounts across several key sectors, including healthcare, government, information technology, engineering and energy.
Since October 2023, Iranian cyber operatives have targeted various sectors employing tactics such as brute-force attacks, which involve systematically attempting multiple password combinations to gain unauthorized access. The joint advisory, released by agencies including the Australian Federal Police, the Australian Cyber Security Centre, the U.S. Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency, highlights that these attacks primarily focus on the healthcare and public health, government and energy sectors.
An additional tactic noted in the advisory is the manipulation of multi-factor authentication systems through what is referred to as MFA prompt bombing. This technique involves flooding a user with multiple MFA push notifications in an attempt to annoy or confuse them into approving unauthorized access. Experts suggest that the best way to counteract this tactic is through the implementation of phishing-resistant MFA, or by using number matching, which requires users to enter a specific code generated by the identity system.
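Both techniques described above leave a recognisable footprint in authentication logs: a password spray shows one source failing against many distinct accounts in a short window, and prompt bombing shows one user receiving a burst of MFA push prompts. The detection below is an added example and not code from the advisory or the agencies; it runs over a constructed, simplified `key=value` log format, and the thresholds and window sizes are assumptions to be tuned to a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the advisory): one source sprays a single guess
# at several accounts, then bombards one user with MFA push prompts.
SAMPLE_LOG = """\
2023-10-14T03:12:05Z src=203.0.113.7 user=alice event=login_failed
2023-10-14T03:12:09Z src=203.0.113.7 user=bob event=login_failed
2023-10-14T03:12:14Z src=203.0.113.7 user=carol event=login_failed
2023-10-14T03:12:20Z src=203.0.113.7 user=dave event=login_failed
2023-10-14T03:12:26Z src=203.0.113.7 user=erin event=login_failed
2023-10-14T03:13:01Z src=203.0.113.7 user=frank event=login_success
2023-10-14T03:13:05Z src=203.0.113.7 user=frank event=mfa_push_sent
2023-10-14T03:13:40Z src=203.0.113.7 user=frank event=mfa_push_sent
2023-10-14T03:14:15Z src=203.0.113.7 user=frank event=mfa_push_sent
2023-10-14T03:14:50Z src=203.0.113.7 user=frank event=mfa_push_sent
2023-10-14T09:00:00Z src=198.51.100.9 user=grace event=login_failed
"""

def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def distinct_in_window(pairs, window, threshold):
    """True if some span of length `window`, starting at an item, holds >= threshold distinct values."""
    pairs = sorted(pairs)
    for i, (t0, _) in enumerate(pairs):
        if len({v for t, v in pairs[i:] if t - t0 <= window}) >= threshold:
            return True
    return False

def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=30)):
    """Sources whose failed logins touch >= min_accounts distinct users within `window`."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["event"] == "login_failed":
            per_src[ev["src"]].append((ev["ts"], ev["user"]))
    return [s for s, p in per_src.items() if distinct_in_window(p, window, min_accounts)]

def detect_mfa_bombing(events, min_prompts=4, window=timedelta(minutes=10)):
    """Users who received >= min_prompts push prompts within `window` (assumed thresholds)."""
    per_user = defaultdict(list)
    for i, ev in enumerate(events):  # index keeps every prompt distinct for the window count
        if ev["event"] == "mfa_push_sent":
            per_user[ev["user"]].append((ev["ts"], i))
    return [u for u, p in per_user.items() if distinct_in_window(p, window, min_prompts)]
```

The benign source with a single failure is not flagged, which is the point of counting distinct accounts per source rather than raw failures.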
The primary objective of these cyberattacks is to obtain user credentials and sensitive information regarding the targeted networks, which can then be sold to other cybercriminals. Once initial access is achieved, the attackers conduct thorough reconnaissance on the compromised systems, using living-off-the-land tools to gather additional credentials and escalate their access through known vulnerabilities such as CVE-2020-1472, commonly known as Zerologon.
These actors also employ lateral movement techniques using Remote Desktop Protocol, and have been found to register their own devices with MFA to maintain persistent access. Some operations have included utilizing msedge.exe to establish outbound connections to command-and-control servers associated with Cobalt Strike, a tool often used for post-exploitation.
The alarming trend highlighted in this advisory reflects a broader shift in the cybersecurity landscape, where nation-state hacking groups are increasingly collaborating with cybercriminal organizations. Microsoft has indicated that these nation-state actors are engaging in operations for financial gain while enlisting the help of cybercriminals to gather intelligence and conduct malicious activities.
This latest alert comes on the heels of previous guidance from Five Eyes intelligence agencies, which outlined common techniques used by threat actors to compromise Active Directory, a widely used authentication system in enterprise networks. Malicious actors routinely target Active Directory to escalate privileges and access highly confidential user data.
As the cybersecurity environment continues to evolve, it is crucial for organizations to remain vigilant and adopt robust security measures to protect against these sophisticated attacks.