The FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and Australian authorities released a joint cybersecurity advisory about Iranian cyber actors targeting critical infrastructure organizations, including healthcare. The agencies have observed these cyberthreat actors using brute force and other tactics to obtain credentials, sell access to other cybercriminals and ultimately compromise critical infrastructure entities.
The advisory is the second alert on the topic of Iran-based cyberthreat actors in recent months. A September 2024 advisory by CISA, the FBI and the Department of Defense Cyber Crime Center highlighted known Iran-based cyberthreat actors, such as Pioneer Kitten, UNC757 and Lemon Sandstorm. The agencies had observed these groups exploiting organizations in the education, healthcare, defense and finance sectors.
The October 2024 advisory specifically focused on Iranian cyberthreat actors using brute force techniques such as multifactor authentication (MFA) "push bombing," which floods users with approval prompts until one is accepted and the account is compromised, and password spraying, in which an attacker tries a single common password against many accounts rather than many passwords against one.
"The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access," the advisory stated.
"The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity."
The cyberthreat actors gain initial access to Microsoft 365, Azure and Citrix systems via brute force. Once inside, they typically register their own devices for MFA so that they retain access to the environment. The agencies also noted instances of cyberthreat actors using Remote Desktop Protocol for lateral movement, exploiting privilege escalation vulnerabilities and using living-off-the-land tactics to learn about the systems they had reached.
Detecting brute force activity can be difficult, but CISA and the other agencies recommended that organizations review authentication logs for login failures of valid accounts. What's more, organizations can look for suspicious logins with IP addresses that do not align with the user's expected location.
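The three signals the agencies point to (failures against valid accounts from one source, successful sign-ins from an unexpected location, and MFA registrations that follow such a sign-in) can be checked together over an exported sign-in log. The following Python is an added illustration written for this article, not code from the advisory or from any vendor. The event records are constructed, and their field layout (`time`, `user`, `result`, `ip`, `country`, `kind`) is an assumed simplification rather than any identity provider's real schema; the per-user expected-country table stands in for a directory baseline an organization would maintain itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in and MFA-registration events (not from the advisory).
# Record shape is an assumed simplification of an identity provider's export:
# kind is "signin" or "mfa_register"; result is "success" or "failure".
RAW_EVENTS = [
    # one source IP fails once against each of four valid accounts in ~15 seconds
    {"time": "2024-10-16T02:00:05", "user": "alice", "result": "failure", "ip": "203.0.113.9", "country": "NL", "kind": "signin"},
    {"time": "2024-10-16T02:00:09", "user": "bob",   "result": "failure", "ip": "203.0.113.9", "country": "NL", "kind": "signin"},
    {"time": "2024-10-16T02:00:14", "user": "carol", "result": "failure", "ip": "203.0.113.9", "country": "NL", "kind": "signin"},
    {"time": "2024-10-16T02:00:20", "user": "dave",  "result": "failure", "ip": "203.0.113.9", "country": "NL", "kind": "signin"},
    # failure against an account that does not exist: noise, not a valid-account failure
    {"time": "2024-10-16T02:00:25", "user": "zed",   "result": "failure", "ip": "203.0.113.9", "country": "NL", "kind": "signin"},
    # the spray lands: alice signs in from the same IP, outside her expected country
    {"time": "2024-10-16T02:05:00", "user": "alice", "result": "success", "ip": "203.0.113.9", "country": "NL", "kind": "signin"},
    # a new MFA method is registered minutes later (the persistence step the advisory describes)
    {"time": "2024-10-16T02:07:30", "user": "alice", "result": "success", "ip": "203.0.113.9", "country": "NL", "kind": "mfa_register"},
    # benign activity: in-country sign-ins and a single mistyped password
    {"time": "2024-10-16T08:30:00", "user": "bob",   "result": "success", "ip": "198.51.100.7", "country": "US", "kind": "signin"},
    {"time": "2024-10-16T08:31:10", "user": "carol", "result": "failure", "ip": "198.51.100.8", "country": "US", "kind": "signin"},
    {"time": "2024-10-16T08:31:25", "user": "carol", "result": "success", "ip": "198.51.100.8", "country": "US", "kind": "signin"},
]

# Constructed directory baseline: which accounts are valid, and where each normally signs in from.
EXPECTED_COUNTRY = {"alice": "US", "bob": "US", "carol": "US", "dave": "US"}


def parse(raw):
    """Convert ISO timestamps to datetime objects and sort chronologically."""
    events = [dict(e, time=datetime.fromisoformat(e["time"])) for e in raw]
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events, directory, min_accounts=3, window=timedelta(minutes=10)):
    """Return {ip: sorted valid accounts} for source IPs whose failures touch at
    least `min_accounts` distinct valid accounts inside `window`. Spraying shows
    as breadth across accounts from one source, so per-account lockout counters
    never trip; failures against accounts not in the directory are ignored."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "signin" and e["result"] == "failure" and e["user"] in directory:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):  # sliding time window over this IP's failures
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_accounts:
                flagged.setdefault(ip, set()).update(users)
    return {ip: sorted(users) for ip, users in flagged.items()}


def detect_location_anomalies(events, expected_country):
    """Return successful sign-ins whose source country differs from the user's baseline."""
    anomalies = []
    for e in events:
        if e["kind"] != "signin" or e["result"] != "success":
            continue
        baseline = expected_country.get(e["user"])
        if baseline is not None and e["country"] != baseline:
            anomalies.append(e)
    return anomalies


def detect_mfa_changes_after_anomaly(events, anomalies, window=timedelta(hours=24)):
    """Return users who registered a new MFA method within `window` after their
    first anomalous sign-in: the 'modified MFA registrations' persistence pattern."""
    first_anomaly = {}
    for a in anomalies:  # anomalies are already in chronological order
        first_anomaly.setdefault(a["user"], a["time"])
    hits = []
    for e in events:
        t0 = first_anomaly.get(e["user"])
        if e["kind"] == "mfa_register" and t0 is not None and t0 <= e["time"] <= t0 + window:
            if e["user"] not in hits:
                hits.append(e["user"])
    return hits


def triage(raw=RAW_EVENTS, directory=EXPECTED_COUNTRY):
    """Run all three checks and return a summary dict suitable for review."""
    events = parse(raw)
    spray = detect_password_spray(events, directory)
    anomalies = detect_location_anomalies(events, directory)
    mfa = detect_mfa_changes_after_anomaly(events, anomalies)
    return {"spray_sources": spray,
            "location_anomalies": [(e["user"], e["ip"], e["country"]) for e in anomalies],
            "mfa_registered_after_anomaly": mfa}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The spray detector keys on one source touching many valid accounts inside a short window, because a per-account failure threshold (the usual lockout policy) is exactly what spraying is designed to stay under. Correlating a subsequent MFA registration with an out-of-baseline sign-in turns two low-priority events into the one sequence the advisory says to look for; the 24-hour window and three-account threshold are starting values to tune against an organization's own log volume.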
In addition to monitoring logs closely, the agencies suggested that organizations review IT helpdesk password management policies, enable phishing-resistant MFA, and regularly review MFA settings to ensure that all sensitive areas of the business are protected by MFA.
As the threat landscape continues to evolve, this advisory and others show that cyberthreat actors are still using basic brute force attack methods to infiltrate systems and disrupt critical infrastructure.