Iranian Hackers Threaten Critical Sectors Using Brute Force

Advisory Warns of Iranian Threat Actors

Iranian cyber actors are using brute force techniques such as password spraying and multifactor authentication (MFA) “push bombing” to attack critical infrastructure sectors worldwide, according to a recent joint advisory.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published the joint cybersecurity advisory with the FBI, NSA and cyber authorities in Canada and Australia, warning of an increasing threat from Iranian state-sponsored actors. Those actors have been targeting critical sectors with brute force and other techniques to steal credentials and information that gives them deeper access to victim systems.

CISA assessed that the Iranian threat actors “performed discovery on compromised networks to obtain additional credentials,” which they then sold “on cybercriminal forums to actors who may use the information to conduct additional malicious activity.” In multiple confirmed compromises, the threat actors exploited open MFA registration (accounts permitted to enroll an MFA device that had not yet done so) to register their own devices, used self-service password reset tools to reset accounts whose passwords had expired, and registered MFA through Okta for compromised accounts that lacked it.

Iranian hackers have gained sophistication in recent years, carrying out a password-spraying campaign in 2023 that targeted thousands of victims across the satellite and defense sectors.

The advisory said the Iranians have been “bombarding users with mobile phone push notifications” until a victim approves one of the requests, whether by accident or simply to make the prompts stop, an attack method known as push bombing or “MFA fatigue.” Once inside, the actors likely used open-source tools and methodologies to obtain more credentials, and in some cases downloaded and exfiltrated files related to the organization’s remote access infrastructure and its inventory.

CISA has urged organizations to look for the following:

  • Suspicious logins with changing usernames
  • “Impossible travel,” where one account authenticates from IP addresses in geographic locations too far apart to be reached in the time between the two logins
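
Both indicators, together with the push bombing described above, can be checked mechanically against sign-in telemetry. The following is an added example, not code from the advisory or from ITPAC: it runs over a handful of constructed sign-in events in a hypothetical flattened log format (timestamp, user, source IP, result, geolocated latitude/longitude of the IP) and flags a password spray (one IP failing against many accounts), impossible travel (consecutive logins whose implied speed exceeds an airliner’s) and MFA fatigue (a run of denied or unanswered pushes ending in an approval). The thresholds are assumptions to tune against your own baseline, and the field names will differ from your identity provider’s export.

```python
"""Detection logic for password spraying, impossible travel and MFA push bombing.

Added example. The event format is a hypothetical, flattened sign-in log
(timestamp, user, source IP, result, geolocated lat/lon of the IP); adapt the
field names to your IdP's export. All events below are constructed, not real.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


def ev(ts, user, ip, result, lat, lon):
    """Build one event; timestamps are ISO 8601 UTC with a trailing Z."""
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "ip": ip, "result": result, "lat": lat, "lon": lon}


PARIS, CHICAGO, BERLIN = (48.86, 2.35), (41.88, -87.63), (52.52, 13.41)
EVENTS = [  # constructed sample telemetry
    # One source IP trying a single password against many accounts (spray)
    ev("2024-10-16T08:00:01Z", "alice", "203.0.113.10", "failure", *PARIS),
    ev("2024-10-16T08:00:04Z", "bob",   "203.0.113.10", "failure", *PARIS),
    ev("2024-10-16T08:00:07Z", "carol", "203.0.113.10", "failure", *PARIS),
    ev("2024-10-16T08:00:09Z", "dave",  "203.0.113.10", "failure", *PARIS),
    ev("2024-10-16T08:00:12Z", "erin",  "203.0.113.10", "failure", *PARIS),
    ev("2024-10-16T08:00:15Z", "frank", "203.0.113.10", "success", *PARIS),
    # frank's genuine login from the Chicago office 30 minutes later
    ev("2024-10-16T08:30:00Z", "frank", "198.51.100.7", "success", *CHICAGO),
    # grace: four pushes she rejected or ignored, then one she approved
    ev("2024-10-16T09:00:00Z", "grace", "203.0.113.10", "mfa_denied",  *PARIS),
    ev("2024-10-16T09:00:40Z", "grace", "203.0.113.10", "mfa_timeout", *PARIS),
    ev("2024-10-16T09:01:20Z", "grace", "203.0.113.10", "mfa_denied",  *PARIS),
    ev("2024-10-16T09:02:00Z", "grace", "203.0.113.10", "mfa_timeout", *PARIS),
    ev("2024-10-16T09:02:30Z", "grace", "203.0.113.10", "success",     *PARIS),
    # heidi: one typo then a good login from the same place, nothing to flag
    ev("2024-10-16T10:00:00Z", "heidi", "192.0.2.5", "failure", *BERLIN),
    ev("2024-10-16T10:00:20Z", "heidi", "192.0.2.5", "success", *BERLIN),
]


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Source IPs that fail against at least min_users distinct accounts inside one window."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            fails[e["ip"]].append(e)
    hits = []
    for ip, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # slide the window over the sorted failures
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                hits.append(ip)
                break
    return hits


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=900.0, min_km=50.0):
    """Consecutive successful logins of one user that imply faster-than-airliner travel."""
    logins = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            logins[e["user"]].append(e)
    hits = []
    for user, evs in logins.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (b["ts"] - a["ts"]).total_seconds() / 3600
            # min_km absorbs geolocation jitter; hours == 0 means two places at once
            if km >= min_km and (hours == 0 or km / hours > max_speed_kmh):
                hits.append((user, a["ip"], b["ip"], round(km)))
    return hits


def detect_mfa_fatigue(events, min_pushes=3, window=timedelta(minutes=15)):
    """Users who approved a login after at least min_pushes denied/unanswered pushes in the window."""
    per_user = defaultdict(list)
    for e in events:
        if e["result"] in ("mfa_denied", "mfa_timeout", "success"):
            per_user[e["user"]].append(e)
    hits = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            pushes = [x for x in evs[:i] if x["result"] != "success" and e["ts"] - x["ts"] <= window]
            if len(pushes) >= min_pushes:
                hits.append((user, len(pushes)))
    return hits


if __name__ == "__main__":
    print("password spray from:", detect_password_spray(EVENTS))
    print("impossible travel:", detect_impossible_travel(EVENTS))
    print("MFA fatigue:", detect_mfa_fatigue(EVENTS))
```

On the constructed sample, the spray detector names 203.0.113.10, the travel detector flags frank’s Paris-then-Chicago pair (roughly 6,600 km in half an hour), and the fatigue detector flags grace after four rejected or unanswered pushes; heidi’s single typo is left alone. Note that the successful login from the spraying IP is itself the compromise, so in practice the spray alert should pivot straight to that account.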

CISA also recommends that organizations take the following actions:

  • Disabling user accounts for departing staff
  • Implementing phishing-resistant MFA
  • Ensuring password policies align with the latest digital identity guidelines from the National Institute of Standards and Technology

NIST called for an overhaul of password practices in the 2024 draft revision of its Digital Identity Guidelines (SP 800-63-4). The draft tells verifiers to require longer passwords (a minimum of 8 characters, with 15 recommended), to allow at least 64 characters, to drop composition rules such as mandatory mixes of character types, to check candidates against lists of common and breached passwords, and to force a password change only when there is evidence of compromise rather than on a fixed schedule.
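
As an added illustration of what those NIST rules look like when enforced by a verifier (not code from NIST, CISA or ITPAC), the following check accepts or rejects a candidate password under the draft’s length, blocklist and context-word rules, and shows it beside the legacy composition rule the draft retires. The blocklist and the organisation-specific words are constructed placeholders; in production the blocklist would be a breached-password corpus.

```python
"""Password acceptance check following the password rules in NIST's draft SP 800-63B-4.

Added example, not NIST's reference code. MIN_LEN, MAX_LEN and the rule set follow the
draft; BLOCKLIST and CONTEXT_WORDS are constructed stand-ins for a real breached-password
corpus and an organisation's own dictionary.
"""
import unicodedata

MIN_LEN = 15  # draft: SHALL accept >= 8, SHOULD require >= 15 for a single-factor password
MAX_LEN = 64  # draft: SHALL permit at least 64 characters
BLOCKLIST = {"password", "qwerty123456789", "letmeinletmein1", "summer2024!!!!!"}  # constructed
CONTEXT_WORDS = ("examplecorp", "helpdesk")  # constructed: organisation and product names


def normalize(candidate):
    """NFKC so that visually identical Unicode spellings compare (and count) the same."""
    return unicodedata.normalize("NFKC", candidate)


def check_password(candidate, username):
    """Return (accepted, reason). No composition rules, no hints, no expiry clock."""
    pw = normalize(candidate)
    n = len(pw)  # code points, not bytes: an emoji or accented letter is one character
    if n < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if n > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    lowered = pw.casefold()
    if lowered in BLOCKLIST:
        return False, "appears in the blocklist of common or breached passwords"
    if username.casefold() in lowered or any(w in lowered for w in CONTEXT_WORDS):
        return False, "contains the username or an organisation-specific word"
    # Deliberately no composition rule: a plain lower-case passphrase is accepted.
    return True, "accepted"


def legacy_check_password(candidate):
    """The composition rule the draft tells verifiers to drop: 8+ chars with all four classes."""
    return (len(candidate) >= 8
            and any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(not c.isalnum() for c in candidate))


if __name__ == "__main__":
    for pw in ("Summer2024!!!!!", "correct horse battery staple", "ExampleCorp-helpdesk-2024"):
        print(f"{pw!r}: legacy={legacy_check_password(pw)} nist={check_password(pw, 'alice')}")
```

The contrast is the point: “Summer2024!!!!!” satisfies the old upper/lower/digit/symbol rule but is exactly the sort of predictable, sprayable password the blocklist exists to catch, while a long lower-case passphrase fails the legacy rule and passes the NIST check.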

If you have questions about how this threat could affect your organization and what steps you should take to prepare, call ITPAC today.