Cyber security and intelligence agencies in Australia, Canada and the US have warned of a year-long campaign by Iranian cyber actors to infiltrate organizations’ critical infrastructure through brute force attacks.
“Since October 2023, Iranian actors have used brute force and password cracking to compromise user accounts and gain access to health and public health (HPH), government, information technology, engineering, and energy organizations,” the agencies noted. said in joint consultation.
The attacks targeted healthcare, government, information technology, engineering and energy, according to the Australian Federal Police (AFP), the Australian Cyber Security Center (ACSC) of the Australian Signals Authority, the Canadian Communications Security Authority (CSE), the US Federal Bureau of Investigation (FBI ), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA).
Another notable tactic besides brute force and password spraying involves the use of multi-factor authentication (MFA). operational bombing to penetrate interesting networks.
“Push bombardment is a tactic used by threat actors that flood or bombard a user with MFA push messages in order to manipulate the user into approving a request, either unintentionally or out of annoyance,” Ray Carney, director of research at Tenable, said in a statement.
“This tactic is also called MFA fatigue. Phishing-resistant MFA is the best mechanism to prevent push bombing, but if that’s not an option, number matching — requiring users to enter a specific time code with a company-approved identification system — is an acceptable backup. Many identification systems have number matching as a secondary function.
The ultimate goal of these attacks is likely to obtain credentials and information describing the victim’s network, which can then be sold to provide access to other cybercriminals by repeating the warning previously issued USA in August 2024.
Initial access is followed by steps to conduct extensive reconnaissance of the organization’s systems and network using LoL (LotL) tools, privilege escalation through CVE-2020-1472 (aka Zerologon), and lateral traffic via RDP. It was also discovered that the threat actor was registering his own devices with the MFA to maintain resilience.
The attacks in some cases are characterized by the use of msedge.exe to establish outbound connections to the Cobalt Strike (C2) command and control infrastructure.
“Actors conducted discovery of compromised networks to obtain additional credentials and identify other information that could be used to obtain additional access points,” the agencies said, adding that they “sell this information on cybercriminal forums to entities that may use information to conduct additional malicious activity.”
The alert comes weeks after government agencies from the Five Eyes countries published guidance on common methods threat actors use to compromise Active Directory.
“Active Directory is the most widely used authentication and authorization solution in enterprise information technology (IT) networks worldwide,” the agencies note. said. “Attackers routinely attack Active Directory as part of efforts to breach corporate IT networks by escalating privileges and targeting the most sensitive user objects.”
It also follows a shift in the threat landscape in which nation-state hacking groups are increasingly partnering with cybercriminals, outsourcing parts of their operations to further their geopolitical and financial motives, Microsoft said.
“Nation-state threat entities conduct operations for financial gain and enlist the help of cybercriminals and commercial malware to gather intelligence,” the tech giant said. noted in its 2024 Digital Defense Report.
“Nation-state threat actors conduct operations for financial gain, engage cybercriminals to gather intelligence on the Ukrainian military, and use the same information stealers, command and control systems, and other tools favored by the cybercriminal community.”
