Iranian Hackers Using Brute Force on Critical Infrastructure

Iranian cyber actors are increasingly using brute force techniques – such as password spraying and multifactor authentication “push bombing” – to attack global critical infrastructure sectors, according to a joint advisory on Wednesday.

See Also: Live Webinar | Endpoint Security: Defending Today’s Workforce Against Cyber Threats

The U.S. Cybersecurity and Infrastructure Security Agency published a cybersecurity advisory with the FBI, National Security Agency and cyber authorities in Canada and Australia warning of the growing threat posed by Iranian state-sponsored cyber actors. The advisory warned that Iranian threat actors have been targeting healthcare, government, IT, engineering and energy sectors with brute force and other techniques to steal credentials and gather information for deeper system access.

CISA assessed that Iranian threat actors “performed discovery on the compromised networks to obtain additional credentials,” which they then sold “on cybercriminal forums to actors who may use the information to conduct additional malicious activity,” the advisory said. In multiple confirmed compromises, the threat actors exploited open registrations for MFA to register their own devices, used self-service password reset tools to reset accounts with expired passwords and registered MFA through Okta for compromised accounts that lacked MFA.

Iranian hackers have gained sophistication in recent years, carrying out a password-spraying campaign in 2023 that targeted thousands of victims across the satellite and defense sectors. The United States has also indicted and sanctioned several Iranian hackers for allegedly stealing campaign materials belonging to former President Donald Trump and attempting to interfere in the 2024 presidential election (see: Iranian Hackers Indicted for Cyberattacks on Trump Campaign).

The advisory said Iranian threat actors have been observed “bombarding users with mobile phone push notifications” to lure victims into approving the requests or stopping the notifications entirely – an attack method known as push bombing or “MFA fatigue.” Those actors then likely used open-source tools and methodologies to obtain more credentials, and in some cases downloaded and exfiltrated files related to gaining remote access to the organization and its inventory, according to the advisory.

CISA urged organizations to look for suspicious logins with changing usernames and “impossible travel,” which occurs when a user logs in from various IP addresses in vastly different geographic locations. CISA also recommends disabling user accounts for departing staff, implementing phishing-resistant MFA and ensuring password policies align with the latest digital identity guidelines from the National Institute of Standards and Technology.

NIST called for an overhaul of digital password practices in the second public draft of its digital identity guidelines published in September. The guidance recommended organizations implement longer and more randomized passwords than ever before, while forcing users to change login information only when there is evidence of a compromise of the authenticator (see: NIST Calls for Major Overhaul in Typical Password Practices).