Iranian Hackers Maintain Two-Year Access to Critical Infrastructure

Over the past two years, Iranian state-sponsored cyber actors have persistently infiltrated critical infrastructure sectors worldwide, maintaining prolonged access to sensitive systems. This sustained campaign has targeted industries such as healthcare, government, information technology, engineering, and energy, raising significant concerns about global cybersecurity.

Tactics and Techniques

Since October 2023, these Iranian cyber actors have employed various methods to gain unauthorized access to critical infrastructure organizations. Notably, they have used brute-force techniques, including password spraying and multifactor authentication (MFA) "push bombing," to compromise user accounts. Password spraying attempts common passwords across many accounts, while MFA push bombing floods a user with authentication prompts until one is approved, whether by mistake or out of fatigue. Once initial access is achieved, the attackers conduct thorough reconnaissance to gather credentials and network information, facilitating further exploitation. They often modify MFA registrations to maintain persistent access, registering new devices and adding MFA methods to accounts that lack two-factor authentication. They also exploit vulnerabilities such as the Netlogon privilege-escalation flaw CVE-2020-1472, known as Zerologon, to escalate privileges within the network.

Targeted Sectors and Global Impact

The sectors most affected by these cyber intrusions include healthcare, government, information technology, engineering, and energy. Organizations within these industries have reported unauthorized access, data breaches, and operational disruptions. The global reach of these attacks underscores the extensive capabilities of Iranian cyber actors and highlights the vulnerabilities present in critical infrastructure systems worldwide.

Monetization of Access

Beyond direct exploitation, Iranian hackers have been identified as initial access brokers, selling access to compromised networks on cybercriminal forums. This practice enables other threat actors to conduct additional malicious activities, such as deploying ransomware or stealing sensitive data. The sale of access to critical infrastructure networks poses significant risks, as it can lead to widespread disruptions and financial losses.

Recommendations for Mitigation

In response to these threats, cybersecurity agencies from the United States, Canada, and Australia have issued joint advisories outlining recommended mitigations:

– Implement Strong Password Policies: Enforce the use of complex passwords and avoid common or default credentials.

– Enable Phishing-Resistant MFA: Utilize MFA methods that are resistant to phishing attacks, such as hardware tokens or biometric verification.

– Monitor for Suspicious Activity: Regularly review authentication logs for signs of brute-force attempts, unusual login patterns, and unauthorized MFA changes.

– Conduct Regular Security Training: Educate employees on recognizing phishing attempts, managing MFA requests, and maintaining good cybersecurity hygiene.

– Patch Known Vulnerabilities: Promptly apply security updates to address known vulnerabilities, such as Zerologon, to prevent exploitation.
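To make the "monitor authentication logs" recommendation concrete, here is an added example (not part of the advisories or this article) that runs over a small constructed log and flags the three patterns described above: password spraying (one source failing logins for many distinct accounts), MFA push bombing (repeated pushes to one user in a short span) and MFA method or device changes on an account that was just bombed. The log format, event names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not real data): "<ISO timestamp> <user> <source_ip> <event>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice 203.0.113.7 LOGIN_FAIL
2024-05-01T09:00:02 bob 203.0.113.7 LOGIN_FAIL
2024-05-01T09:00:03 carol 203.0.113.7 LOGIN_FAIL
2024-05-01T09:00:04 dave 203.0.113.7 LOGIN_FAIL
2024-05-01T09:00:05 erin 203.0.113.7 LOGIN_FAIL
2024-05-01T09:03:10 bob 198.51.100.4 LOGIN_FAIL
2024-05-01T09:10:05 frank 203.0.113.7 MFA_PUSH_SENT
2024-05-01T09:10:20 frank 203.0.113.7 MFA_PUSH_SENT
2024-05-01T09:10:35 frank 203.0.113.7 MFA_PUSH_SENT
2024-05-01T09:12:00 frank 203.0.113.7 MFA_METHOD_ADDED
"""

def parse(log):
    """(timestamp, user, ip, event) per well-formed line; anything else is skipped."""
    rows = [line.split() for line in log.splitlines()]
    return [(datetime.fromisoformat(r[0]), r[1], r[2], r[3]) for r in rows if len(r) == 4]

def burst(keyed, window, threshold):
    """Keys whose distinct values inside some sliding `window` reach `threshold`."""
    hits = {}
    for key, items in keyed.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            vals = {v for t, v in items[i:] if t - start <= window}
            if len(vals) >= threshold:
                hits[key] = vals
                break
    return hits

def password_spraying(events, min_accounts=5, window=timedelta(minutes=10)):
    """One source IP failing logins for many distinct accounts: the spraying pattern."""
    keyed = defaultdict(list)
    for ts, user, ip, event in events:
        if event == "LOGIN_FAIL":
            keyed[ip].append((ts, user))
    return burst(keyed, window, min_accounts)

def mfa_push_bombing(events, min_pushes=3, window=timedelta(minutes=5)):
    """Repeated MFA pushes to one user in a short span: the push-bombing pattern."""
    keyed = defaultdict(list)
    for i, (ts, user, _ip, event) in enumerate(events):
        if event == "MFA_PUSH_SENT":
            keyed[user].append((ts, i))  # event index keeps every push distinct
    return burst(keyed, window, min_pushes)

def mfa_changes_after_bombing(events, bombed_users):
    """New MFA methods or devices on a just-bombed account point to persistence being set up."""
    return sorted({u for _, u, _, e in events if u in bombed_users and e in ("MFA_METHOD_ADDED", "DEVICE_REGISTERED")})
```

Note that the single failed login for `bob` from a second address does not trigger the spraying check, because the detection keys on the number of distinct accounts per source rather than on failures alone.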

By adopting these measures, organizations can enhance their defenses against persistent cyber threats and protect critical infrastructure from unauthorized access and potential disruptions.