Cybersecurity and intelligence agencies from Australia, Canada, and the United States have issued a joint advisory warning about a year-long cyber campaign conducted by Iranian threat actors aimed at infiltrating critical infrastructure sectors. Since October 2023, these actors have employed tactics such as brute-force attacks and password spraying to compromise user accounts in various industries, including healthcare, government, information technology, engineering, and energy.
The campaign, which has been ongoing for over a year, has been observed by agencies such as the Australian Federal Police (AFP), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), the Communications Security Establishment Canada (CSE), the U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA).
In addition to brute-force and password-spraying attacks, the Iranian actors have used MFA prompt bombing, also called push bombing or MFA fatigue, to gain unauthorized access to target networks. Ray Carney, director of research at Tenable, explains that push bombing involves overwhelming a user with multi-factor authentication (MFA) push notifications, manipulating them into approving the request out of frustration or confusion.
To counter such attacks, phishing-resistant MFA (for example FIDO2/WebAuthn security keys or certificate-based authentication) is recommended as the most effective defense. For organizations that cannot yet deploy it, number matching is a viable fallback: the sign-in screen displays a number that the user must type into the authenticator app to approve the prompt, so a push cannot be accepted blindly in response to a flood of requests. Many identity systems offer number matching as a secondary option.
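Both techniques leave a characteristic trace in identity-provider sign-in logs. The following is an added example, not code from the article or from the advisory: it parses a constructed sign-in log (the line format, outcome names, IP addresses and account names are all assumed for illustration) and flags password spraying (one source trying many accounts a few times each, staying under lockout thresholds) and push bombing (a burst of push prompts to one account, mostly denied or timed out, here ending in an approval).

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample identity-provider sign-in log (illustrative, not from the advisory).
# Fields: UTC timestamp, source IP, account, outcome. 203.0.113.7 sprays one guess per
# account and then bombards "frank" with push prompts; 198.51.100.20 is a real user who
# mistypes a password twice and approves a single prompt.
SAMPLE_LOG = """\
2024-10-16T08:00:01Z 203.0.113.7 alice FAILED_PASSWORD
2024-10-16T08:00:04Z 203.0.113.7 bob FAILED_PASSWORD
2024-10-16T08:00:07Z 203.0.113.7 carol FAILED_PASSWORD
2024-10-16T08:00:10Z 203.0.113.7 dave FAILED_PASSWORD
2024-10-16T08:00:13Z 203.0.113.7 erin FAILED_PASSWORD
2024-10-16T08:00:16Z 203.0.113.7 frank PASSWORD_OK
2024-10-16T08:00:17Z 203.0.113.7 frank MFA_PUSH_SENT
2024-10-16T08:00:40Z 203.0.113.7 frank MFA_PUSH_DENIED
2024-10-16T08:00:41Z 203.0.113.7 frank MFA_PUSH_SENT
2024-10-16T08:01:10Z 203.0.113.7 frank MFA_PUSH_TIMEOUT
2024-10-16T08:01:11Z 203.0.113.7 frank MFA_PUSH_SENT
2024-10-16T08:01:35Z 203.0.113.7 frank MFA_PUSH_DENIED
2024-10-16T08:01:36Z 203.0.113.7 frank MFA_PUSH_SENT
2024-10-16T08:01:50Z 203.0.113.7 frank MFA_PUSH_APPROVED
2024-10-16T08:01:51Z 203.0.113.7 frank SUCCESS
2024-10-16T08:05:00Z 198.51.100.20 alice FAILED_PASSWORD
2024-10-16T08:05:30Z 198.51.100.20 alice FAILED_PASSWORD
2024-10-16T08:06:00Z 198.51.100.20 alice PASSWORD_OK
2024-10-16T08:06:01Z 198.51.100.20 alice MFA_PUSH_SENT
2024-10-16T08:06:09Z 198.51.100.20 alice MFA_PUSH_APPROVED
2024-10-16T08:06:10Z 198.51.100.20 alice SUCCESS
"""

PASSWORD_ATTEMPTS = {"FAILED_PASSWORD", "PASSWORD_OK"}
PUSH_REJECTED = {"MFA_PUSH_DENIED", "MFA_PUSH_TIMEOUT"}


def parse_log(text):
    """Turn the log text into (timestamp, source_ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            stamp, src, user, outcome = line.split()
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((when, src, user, outcome))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Spraying tries one or two common passwords against many accounts so that no single
    account trips a lockout. Flag a source IP when, inside one window, it makes password
    attempts against at least min_users distinct accounts with no account tried more than
    max_per_user times. Returns {source_ip: sorted targeted accounts}."""
    attempts_by_src = defaultdict(list)
    for when, src, user, outcome in events:
        if outcome in PASSWORD_ATTEMPTS:
            attempts_by_src[src].append((when, user))
    findings = {}
    for src, attempts in attempts_by_src.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1                        # slide the window forward
            counts = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                findings[src] = sorted(set(findings.get(src, [])) | set(counts))
    return findings


def detect_push_bombing(events, window=timedelta(minutes=5), min_prompts=3):
    """Push bombing shows up as a burst of MFA push prompts to one account, most of them
    denied or timed out, sometimes ending in an approval. Returns
    {account: {"prompts": n_in_busiest_window, "rejected": n, "approved": bool}}."""
    pushes_by_user = defaultdict(list)
    for when, _, user, outcome in events:
        if outcome.startswith("MFA_PUSH_"):
            pushes_by_user[user].append((when, outcome))
    findings = {}
    for user, pushes in pushes_by_user.items():
        pushes.sort()
        sent = [when for when, outcome in pushes if outcome == "MFA_PUSH_SENT"]
        busiest = max((sum(1 for t in sent[i:] if t - t0 <= window)
                       for i, t0 in enumerate(sent)), default=0)
        rejected = sum(1 for _, outcome in pushes if outcome in PUSH_REJECTED)
        # A burst the user never rejected is more likely a flaky app than an attack.
        if busiest >= min_prompts and rejected > 0:
            findings[user] = {"prompts": busiest, "rejected": rejected,
                              "approved": any(o == "MFA_PUSH_APPROVED" for _, o in pushes)}
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("password spray:", detect_password_spray(parsed))
    print("push bombing:", detect_push_bombing(parsed))
```

The spray detector keys on a single source IP; real sprays are often distributed across many addresses, so in production the same logic is usually also run per user agent, ASN or failed-password-per-minute across the whole tenant. An "approved": True finding is the one to escalate: it means the flood ended in a successful login and the session, not just the prompts, needs to be revoked.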
Attack Objectives and Methods
The actors' likely aim is to obtain credentials and network information that can be sold to other cybercriminals, facilitating broader unauthorized access. Once initial access is achieved, the attackers conduct reconnaissance on the compromised systems, often using living-off-the-land (LotL) tools already present in the victim's environment rather than dropping their own tooling. They escalate privileges using known, patchable vulnerabilities such as CVE-2020-1472 (Zerologon) in Microsoft Netlogon, and move laterally via Remote Desktop Protocol (RDP).
The threat actors have also been observed using msedge.exe, the Microsoft Edge browser binary, to establish outbound connections to Cobalt Strike command-and-control (C2) infrastructure, where the traffic blends in with ordinary browser activity. By registering their own devices for MFA on compromised accounts, they establish persistent access to the victim's network that can survive initial detection and response efforts unless those rogue MFA registrations are also found and removed.
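The post-access behaviours described in the two paragraphs above are visible in Windows Security and Sysmon telemetry. The following is an added example, not code from the article or from the advisory, that runs three hunts over constructed events in a simplified event shape (the field names, hostnames, IP addresses and account names are assumptions for illustration, not real Windows schema): a 4742 computer-account change performed by ANONYMOUS LOGON as an indicator of Zerologon exploitation, RDP fan-out (4624 logon type 10) from one source to many hosts, and fixed-interval connections from msedge.exe as a sign of Cobalt Strike beaconing.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"


def ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample events in a simplified Security / Sysmon shape
# (illustrative, not taken from the advisory; field names are assumptions).
SAMPLE_EVENTS = [
    # Security 4742 (computer account changed) on the domain controller. Zerologon resets
    # the DC machine-account password over an unauthenticated Netlogon session, so the
    # subject of the change is ANONYMOUS LOGON rather than the account itself.
    {"log": "Security", "id": 4742, "time": "2024-10-16T09:00:00Z", "host": "DC01",
     "subject": "ANONYMOUS LOGON", "target": "DC01$"},
    {"log": "Security", "id": 4742, "time": "2024-10-16T09:30:00Z", "host": "DC01",
     "subject": "WS07$", "target": "WS07$"},  # routine machine-account password rotation
    # Security 4624 with LogonType 10 (RemoteInteractive, i.e. RDP) on several hosts.
    *[{"log": "Security", "id": 4624, "time": t, "host": h, "logon_type": 10,
       "src_ip": "10.0.5.23", "user": "svc_backup"}
      for t, h in [("2024-10-16T09:20:00Z", "FS01"), ("2024-10-16T09:25:00Z", "APP02"),
                   ("2024-10-16T09:31:00Z", "SQL01"), ("2024-10-16T09:40:00Z", "HR-WS")]],
    {"log": "Security", "id": 4624, "time": "2024-10-16T09:22:00Z", "host": "FS01",
     "logon_type": 10, "src_ip": "10.0.7.8", "user": "jsmith"},
    # Sysmon 3 (network connection) from msedge.exe: one flow checks in every ~60 s,
    # the other is ordinary bursty browsing to a web server.
    *[{"log": "Sysmon", "id": 3, "time": t, "host": "WS07", "image": EDGE,
       "dst_ip": "192.0.2.44", "dst_port": 443}
      for t in ["2024-10-16T09:10:00Z", "2024-10-16T09:11:01Z", "2024-10-16T09:12:00Z",
                "2024-10-16T09:12:59Z", "2024-10-16T09:14:00Z", "2024-10-16T09:15:00Z"]],
    *[{"log": "Sysmon", "id": 3, "time": t, "host": "WS07", "image": EDGE,
       "dst_ip": "198.51.100.200", "dst_port": 443}
      for t in ["2024-10-16T09:10:00Z", "2024-10-16T09:10:02Z", "2024-10-16T09:10:03Z",
                "2024-10-16T09:10:45Z", "2024-10-16T09:13:00Z", "2024-10-16T09:13:01Z"]],
]


def find_zerologon_indicators(events):
    """4742 where a machine account was changed by ANONYMOUS LOGON: an unauthenticated
    caller should never be able to do that, which is exactly what CVE-2020-1472 allows.
    Returns [(host, changed_account)]."""
    return [(e["host"], e["target"]) for e in events
            if e["log"] == "Security" and e["id"] == 4742
            and e["subject"] == "ANONYMOUS LOGON" and e["target"].endswith("$")]


def find_rdp_fanout(events, window=timedelta(hours=1), min_hosts=3):
    """One (source IP, account) pair opening RDP sessions to several distinct hosts
    inside one window: the pattern of hands-on-keyboard lateral movement.
    Returns {(src_ip, user): sorted hosts}."""
    sessions = defaultdict(list)
    for e in events:
        if e["log"] == "Security" and e["id"] == 4624 and e.get("logon_type") == 10:
            sessions[(e["src_ip"], e["user"])].append((ts(e["time"]), e["host"]))
    findings = {}
    for key, items in sessions.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings[key] = sorted(hosts | set(findings.get(key, [])))
    return findings


def find_beaconing(events, image_name="msedge.exe", min_conns=5, max_jitter=0.2):
    """Repeated connections from one process to one destination at near-constant intervals.
    A browser's connections are bursty and irregular; a Cobalt Strike Beacon hosted in
    msedge.exe checks in on a sleep timer, so the spread of the gaps between connections
    (stdev / mean) stays small. Returns one finding dict per suspicious flow."""
    flows = defaultdict(list)
    for e in events:
        if e["log"] == "Sysmon" and e["id"] == 3 and e["image"].lower().endswith(image_name):
            flows[(e["host"], e["dst_ip"], e["dst_port"])].append(ts(e["time"]))
    findings = []
    for (host, dst_ip, dst_port), times in flows.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if mean(gaps) == 0:
            continue                      # everything at once: a burst, not a timer
        jitter = pstdev(gaps) / mean(gaps)
        if jitter <= max_jitter:
            findings.append({"host": host, "dst": f"{dst_ip}:{dst_port}", "conns": len(times),
                             "mean_interval_s": round(mean(gaps), 1), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    print("zerologon:", find_zerologon_indicators(SAMPLE_EVENTS))
    print("rdp fan-out:", find_rdp_fanout(SAMPLE_EVENTS))
    print("beaconing:", find_beaconing(SAMPLE_EVENTS))
```

The beaconing check is deliberately process-aware: plain 443 traffic from a browser is noise, but a browser process that talks to one IP on a metronome is not how browsers behave. Beacons configured with a large sleep jitter will push the ratio above the threshold, so in practice this hunt is paired with destination reputation and with the other two signals, which need no statistics at all.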
Selling Network Access
Once the attackers have gathered credentials and network details, the advisory assesses that they likely sell this information on cybercriminal forums, enabling other malicious actors to carry out follow-on attacks. It lists the msedge.exe C2 connections as one of several techniques used to maintain and extend access.
This alert follows a Five Eyes advisory on common techniques used to compromise Active Directory (AD), which remains a primary target for nation-state and cybercriminal operations. Active Directory is widely used for authentication and authorization across enterprise IT networks, making it a valuable target for attackers looking to escalate privileges and gain access to sensitive user information.
Shifting Threat Landscape
Recent trends reveal increasing collaboration between nation-state hacking groups and cybercriminals, as geopolitical and financial motivations align. According to Microsoft's Digital Defense Report for 2024, nation-state actors are increasingly outsourcing parts of their operations to cybercriminal groups, utilizing commodity malware, infostealers, and other tools commonly used by cybercriminals. This collaboration allows them to achieve their goals more efficiently, whether for intelligence gathering or financial gain.
"Nation-state threat actors are now conducting operations for financial gain and enlisting the aid of cybercriminals to collect intelligence, including on the Ukrainian military," the report noted, emphasizing the convergence between state-sponsored and cybercriminal operations.
The year-long campaign by Iranian cyber actors highlights the growing threat to critical infrastructure sectors globally. Organizations in healthcare, government, IT, engineering, and energy should remain vigilant: deploy phishing-resistant MFA (or at least number matching), review MFA registrations for devices users did not enroll themselves, patch known vulnerabilities like Zerologon, and continuously monitor authentication and network activity for the brute-force, push-bombing, and lateral-movement patterns described above.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067