
Iranian Actors Hit Critical Infrastructure Firms With Brute Force Attacks

CISA says that Iranian threat actors have targeted the healthcare, government, information technology, engineering, and energy sectors

A new advisory released Wednesday by the U.S. and partner countries warned network defenders that Iranian threat actors are using brute force attacks to target multiple U.S. critical infrastructure sectors. The advisory, which published TTPs and IoCs obtained from FBI investigations, said that the threat actors are using the compromises to obtain credentials and victim network information, which they then sell to enable access for other cybercriminals.

Key Details:

  • Since October 2023, Iranian actors have used brute force attacks, in which automated tools try username and password combinations to guess login credentials; password spraying attacks, in which they try the same passwords against many different accounts; and MFA push bombing attacks, in which targets are spammed with MFA prompts until they press accept.

  • Post-compromise, the attackers identified additional credentials and types of access points. For example, in a couple of incidents, CISA observed actors downloading files related to gaining remote access to organizations.

  • In two attacks, the attackers were also observed modifying users’ open MFA registrations for persistence.

  • Iranian threat actors have targeted many different U.S. critical infrastructure industries, including the healthcare, government, information technology, engineering, and energy sectors.
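The three techniques above leave distinct traces in authentication logs, and the mitigations CISA lists later in the post (strong passwords, MFA, reviewing MFA policies) are easier to justify when the activity can be spotted. The following is an added example, not code from the advisory or from Vulnerable U: it runs two simple detections over a constructed, hypothetical log format (time, event, user, source IP). Password spraying shows up as one source IP failing against many distinct accounts in a short window; MFA push bombing shows up as one user receiving a burst of push prompts. Thresholds and window sizes are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format: time event user source_ip).
SAMPLE_LOG = """\
2024-10-16T08:00:01 login_failed alice 203.0.113.7
2024-10-16T08:00:03 login_failed bob 203.0.113.7
2024-10-16T08:00:05 login_failed carol 203.0.113.7
2024-10-16T08:00:07 login_failed dave 203.0.113.7
2024-10-16T08:00:09 login_failed erin 203.0.113.7
2024-10-16T08:05:00 login_failed alice 198.51.100.9
2024-10-16T08:05:30 login_failed alice 198.51.100.9
2024-10-16T09:00:00 mfa_push_sent grace 192.0.2.44
2024-10-16T09:00:20 mfa_push_sent grace 192.0.2.44
2024-10-16T09:00:40 mfa_push_sent grace 192.0.2.44
2024-10-16T09:01:00 mfa_push_sent grace 192.0.2.44
2024-10-16T09:01:20 mfa_push_sent grace 192.0.2.44
2024-10-16T10:00:00 mfa_push_sent heidi 192.0.2.50
"""

def parse_log(text):
    """Parse 'time event user ip' lines into (datetime, event, user, ip) tuples."""
    return [(datetime.fromisoformat(t), e, u, ip)
            for t, e, u, ip in (line.split() for line in text.splitlines() if line)]

def max_distinct_in_window(pairs, window):
    """pairs: (timestamp, value). Largest count of distinct values inside any span of length `window`."""
    pairs = sorted(pairs)
    best, start = 0, 0
    for end in range(len(pairs)):
        while pairs[end][0] - pairs[start][0] > window:
            start += 1  # slide the window forward until it fits
        best = max(best, len({v for _, v in pairs[start:end + 1]}))
    return best

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed logins hit >= min_users distinct accounts within `window`."""
    by_ip = defaultdict(list)
    for ts, ev, user, ip in events:
        if ev == "login_failed":
            by_ip[ip].append((ts, user))
    return {ip for ip, p in by_ip.items() if max_distinct_in_window(p, window) >= min_users}

def detect_mfa_push_bombing(events, window=timedelta(minutes=5), min_prompts=5):
    """Flag users who receive >= min_prompts MFA push prompts within `window`."""
    by_user = defaultdict(list)
    for ts, ev, user, ip in events:
        if ev == "mfa_push_sent":
            by_user[user].append((ts, ts))  # value is the timestamp, so distinct count == prompt count
    return {u for u, p in by_user.items() if max_distinct_in_window(p, window) >= min_prompts}
```

On the sample, only 203.0.113.7 is flagged for spraying (five accounts in eight seconds; the two failures from 198.51.100.9 are one user retrying) and only grace is flagged for push bombing.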

The Big Picture: Reports of Iran-affiliated threat actors targeting U.S. industrial control systems have popped up over the past year. In November 2023, for instance, Iranian Islamic Revolutionary Guard Corps-affiliated threat actors operating under the CyberAv3ngers persona targeted Unitronics Series ICS programmable logic controllers in multiple U.S. water and wastewater systems to deface device touchscreens. Many of these critical services still rely on outdated software and poor password security or default credentials, making them lucrative targets for these types of attacks.

Next Steps: CISA and the other agencies behind today’s advisory, including the FBI, NSA, Communications Establishment Canada, Australian Federal Police and Australian Signals Directorate’s Australian Cyber Security Center, said “at a minimum, organizations should ensure all accounts use strong passwords and register a second form of authentication.”

The advisory also highlighted several other mitigations: organizations should evaluate IT helpdesk password management policies, disable user accounts and access for departing staff, and implement and continually review MFA policies.