Iranian Cyberattacks: Threats to Critical Infrastructure and Proactive Defense Strategies

Martin Kouyoumdjian

Iranian Cyberattacks on Critical Infrastructure

Since October 2023, Iranian cyber actors have conducted a sustained campaign against several critical infrastructure sectors. The campaign centers on compromising user accounts, chiefly through brute force and password spraying. Brute forcing tries many passwords against a single account, while password spraying tries a few common passwords across many accounts, which keeps each account below lockout thresholds and lets the attempts blend in with ordinary failed sign-ins.

MFA Vulnerabilities and Sector-Specific Targeting

A particularly vexing method used by these attackers is Multi-Factor Authentication (MFA) prompt bombing, also referred to as MFA fatigue. The attacker triggers push prompt after push prompt until the user, out of habit, confusion, or simply to make the notifications stop, approves one and thereby grants unauthorized access. The targets span healthcare, government, information technology, engineering, and energy organizations.

The attackers' initial access typically relies on valid user and group email accounts, obtained through brute force or other unspecified methods, which give them a foothold in systems such as Microsoft 365, Azure, and Citrix.

Persistent Access and Tool Exploitation

Once access is gained, the attackers modify the account's MFA registrations so that their access persists even after the original credential is changed. They then perform network discovery to harvest further credentials and other sensitive information, tightening their grip on the targeted network.

The reliance on open-source and Living-off-the-Land (LotL) tools is notable here. These tools support reconnaissance and credential harvesting, and the actors exploit known vulnerabilities, notably CVE-2020-1472 (ZeroLogon) in the Netlogon protocol, to escalate privileges and impersonate domain controllers.

Lateral Movement and Sale of Network Access

Remote Desktop Protocol (RDP) is the usual channel for lateral movement, letting the attackers move between hosts inside a compromised network. They also route their activity through Virtual Private Network (VPN) services: several of the observed IP addresses belong to the Private Internet Access VPN service, which masks the true origin of their traffic.

These intrusions rarely end with the initial breach. Compromised credentials and network access details are sold on cybercriminal forums, feeding follow-on activity such as ransomware attacks and data breaches. This represents a significant threat to organizational integrity and data security.

Recommended Mitigations and Defensive Measures

In response to these ongoing threats, organizations are strongly advised to implement several defensive measures. Reviewing authentication logs regularly, enforcing strong password policies, and adopting phishing-resistant MFA all help guard against these attacks. Security awareness training for users and validating security controls against the MITRE ATT&CK framework are further critical steps in reinforcing organizational defenses.
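The authentication log review recommended above, worked through as an added example that is not part of the original article: a small Python detector that flags the two credential-access patterns the article describes, password spraying (one source failing against many distinct accounts) and MFA prompt bombing (one account receiving a burst of push prompts, the worst case being an approval after a run of denials). The CSV column layout, the thresholds and the helper names (`parse_log`, `bursts`, `detect_password_spray`, `detect_mfa_fatigue`) are assumptions chosen for the example; the log lines are constructed, not real telemetry.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO
from itertools import groupby

# Constructed sample sign-in log (not real data). Columns: time, account, source IP, sign-in result, MFA outcome ("-" = wrong password, so no push prompt was ever sent).
SAMPLE_LOG = """time,user,ip,result,mfa
2024-10-01T08:00:01,alice,203.0.113.7,failure,-
2024-10-01T08:00:04,bob,203.0.113.7,failure,-
2024-10-01T08:00:09,carol,203.0.113.7,failure,-
2024-10-01T08:00:13,dave,203.0.113.7,failure,-
2024-10-01T08:00:17,erin,203.0.113.7,failure,-
2024-10-01T08:05:00,alice,198.51.100.2,success,approved
2024-10-01T09:12:00,frank,203.0.113.7,failure,denied
2024-10-01T09:12:40,frank,203.0.113.7,failure,denied
2024-10-01T09:13:20,frank,203.0.113.7,failure,denied
2024-10-01T09:14:00,frank,203.0.113.7,success,approved
"""

def parse_log(text):
    # Parse the CSV rows and turn the timestamp column into a datetime for window arithmetic.
    return [dict(r, time=datetime.fromisoformat(r["time"])) for r in csv.DictReader(StringIO(text))]

def bursts(events, group_key, window):
    """Yield (key, events) for every sliding time window of length `window` within each group."""
    for key, grp in groupby(sorted(events, key=lambda e: (group_key(e), e["time"])), group_key):
        evs, start = list(grp), 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # slide the window start forward until it fits
            yield key, evs[start:end + 1]

def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Spraying signature: one source IP failing against many distinct accounts inside one window."""
    failures = [e for e in events if e["result"] == "failure" and e["mfa"] == "-"]
    hits = {}
    for ip, win in bursts(failures, lambda e: e["ip"], window):
        users = {e["user"] for e in win}
        if len(users) >= min_accounts:
            hits[ip] = max(hits.get(ip, 0), len(users))  # widest spread seen for this source
    return hits

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Prompt-bombing signature: one account gets many prompts in one window; an approval after denials is the strongest indicator."""
    prompts = [e for e in events if e["mfa"] != "-"]
    hits = {}
    for user, win in bursts(prompts, lambda e: e["user"], window):
        if len(win) >= min_prompts:
            hits.setdefault(user, {"prompts": 0, "approved": False})
            hits[user]["prompts"] = max(hits[user]["prompts"], len(win))
            hits[user]["approved"] |= any(e["mfa"] == "approved" for e in win)
    return hits
```

On the sample data the spray detector reports the single source that failed against five accounts in sixteen seconds, while the MFA detector reports the one account that received four prompts in two minutes and finally approved one; the legitimate single-prompt sign-in is not flagged.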