Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have issued a warning about a year-long campaign by Iranian cyber actors aimed at infiltrating critical infrastructure organizations using brute-force attacks. The campaign, ongoing since October 2023, has primarily targeted the healthcare and public health (HPH) sector, government, information technology, engineering, and energy sectors.
Key Points from the Joint Advisory:
Agencies Involved: The Australian Federal Police (AFP), the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), Communications Security Establishment Canada (CSE), the U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) jointly issued the advisory.
Tactics Used: The Iranian threat actors employed brute force and password spraying techniques to compromise user accounts. They also utilized a tactic known as multi-factor authentication (MFA) prompt bombing to manipulate users into unintentionally approving access requests.
MFA Prompt Bombing: This method, also called *MFA fatigue*, involves flooding a user with push notifications until they approve a request out of frustration or confusion. Experts recommend phishing-resistant MFA or number matching as effective defenses against such attacks.
Living-off-the-Land (LotL) Techniques: After gaining initial access, the attackers conducted extensive reconnaissance using built-in tools to avoid detection. They escalated privileges via vulnerabilities like CVE-2020-1472 (aka Zerologon) and moved laterally within networks using Remote Desktop Protocol (RDP).
Use of msedge.exe: The attackers also used *msedge.exe* to establish connections to *Cobalt Strike* command-and-control (C2) infrastructure, a common tactic for communicating with attacker-controlled infrastructure.
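The password-spraying and MFA prompt-bombing behaviour described above leaves a recognisable pattern in authentication logs: one source failing once against many accounts, and a burst of push prompts to a single user. The following is an added example, not code from the advisory or the issuing agencies, that runs two simple window-based detectors over constructed sample events; the event format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (timestamp, user, source IP, event); not from the
# advisory. One source sprays many accounts, then one user gets a burst of MFA pushes.
SAMPLE_EVENTS = [
    ("2023-10-12T02:00:05", "alice", "203.0.113.7", "login_failure"),
    ("2023-10-12T02:00:09", "bob", "203.0.113.7", "login_failure"),
    ("2023-10-12T02:00:14", "carol", "203.0.113.7", "login_failure"),
    ("2023-10-12T02:00:20", "dave", "203.0.113.7", "login_failure"),
    ("2023-10-12T02:00:27", "erin", "203.0.113.7", "login_failure"),
    ("2023-10-12T02:01:00", "frank", "203.0.113.7", "mfa_push_sent"),
    ("2023-10-12T02:01:40", "frank", "203.0.113.7", "mfa_push_sent"),
    ("2023-10-12T02:02:15", "frank", "203.0.113.7", "mfa_push_sent"),
    ("2023-10-12T02:03:05", "frank", "203.0.113.7", "mfa_push_sent"),
    ("2023-10-12T02:03:50", "frank", "203.0.113.7", "mfa_push_sent"),
    ("2023-10-12T09:15:00", "alice", "198.51.100.4", "login_failure"),  # benign mistyped password
]

def _windowed_max(items, window, key):
    """Largest key(values) over any window-long span of (timestamp, value) pairs."""
    items.sort()
    best = 0
    for i, (start, _) in enumerate(items):
        best = max(best, key([x for ts, x in items[i:] if ts - start <= window]))
    return best

def detect_password_spray(events, window=timedelta(minutes=60), min_users=5):
    # Spray signature: one source IP, many distinct accounts, few attempts each.
    by_ip = defaultdict(list)
    for ts, user, ip, kind in events:
        if kind == "login_failure":
            by_ip[ip].append((datetime.fromisoformat(ts), user))
    hits = {ip: _windowed_max(f, window, lambda xs: len(set(xs))) for ip, f in by_ip.items()}
    return {ip: n for ip, n in hits.items() if n >= min_users}  # ip -> distinct accounts hit

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_pushes=5):
    # Prompt-bombing signature: many push prompts to one user inside a short window.
    pushes = defaultdict(list)
    for ts, user, _, kind in events:
        if kind == "mfa_push_sent":
            pushes[user].append((datetime.fromisoformat(ts), 1))
    hits = {u: _windowed_max(p, window, len) for u, p in pushes.items()}
    return {u: n for u, n in hits.items() if n >= min_pushes}  # user -> pushes in window

if __name__ == "__main__":
    print("spray sources:", detect_password_spray(SAMPLE_EVENTS))
    print("MFA fatigue targets:", detect_mfa_fatigue(SAMPLE_EVENTS))
```

Thresholds are deliberately conservative; tune them against a baseline of normal failed-login and push volume before alerting on them.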
Objectives and Consequences:
– The primary goal of these attacks appears to be credential theft and data collection about the victim’s network infrastructure. This information is then sold on cybercriminal forums to facilitate further malicious activities by other threat actors.
– These tactics highlight a broader trend where nation-state hacking groups collaborate with cybercriminals to achieve their geopolitical and financial objectives. This trend involves outsourcing parts of their operations and sharing tools like infostealers and command-and-control frameworks.
Active Directory and Geopolitical Implications:
– The advisory follows recent guidance from the *Five Eyes* intelligence alliance regarding the common techniques used by threat actors to compromise Active Directory—a widely used authentication system in enterprise networks.
– Microsoft, in its *Digital Defense Report 2024*, noted that nation-state threat actors are increasingly motivated by financial gain and have started working with cybercriminal groups to collect intelligence, often leveraging the same tools used by the broader cybercrime community.
Collaboration in the Threat Landscape:
– The shift in the threat landscape shows a clear collaboration between nation-state hackers and cybercriminals, which is becoming a strategic approach to maximize the impact of cyber operations.
– These actors are conducting financial and intelligence-gathering operations that target not just private organizations but also government entities, further raising the overall level of cyber threat.
This advisory underlines the critical need for organizations, especially in the healthcare, government, and energy sectors, to adopt robust security practices, including advanced authentication methods and constant monitoring for suspicious activities to counter these evolving cyber threats.