Iranian actors selling login access to organizations' networks


International security agencies have raised alarms about Iranian cyber actors compromising networks across critical infrastructure sectors.

These actors reportedly sell login access to these networks, posing significant risks to global cybersecurity.


This article delves into the methods used by these actors and the sectors affected and recommends measures for organizations to safeguard against such threats.

The Cybersecurity Advisory

The advisory was jointly released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).


The document warns network defenders about Iranian cyber actors employing brute force and other techniques to infiltrate organizations within critical infrastructure sectors, including healthcare, government, information technology, engineering, and energy.

Techniques Employed by Iranian Actors

Since October 2023, Iranian cyber actors have utilized various methods to compromise organizational networks.

These include brute force attacks such as password spraying, as well as multifactor authentication (MFA) push bombing. Once access is gained, these actors modify MFA registrations to maintain persistent access.

They conduct network discovery to obtain additional credentials and information that can be sold on cybercriminal forums, enabling other malicious actors to exploit these networks further.

Impact on Critical Infrastructure

These cyber actors target sectors crucial to national security and public safety. The healthcare and public health sectors, government entities, information technology firms, engineering companies, and energy providers are among those affected.

Compromising such networks can lead to severe consequences, including data breaches, operational disruptions, and potential threats to public safety.

Recommendations for Organizations

The advisory provides several recommendations for organizations to protect themselves against these threats. Key measures include:

  • Implementing Strong Passwords: Organizations should ensure all accounts use robust passwords and register a second form of authentication.
  • Monitoring Authentication Logs: Regularly reviewing logs for system and application login failures can help detect brute force activity.
  • Phishing-Resistant MFA: Implementing phishing-resistant MFA is crucial to prevent unauthorized access.
  • Continuous Security Testing: Organizations should exercise, test, and validate their security programs against known threat behaviors.

Detection and Mitigation Strategies

To detect potential compromises, organizations are advised to look for signs such as multiple failed authentication attempts across accounts, suspicious logins from unexpected geographic locations, and unusual user agent strings.

Additionally, monitoring for MFA registrations from unfamiliar devices or locales can help identify unauthorized access attempts.
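The two detection signals described above, password spraying (one source failing against many distinct accounts in a short window) and MFA registration from an unfamiliar locale, as an added example over constructed log lines; this is illustrative code, not tooling from the advisory, and the log format, thresholds and the `known_locales` map are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the advisory): timestamp, event, user, source IP, country
SAMPLE_LOGS = """\
2024-10-01T08:00:01Z LOGIN_FAIL alice 203.0.113.7 NL
2024-10-01T08:00:05Z LOGIN_FAIL bob 203.0.113.7 NL
2024-10-01T08:00:09Z LOGIN_FAIL carol 203.0.113.7 NL
2024-10-01T08:00:14Z LOGIN_FAIL dave 203.0.113.7 NL
2024-10-01T08:00:20Z LOGIN_FAIL erin 203.0.113.7 NL
2024-10-01T08:00:31Z LOGIN_OK erin 203.0.113.7 NL
2024-10-01T08:02:10Z MFA_REGISTER erin 203.0.113.7 NL
2024-10-01T09:15:00Z LOGIN_FAIL frank 198.51.100.4 US
2024-10-01T09:15:30Z LOGIN_OK frank 198.51.100.4 US
"""

def parse(lines):
    """Parse the assumed space-separated format into (ts, event, user, ip, country) tuples."""
    events = []
    for line in lines.strip().splitlines():
        ts, event, user, ip, country = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, ip, country))
    return events

def detect_spraying(events, window=timedelta(minutes=10), min_users=4):
    """Return {ip: users} for sources that failed against >= min_users distinct accounts
    within any sliding window of the given length (thresholds are assumed, tune per environment)."""
    fails = defaultdict(list)  # ip -> [(ts, user)]
    for ts, event, user, ip, _ in events:
        if event == "LOGIN_FAIL":
            fails[ip].append((ts, user))
    hits = {}
    for ip, recs in fails.items():
        recs.sort()
        for i, (start, _) in enumerate(recs):
            users = {u for t, u in recs[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = users
                break
    return hits

def detect_unfamiliar_mfa(events, known_locales):
    """Return (user, ip, country) for MFA registrations outside the user's known locales.
    known_locales is an assumed baseline map of user -> set of expected country codes."""
    return [(u, ip, c) for _, e, u, ip, c in events
            if e == "MFA_REGISTER" and c not in known_locales.get(u, set())]
```

In the sample, the spray against five accounts precedes a successful login and an MFA registration for the last account tried, which is exactly the sequence the advisory says to watch for.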

Mitigation strategies include promptly disabling user accounts for departing staff and ensuring password policies align with the latest guidelines. Providing basic cybersecurity training to users can also enhance an organization’s overall security posture.

Iranian cyber actors’ sale of login access highlights the evolving nature of cyber threats facing critical infrastructure worldwide.

Organizations must remain vigilant and proactive in implementing robust cybersecurity measures to protect their networks from such sophisticated attacks.

By following the recommendations outlined in the advisory, they can better safeguard their systems against unauthorized access and potential exploitation by cybercriminals.
