Iran Launches Brutal Cyber Attacks on Critical Infrastructure

Iranian Threat Actor Campaign Targets Critical Infrastructure Access

Security agencies from the United States, along with international partners, have issued a warning about an ongoing Iranian cyber campaign that targets critical infrastructure through brute-force attacks. This campaign, which has been active for over a year, aims to compromise various sectors including healthcare, government, IT, engineering, and energy.

The FBI, CISA, NSA, and cybersecurity agencies from Canada and Australia have highlighted the need for organizations to enhance their security measures by ensuring strong passwords and implementing a second form of authentication on all accounts. The threat actors behind this campaign are selling access to compromised infrastructure to cybercriminals.

The advisory follows recent reports of Iranian threat actors targeting political organizations to undermine confidence in U.S. democratic institutions. Additionally, there have been instances of these threat actors selling critical infrastructure access to ransomware groups.

The Iranian threat actors have been employing brute-force techniques like password spraying and MFA ‘push bombing’ to gain access to user accounts within organizations. They then proceed to obtain sensitive information and credentials to facilitate further access.
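Both techniques named above leave a distinctive signature in sign-in logs: password spraying touches many accounts from one source with only a few failures each (to stay under lockout thresholds), while MFA push bombing produces a burst of push prompts for a single user, sometimes ending in an approval. The following is an added example of detection logic over constructed sign-in events; it is not code from the advisory or from this article, and the log format, result codes, IP addresses, user names, timestamps and thresholds are all assumptions chosen for illustration.

```python
"""Detect password-spraying and MFA push-bombing patterns in sign-in logs.

Added example, not code from the advisory or the article. It assumes a
simplified, constructed log schema of one event per line:
    <ISO timestamp> <user> <source_ip> <result>
Result codes and thresholds are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed result codes (constructed; not a real product's schema).
FAILED_PASSWORD = "FAILED_PASSWORD"
PASSWORD_OK = "PASSWORD_OK"              # password accepted, MFA still pending
MFA_PUSH_SENT = "MFA_PUSH_SENT"          # push issued and denied or ignored
MFA_PUSH_APPROVED = "MFA_PUSH_APPROVED"  # push approved by the user

# Constructed sample log: one source sprays six accounts, gets one password
# right, then bombards that user with pushes until one is approved. A second
# source shows ordinary behaviour (a user mistyping twice, then approving).
SAMPLE_LOG = """
2024-10-16T09:00:00 alice 198.51.100.10 FAILED_PASSWORD
2024-10-16T09:00:05 bob   198.51.100.10 FAILED_PASSWORD
2024-10-16T09:00:11 carol 198.51.100.10 FAILED_PASSWORD
2024-10-16T09:00:17 dave  198.51.100.10 FAILED_PASSWORD
2024-10-16T09:00:23 erin  198.51.100.10 FAILED_PASSWORD
2024-10-16T09:00:29 frank 198.51.100.10 FAILED_PASSWORD
2024-10-16T09:05:00 frank 198.51.100.10 PASSWORD_OK
2024-10-16T09:05:30 frank 198.51.100.10 MFA_PUSH_SENT
2024-10-16T09:06:00 frank 198.51.100.10 MFA_PUSH_SENT
2024-10-16T09:06:30 frank 198.51.100.10 MFA_PUSH_SENT
2024-10-16T09:07:00 frank 198.51.100.10 MFA_PUSH_APPROVED
2024-10-16T09:10:00 grace 203.0.113.7   FAILED_PASSWORD
2024-10-16T09:11:00 grace 203.0.113.7   FAILED_PASSWORD
2024-10-16T09:12:00 grace 203.0.113.7   PASSWORD_OK
2024-10-16T09:12:20 grace 203.0.113.7   MFA_PUSH_APPROVED
"""


def parse_line(line):
    """Parse one whitespace-separated log line into a dict."""
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "result": result}


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Flag source IPs that fail passwords for many distinct users in one window.

    The signal is distinct-user count per source, not failure count per user:
    spraying deliberately keeps per-account attempts below lockout thresholds.
    Returns {source_ip: [users touched]} for each flagged source.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == FAILED_PASSWORD:
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        best = set()
        # Sliding window anchored at each failure; keep the widest user set.
        for i, start in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            findings[ip] = sorted(best)
    return findings


def detect_push_bombing(events, window=timedelta(minutes=10), min_pushes=3):
    """Flag users who receive repeated MFA pushes within a short window.

    Returns {user: {"pushes": n, "approved_after": bool}}. approved_after=True
    means a push was approved during the burst, which is the outcome push
    bombing aims for, so that account should be treated as compromised.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["result"] in (MFA_PUSH_SENT, MFA_PUSH_APPROVED):
            by_user[e["user"]].append(e)
    findings = {}
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        for i, start in enumerate(pushes):
            burst = [e for e in pushes[i:] if e["ts"] - start["ts"] <= window]
            if len(burst) >= min_pushes:
                findings[user] = {
                    "pushes": len(burst),
                    "approved_after": any(e["result"] == MFA_PUSH_APPROVED for e in burst),
                }
                break
    return findings


def run_detections(log_text=SAMPLE_LOG):
    """Parse a log and run both detectors; returns (spray, push_bombing)."""
    events = [parse_line(l) for l in log_text.strip().splitlines()]
    return detect_password_spray(events), detect_push_bombing(events)


if __name__ == "__main__":
    spray, bombing = run_detections()
    print("password spray sources:", spray)
    print("push bombing targets:", bombing)
```

On the constructed log, the first source is flagged for spraying six accounts inside thirty seconds, and `frank` is flagged for four pushes in under two minutes ending in an approval; `grace`, who mistyped her password twice and approved a single push, trips neither detector. In practice the two findings should be correlated: a push-bombing burst for an account that was just sprayed from the same source is a strong signal that the password is known to the attacker, and the account's sessions and any MFA devices registered afterwards should be reviewed.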

Among the targeted systems are Microsoft 365, Azure, and Citrix, where the threat actors exploit vulnerabilities to register their devices with MFA and gain persistent access. They also utilize VPN services, Remote Desktop Protocol, and various tools to extract credentials and information from compromised networks.

The advisory includes indicators of compromise to help organizations detect and prevent brute-force attacks, as well as specific file hashes associated with the Iranian campaign. Notably, one of the identified file hashes had gone undetected by the majority of security tools before the advisory was issued.

Security teams are urged to remain vigilant against such cyber threats and monitor their systems for any signs of malicious activity. Enhanced security measures are crucial in mitigating the risks posed by these Iranian threat actors targeting critical infrastructure.
