Yesterday, CISA published a joint advisory stating that Iranian hackers are acting as initial access brokers to gain access to critical infrastructure organizations to collect credentials and network data that can be sold on cybercriminal forums to enable cyberattacks by other threat actors.
The government agencies warn that since October 2023, Iranian actors have used brute force, such as password spraying, and MFA ‘push bombing’ or fatigue to compromise user accounts and obtain access to organizations.
Once threat actors obtain persistent access, they typically register their own devices with the organization’s MFA system, collect more credentials, escalate privileges, and learn about the breached systems and the network, allowing them to move laterally and identify other points of access and exploitation.
The agencies made numerous recommendations including but not limited to:
- Reviewing authentication logs for failed logins
- Looking for MFA registrations with MFA in unexpected locales/devices
- Checking for suspicious privileged account use after resetting passwords
- Applying user account mitigations after password resets
- Investigating unusual activity in typically dormant accounts
- Scanning for unusual user agent strings
The alert is co-authored by the FBI, NSA, the Communications Security Establishment Canada, the Australian Federal Police, and the Australian Signals Directorate’s Australian Cyber Security Centre.
Evan Dornbush, former NSA cybersecurity expert has some perspective on this:
“Google released a report noting 70% of exploited flaws disclosed in 2023 were zero-days. Mandiant released a report noting attackers have incredibly decreased the time it takes to convert a disclosed flaw into an easily-available exploit product. Microsoft released a report noting that 78% of nation state activity is against the private sector, often in the form of for-profit actions. And CISA in collaboration with the UK and Australia are noting that criminals and governments are working together, sharing tools and access.
“The essential insight here is the necessity to evolve from purely reactive posturing, and shift to take proactive measures as part of one’s applied cybersecurity strategy. The amount of money criminals can earn is getting too little attention. It is too costly to defend, and too cheap to attack, and until we can affect a paradigm shift, things will continue to escalate.”
This is another one of those documents that’s required reading if your job is to keep your organization from getting pwned. Something that is getting harder to do these days.
UPDATE: I have two more comments on this. Starting with Avishai Avivi, CISO, SafeBreach:
“The CISA alert of Iranian cyber actors’ brute force and credential access activity is a good reminder – especially during cybersecurity awareness month – that these malicious actors are working to abuse ‘Multifactor Authentication (MFA) Exhaustion.’ If, as a good cyber-aware person, you’ve enabled MFA on your social networking, WhatsApp or other messaging apps, and bank accounts, you may have grown used to getting and approving MFA requests. The malicious actors hope you won’t pay attention and approve any MFA push notification you may receive. So, as a reminder, when you are prompted to authorize a session, please take a quick second to verify that you are the one who made that request. Malicious actors are constantly testing credentials they’ve obtained through breaches. They hope that the combination of these credentials and MFA exhaustion will let them take over your account. While the CISA alert specifically mentions critical infrastructure as the target of these malicious actors, this diligence is important to prevent access to your work and personal accounts.”
Followed by James Winebrenner, Chief Executive Officer, Elisity:
“On October 16, 2024, FBI, CISA, NSA, and other global government agencies published an advisory about how Iranian cyber actors recently compromised critical infrastructure organizations using brute force attacks and MFA bombing, then performed network discovery and lateral movement. This is just one more example of a nation-state cyber attack that used lateral movement. Also in 2024, China’s Volt Typhoon group compromised IT networks of multiple critical infrastructure organizations in the U.S., using lateral movement to access operational technology assets for potential disruptive attacks. North Korean hackers targeted aerospace and defense organizations with a new ransomware variant called FakePenny, using lateral movement for intelligence gathering. A modern identity-based microsegmentation platform would detect and prevent such unauthorized lateral movement attempts, preventing attackers from accessing sensitive systems even if initial credentials are compromised. CISOs and security architects want to look for a platform that provides comprehensive asset discovery and visibility and enables identity-based policies that enforce least-privilege access across users, devices, and applications, significantly reducing the attack surface and stopping threat actors from moving laterally within the network.”
Finally Ryan Patrick, VP of Adoption, HITRUST:
“In response to the recent joint advisory issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and their international counterparts, HITRUST acknowledges the escalating threat posed by Iranian cyber actors who are actively targeting critical infrastructure sectors, including healthcare and public health (HPH).
We recognize the critical importance of safeguarding sensitive data and systems in these highly targeted industries. The advisory highlights the need for organizations across healthcare, government, energy, and information technology to reinforce their defenses against advanced tactics, including brute force credential attacks. Cybercriminals are increasingly sophisticated in their efforts to exploit vulnerabilities and sell access to compromised networks, putting critical infrastructure at risk. A key aspect of preventing these attacks lies in integrating threat intelligence into cybersecurity strategies. HITRUST emphasizes that assessments and controls informed by up-to-date threat intelligence are crucial in identifying and mitigating emerging risks. By embedding intelligence-driven controls into their operational security, organizations can proactively defend against evolving tactics used by cybercriminals, including brute force attacks. This continuous monitoring and refinement process allows for stronger protection of sensitive data and critical infrastructure.
We encourage all organizations, especially those in the healthcare and public health sectors, to review the joint cybersecurity advisory and ensure that appropriate safeguards are in place, including the use of strong authentication methods, continuous monitoring, and proactive threat intelligence. HITRUST will continue to support these efforts by delivering the tools and resources necessary to meet the highest standards of information protection and compliance.”
CISA warns of Iranian initial access brokers targeting critical infrastructure
Posted in Commentary with tags CISA on October 17, 2024 by itnerdYesterday, CISA published a joint advisory stating that Iranian hackers are acting as initial access brokers to gain access to critical infrastructure organizations to collect credentials and network data that can be sold on cybercriminal forums to enable cyberattacks by other threat actors.
The government agencies warn that since October 2023, Iranian actors have used brute force, such as password spraying, and MFA ‘push bombing’ or fatigue to compromise user accounts and obtain access to organizations.
Once threat actors obtain persistent access, they typically register their own devices with the organization’s MFA system, collect more credentials, escalate privileges, and learn about the breached systems and the network, allowing them to move laterally and identify other points of access and exploitation.
The agencies made numerous recommendations including but not limited to:
The alert is co-authored by the FBI, NSA, the Communications Security Establishment Canada, the Australian Federal Police, and the Australian Signals Directorate’s Australian Cyber Security Centre.
Evan Dornbush, former NSA cybersecurity expert has some perspective on this:
“Google released a report noting 70% of exploited flaws disclosed in 2023 were zero-days. Mandiant released a report noting attackers have incredibly decreased the time it takes to convert a disclosed flaw into an easily-available exploit product. Microsoft released a report noting that 78% of nation state activity is against the private sector, often in the form of for-profit actions. And CISA in collaboration with the UK and Australia are noting that criminals and governments are working together, sharing tools and access.
“The essential insight here is the necessity to evolve from purely reactive posturing, and shift to take proactive measures as part of one’s applied cybersecurity strategy. The amount of money criminals can earn is getting too little attention. It is too costly to defend, and too cheap to attack, and until we can affect a paradigm shift, things will continue to escalate.”
This is another one of those documents that’s required reading if your job is to keep your organization from getting pwned. Something that is getting harder to do these days.
UPDATE: I have two more comments on this. Starting with Avishai Avivi, CISO, SafeBreach:
“The CISA alert of Iranian cyber actors’ brute force and credential access activity is a good reminder – especially during cybersecurity awareness month – that these malicious actors are working to abuse ‘Multifactor Authentication (MFA) Exhaustion.’ If, as a good cyber-aware person, you’ve enabled MFA on your social networking, WhatsApp or other messaging apps, and bank accounts, you may have grown used to getting and approving MFA requests. The malicious actors hope you won’t pay attention and approve any MFA push notification you may receive. So, as a reminder, when you are prompted to authorize a session, please take a quick second to verify that you are the one who made that request. Malicious actors are constantly testing credentials they’ve obtained through breaches. They hope that the combination of these credentials and MFA exhaustion will let them take over your account. While the CISA alert specifically mentions critical infrastructure as the target of these malicious actors, this diligence is important to prevent access to your work and personal accounts.”
Followed by James Winebrenner, Chief Executive Officer, Elisity:
“On October 16, 2024, FBI, CISA, NSA, and other global government agencies published an advisory about how Iranian cyber actors recently compromised critical infrastructure organizations using brute force attacks and MFA bombing, then performed network discovery and lateral movement. This is just one more example of a nation-state cyber attack that used lateral movement. Also in 2024, China’s Volt Typhoon group compromised IT networks of multiple critical infrastructure organizations in the U.S., using lateral movement to access operational technology assets for potential disruptive attacks. North Korean hackers targeted aerospace and defense organizations with a new ransomware variant called FakePenny, using lateral movement for intelligence gathering. A modern identity-based microsegmentation platform would detect and prevent such unauthorized lateral movement attempts, preventing attackers from accessing sensitive systems even if initial credentials are compromised. CISOs and security architects want to look for a platform that provides comprehensive asset discovery and visibility and enables identity-based policies that enforce least-privilege access across users, devices, and applications, significantly reducing the attack surface and stopping threat actors from moving laterally within the network.”
Finally Ryan Patrick, VP of Adoption, HITRUST:
“In response to the recent joint advisory issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and their international counterparts, HITRUST acknowledges the escalating threat posed by Iranian cyber actors who are actively targeting critical infrastructure sectors, including healthcare and public health (HPH).
We recognize the critical importance of safeguarding sensitive data and systems in these highly targeted industries. The advisory highlights the need for organizations across healthcare, government, energy, and information technology to reinforce their defenses against advanced tactics, including brute force credential attacks. Cybercriminals are increasingly sophisticated in their efforts to exploit vulnerabilities and sell access to compromised networks, putting critical infrastructure at risk. A key aspect of preventing these attacks lies in integrating threat intelligence into cybersecurity strategies. HITRUST emphasizes that assessments and controls informed by up-to-date threat intelligence are crucial in identifying and mitigating emerging risks. By embedding intelligence-driven controls into their operational security, organizations can proactively defend against evolving tactics used by cybercriminals, including brute force attacks. This continuous monitoring and refinement process allows for stronger protection of sensitive data and critical infrastructure.
We encourage all organizations, especially those in the healthcare and public health sectors, to review the joint cybersecurity advisory and ensure that appropriate safeguards are in place, including the use of strong authentication methods, continuous monitoring, and proactive threat intelligence. HITRUST will continue to support these efforts by delivering the tools and resources necessary to meet the highest standards of information protection and compliance.”
Leave a comment »