A joint Cybersecurity Advisory titled “Iranian cyber actors’ brute force and credential access activity compromises critical infrastructure organizations” was published on October 16 by six agencies.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released the warning to network defenders. Sectors that may be affected include healthcare and public health (HPH), government, information technology, engineering, and energy.
The advisory lists the “actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). The information is derived from FBI engagements with entities impacted by this malicious activity.”
The agencies provide recommendations and guidance for affected organizations in the advisory.
According to the statement, “Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access. The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity.”
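As an added illustration (not part of the advisory or this article), the script below runs simple detection logic over constructed sign-in events for the two patterns the statement names: password spraying (one source failing against many accounts) and MFA push bombing (one user receiving many push prompts in a short window). The event format, source addresses and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not taken from the advisory):
# (timestamp, user, source IP, result). Field names are hypothetical.
EVENTS = [
    ("2024-10-16T08:00:01", "alice", "203.0.113.7", "login_fail"),
    ("2024-10-16T08:00:03", "bob", "203.0.113.7", "login_fail"),
    ("2024-10-16T08:00:05", "carol", "203.0.113.7", "login_fail"),
    ("2024-10-16T08:00:07", "dave", "203.0.113.7", "login_fail"),
    ("2024-10-16T08:00:09", "erin", "203.0.113.7", "login_success"),
    ("2024-10-16T08:05:00", "erin", "203.0.113.7", "mfa_push_sent"),
    ("2024-10-16T08:05:20", "erin", "203.0.113.7", "mfa_push_sent"),
    ("2024-10-16T08:05:40", "erin", "203.0.113.7", "mfa_push_sent"),
    ("2024-10-16T08:06:00", "erin", "203.0.113.7", "mfa_push_sent"),
    ("2024-10-16T09:00:00", "frank", "198.51.100.2", "login_fail"),
    ("2024-10-16T09:00:10", "frank", "198.51.100.2", "login_success"),
]

def _bursts(keyed, window, threshold):
    """Keys whose sorted timestamps hold >= threshold events in some sliding window."""
    hits = {}
    for key, times in keyed.items():
        times = sorted(times)
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                hits[key] = j - i  # number of events in the first qualifying window
                break
    return hits

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """Source IPs with failed logins against >= min_accounts distinct users in window."""
    per_ip = defaultdict(dict)  # ip -> {user: time of first failure}; one entry per account
    for ts, user, ip, result in events:
        if result == "login_fail":
            per_ip[ip].setdefault(user, datetime.fromisoformat(ts))
    return _bursts({ip: list(d.values()) for ip, d in per_ip.items()}, window, min_accounts)

def detect_push_bombing(events, window=timedelta(minutes=5), min_pushes=4):
    """Users who received >= min_pushes MFA push prompts within window."""
    per_user = defaultdict(list)
    for ts, user, _ip, result in events:
        if result == "mfa_push_sent":
            per_user[user].append(datetime.fromisoformat(ts))
    return _bursts(per_user, window, min_pushes)
```

Alerts from either detector would be correlated with the subsequent MFA registration changes the advisory describes, since a new authenticator enrolled shortly after a push-bombing burst is the persistence step to look for.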