October 16, 2024 at 07:22PM
Iranian hackers are infiltrating critical infrastructure sectors, including healthcare and government, using brute-force methods to acquire credentials for resale on criminal forums. A joint advisory from U.S., Canadian, and Australian cybersecurity agencies details these tactics, emphasizing the need for organizations to enhance security measures and monitor for unusual login activities.
### Meeting Takeaways:
1. **Iranian Hacker Activity**:
– Iranian hackers are targeting critical infrastructure organizations to steal credentials and network data for resale on cybercriminal forums, facilitating further cyberattacks by other actors.
2. **Sector Focus**:
– Primary targets include the healthcare and public health (HPH), government, IT, engineering, and energy sectors.
– Iranian hackers are believed to act as initial access brokers using brute-force methods.
3. **Brute-Force Techniques**:
– The hackers employ password spraying and MFA push bombing to compromise user accounts.
– After gaining access, they focus on maintaining persistent access and expanding their footprint within the network.
4. **Attack Methods**:
– Use of self-service password reset (SSPR) features and exploitation of weaknesses in systems such as ADFS and Microsoft 365 to gain further access.
– They move within networks using Remote Desktop Protocol (RDP) and may utilize PowerShell scripts.
5. **Credential Theft**:
– Collection of additional credentials appears to be facilitated by open-source tools for stealing Kerberos tickets and accessing Active Directory accounts.
6. **Privilege Escalation**:
– A notable technique involves impersonating domain controllers, potentially by exploiting the Zerologon vulnerability (CVE-2020-1472).
7. **Br0k3r Threat Actor**:
– The U.S. government has previously identified an Iranian threat actor known as Br0k3r, who offers domain control privileges for sale and works alongside ransomware affiliates.
8. **Detection Recommendations**:
– Review authentication logs for unusual login attempts and investigate ‘impossible logins’ (geographic anomalies).
– Monitor for MFA registrations from unexpected locations and scan for abnormal privileged account use.
9. **Mitigation Strategies**:
– Implement measures to improve security posture against identified tactics, techniques, and procedures (TTPs).
– Utilize indicators of compromise such as malicious file hashes, IP addresses, and devices implicated in attacks.
10. **Additional Resources**:
– Continued advisories and updates from agencies like CISA, FBI, NSA, and Australian counterparts will provide further insights into the threats posed by these actors.
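As an added illustration of the detection recommendations above (not code from the advisory or this summary), the following Python checks a small set of constructed authentication events for two of the patterns described: one source address attempting many distinct accounts within a short window (password spraying) and one user logging in successfully from two countries within an hour (an ‘impossible login’). The event format, thresholds and function names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not advisory data): user, source IP, country, result, UTC timestamp
EVENTS = [
    ("alice", "203.0.113.7", "NL", "fail", "2024-10-16T07:00:00"),
    ("bob",   "203.0.113.7", "NL", "fail", "2024-10-16T07:00:05"),
    ("carol", "203.0.113.7", "NL", "fail", "2024-10-16T07:00:10"),
    ("dave",  "203.0.113.7", "NL", "fail", "2024-10-16T07:00:15"),
    ("erin",  "203.0.113.7", "NL", "success", "2024-10-16T07:00:20"),
    ("erin",  "198.51.100.4", "US", "success", "2024-10-16T06:30:00"),
    ("frank", "192.0.2.9", "US", "fail", "2024-10-16T07:05:00"),
    ("frank", "192.0.2.9", "US", "success", "2024-10-16T07:05:30"),
]

def parse(events):
    """Turn the raw tuples into tuples with datetime objects (assumed ISO-8601 timestamps)."""
    return [(u, ip, c, r, datetime.fromisoformat(t)) for u, ip, c, r, t in events]

def password_spray_sources(events, min_users=4, window=timedelta(minutes=10)):
    """Source IPs that tried at least min_users distinct accounts inside one window.
    Spraying tries one password across many accounts, so the tell is breadth of
    usernames from a single source, not repeated failures on a single account;
    successes are counted too, because a spray that lands one hit is still a spray."""
    by_ip = defaultdict(list)
    for u, ip, _, _, t in events:
        by_ip[ip].append((t, u))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):          # sliding window from each attempt
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def impossible_logins(events, max_gap=timedelta(hours=1)):
    """Users with consecutive successful logins from different countries closer in
    time than max_gap; returns (user, earlier_country, later_country) triples."""
    by_user = defaultdict(list)
    for u, _, c, r, t in events:
        if r == "success":
            by_user[u].append((t, c))
    hits = []
    for u, logins in by_user.items():
        logins.sort()
        for (t1, c1), (t2, c2) in zip(logins, logins[1:]):
            if c1 != c2 and t2 - t1 <= max_gap:
                hits.append((u, c1, c2))
    return hits
```

On the sample above the first check flags 203.0.113.7 for touching five accounts in twenty seconds, and the second flags erin for a US login followed by an NL login half an hour later; in practice the thresholds should be tuned against a baseline of normal sign-in volume.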
### Action Items:
– Review security protocols and response plans in light of the advisory.
– Conduct a thorough audit of authentication logs and account activities across critical systems.
– Ensure all systems, particularly those vulnerable to identified attack vectors, are updated and patched accordingly.