October 18, 2024 at 08:00AM
Australian, Canadian, and U.S. cybersecurity agencies revealed a year-long Iranian cyber campaign targeting critical infrastructure, employing brute-force and password spraying attacks. Techniques such as MFA prompt bombing were used to infiltrate systems in the healthcare, government, and energy sectors, with the aim of acquiring credentials for further cybercriminal activities.
### Meeting Takeaways – October 18, 2024
1. **Joint Advisory on Iranian Cyber Threats**:
– Cybersecurity agencies from Australia, Canada, and the U.S. have issued warnings regarding a year-long campaign by Iranian cyber actors targeting critical infrastructure.
– Sectors affected: Healthcare, public health, government, IT, engineering, and energy.
2. **Attack Methods**:
– **Brute-force and Password Spraying**: Compromise of user accounts to gain access.
– **MFA Prompt Bombing**: Threat actors use excessive multi-factor authentication (MFA) requests to manipulate users into approving access.
3. **Recommendations for Prevention**:
– Use phishing-resistant MFA where possible.
– Implement number matching as a fallback option.
4. **Attack Goals**:
– The primary aim is to steal credentials and sensitive network information for resale on cybercriminal forums.
– Follow-up actions involve reconnaissance, privilege escalation, and lateral movement within compromised networks.
5. **Technical Details of Attacks**:
– Exploitation of known vulnerabilities such as CVE-2020-1472 (Zerologon) for privilege escalation.
– Establishment of outbound connections using msedge.exe to Cobalt Strike C2 infrastructure.
6. **Active Directory Compromise**:
– Common target for threat actors to escalate privileges within enterprise networks.
– Alerts coincide with guidance published on techniques for compromising Active Directory systems.
7. **Collaboration Between Threat Actors**:
– Nation-state hacking groups increasingly collaborating with cybercriminals, potentially outsourcing operations for financial gain and intelligence gathering.
8. **Follow-up**:
– Ongoing monitoring of the threat landscape and enhanced security measures recommended for organizations in vulnerable sectors.
This information is crucial for enhancing cybersecurity strategies and preparing against evolving threats from organized cyber actors.
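The two access techniques listed under Attack Methods, password spraying and MFA prompt bombing, leave recognizable patterns in sign-in logs. The following detection sketch is an added example, not part of the advisory or of the original summary; the event names, thresholds, and sample log lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, user, source_ip, event).
# Event names and thresholds are assumptions, not taken from the advisory.
SAMPLE_EVENTS = [
    ("2024-10-18T08:00:01", "alice", "203.0.113.7", "password_fail"),
    ("2024-10-18T08:00:03", "bob", "203.0.113.7", "password_fail"),
    ("2024-10-18T08:00:05", "carol", "203.0.113.7", "password_fail"),
    ("2024-10-18T08:00:07", "dave", "203.0.113.7", "password_ok"),
    ("2024-10-18T08:00:10", "dave", "203.0.113.7", "mfa_push_denied"),
    ("2024-10-18T08:00:40", "dave", "203.0.113.7", "mfa_push_denied"),
    ("2024-10-18T08:01:10", "dave", "203.0.113.7", "mfa_push_denied"),
    ("2024-10-18T08:01:45", "dave", "203.0.113.7", "mfa_push_approved"),
    ("2024-10-18T09:15:20", "erin", "198.51.100.4", "password_ok"),
    ("2024-10-18T09:15:25", "erin", "198.51.100.4", "mfa_push_approved"),
]

def parse(events):
    return sorted((datetime.fromisoformat(t), u, ip, e) for t, u, ip, e in events)

def detect_spray(events, min_users=3, window=timedelta(minutes=10)):
    """Source IPs whose failed passwords hit >= min_users distinct accounts within window."""
    fails = defaultdict(list)
    for ts, user, ip, ev in parse(events):
        if ev == "password_fail":
            fails[ip].append((ts, user))
    hits = set()
    for ip, rows in fails.items():
        for i, (start, _) in enumerate(rows):
            users = {u for ts, u in rows[i:] if ts - start <= window}
            if len(users) >= min_users:
                hits.add(ip)
    return sorted(hits)

def detect_prompt_bombing(events, min_denied=3, window=timedelta(minutes=5)):
    """Users who approved a push after >= min_denied denied pushes in the preceding window."""
    denied = defaultdict(list)
    hits = []
    for ts, user, ip, ev in parse(events):
        if ev == "mfa_push_denied":
            denied[user].append(ts)
        elif ev == "mfa_push_approved":
            recent = [d for d in denied[user] if ts - d <= window]
            if len(recent) >= min_denied:
                hits.append((user, ts.isoformat()))
    return hits

if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS), detect_prompt_bombing(SAMPLE_EVENTS))
```

An approval that follows a burst of denied pushes is the signal worth paging on, since it marks the point where the account may have been handed over; tune both thresholds against your own baseline before alerting.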