Iranian hackers are acting as Initial Access Brokers (IAB), selling access to critical infrastructure organizations in the West to the highest bidder. A joint security advisory recently published by the US Cybersecurity and Infrastructure Agency (CISA), together with the FBI, NSA, the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ASCS), claims Iranian threat actors are actively engaged in brute force attacks (password spraying, MFA push bombing, and similar).
Since October 2023, these unnamed organizations have been targeting healthcare and public health (HPH) organizations, the government, information technology, engineering, and energy sectors.[1]
CISA recommendations – Iran’s goal is to obtain login credentials, and to map out the target victim’s infrastructure. They then establish persistence in various ways, including modifying MFA registrations. This information is then sold on the Dark Web. “The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity,” the report says.
To defend against these attacks, CISA and allies suggest firms review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared passwords. They should also disable user accounts and access to organizational resources for departing staff, implement phishing-resistant MFA, and continuously review MFA settings. Furthermore, they should provide their employee’s basic cybersecurity training, track unsuccessful login attempts, and have users deny MFA requests they did not generate. Finally, they should ensure users with MFA-enabled accounts have appropriately set up MFA, ensure password policies that align with the latest NIST Digital Identity Guidelines, and meet the minimum password strength.
All of these points are considered best cybersecurity practices, CISA concludes, “aimed at meaningfully reducing risks to both critical infrastructure operations and the American people.”
Since 2018 (and even before that), Red Sky has been reporting on Iranian hackers. Since 2018, Iran has developed a very strong hacking program and causing havoc worldwide.
https://redskyalliance.org/xindustry/iranian-apt-groups
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.msn.com/en-us/news/technology/cisa-issues-advisory-on-iranian-brokers-selling-access-to-critical-infrastructure/ar-AA1ssqEt/
Comments