Iranian Cybercriminals Act as Brokers to Sell Access to Critical Infrastructure

October 16, 2024

Iranian cybercriminals are breaking into critical infrastructure organizations to harvest credentials and network information, which they then sell on criminal forums, giving other threat actors a ready-made foothold for their own attacks. The actors, assessed to be operating as initial access brokers, rely on brute-force techniques to gain access to organizations across sectors including healthcare and public health, government, information technology, engineering, and energy.

A joint advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) describes the actors’ recent activity and the techniques they use to breach networks and collect data that can provide further points of entry. The advisory was co-authored by the FBI, CISA, the NSA, Canada’s Communications Security Establishment (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC). “Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations,” the advisory states.

After gaining initial access, typically by brute force, the actors work to establish persistent access to the network. They then collect further credentials, escalate privileges, and survey the compromised systems and network; that knowledge lets them move laterally and identify additional points of access and exploitation.

Several techniques recur across these intrusions. Password spraying, in which a small set of common passwords is tried against many accounts so that no single account trips its lockout threshold, was used to obtain valid user and group accounts. MFA fatigue, also called push bombing, was also observed: once the actors hold a valid password, they flood the target’s phone with MFA push notifications until the user approves one, either by accident or simply to make the prompts stop.

According to the advisory, the actors also gained initial access to Microsoft 365, Azure, and Citrix environments by methods that have not yet been determined. Once inside an account, they typically try to register their own device with the organization’s MFA system. In two confirmed compromises, the actors exploited a compromised user’s open MFA registration, an account that was entitled to MFA but had not yet enrolled an authenticator, to register the actor’s own device and access the environment.
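As an added illustration of how the spraying, push-bombing and device-registration steps above show up in sign-in telemetry, the following Python runs three simple detections over a constructed sign-in log. This is example code written for this article, not code from the advisory or its authoring agencies; the log format (timestamp,user,source_ip,event,result), the sample events, and the thresholds (five accounts in ten minutes, five push prompts in ten minutes, a one-hour grace window after an approval) are assumptions chosen for the example and would be tuned to a real identity provider’s logs.

```python
# Added example: detection logic for password spraying, MFA push bombing and a
# follow-on MFA device registration, over a constructed sign-in log. Not code
# from the advisory; the log format and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (made up for this example, not from an incident):
# 10.0.0.5 sprays five accounts once each, lands erin's password, push-bombs
# erin until a prompt is approved, then registers its own MFA device.
SAMPLE_LOG = """\
2024-10-01T08:30:00,alice,192.168.1.20,password,success
2024-10-01T08:30:05,alice,192.168.1.20,mfa_push,approved
2024-10-01T08:45:00,bob,192.168.1.21,mfa_register,success
2024-10-01T09:00:00,alice,10.0.0.5,password,failure
2024-10-01T09:00:10,bob,10.0.0.5,password,failure
2024-10-01T09:00:20,carol,10.0.0.5,password,failure
2024-10-01T09:00:30,dave,10.0.0.5,password,failure
2024-10-01T09:00:40,erin,10.0.0.5,password,failure
2024-10-01T09:03:00,erin,10.0.0.5,password,success
2024-10-01T09:04:00,erin,10.0.0.5,mfa_push,denied
2024-10-01T09:05:00,erin,10.0.0.5,mfa_push,timeout
2024-10-01T09:06:00,erin,10.0.0.5,mfa_push,denied
2024-10-01T09:07:00,erin,10.0.0.5,mfa_push,timeout
2024-10-01T09:08:00,erin,10.0.0.5,mfa_push,approved
2024-10-01T09:15:00,erin,10.0.0.5,mfa_register,success
"""


def parse_log(text):
    """Parse the CSV lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, event, result = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "event": event, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """One source IP failing against many distinct accounts inside `window`,
    with few attempts per account (the shape that dodges lockout). -> {ip: users}"""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "password" and e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        for i, start in enumerate(fails):          # sliding window over failures
            per_user = defaultdict(int)
            for f in fails[i:]:
                if f["ts"] - start["ts"] > window:
                    break
                per_user[f["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = set(per_user)
                break
    return flagged


def detect_push_bombing(events, window=timedelta(minutes=10), min_prompts=5):
    """A burst of MFA push prompts for one user in a short window; records
    whether the burst contained an approval (likely compromise)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, pushes in by_user.items():
        for i, start in enumerate(pushes):
            burst = [p for p in pushes[i:] if p["ts"] - start["ts"] <= window]
            if len(burst) >= min_prompts and len(burst) > flagged.get(user, {}).get("prompts", 0):
                flagged[user] = {"prompts": len(burst),
                                 "approved": any(p["result"] == "approved" for p in burst)}
    return flagged


def detect_suspicious_mfa_registration(events, spray_ips, bombed_users,
                                       grace=timedelta(hours=1)):
    """An MFA device registered from a spraying source IP, or for a user within
    `grace` of a push-bombing approval: the 'register the actor's own device' step."""
    approved_at = {}
    for e in events:
        if (e["event"] == "mfa_push" and e["result"] == "approved"
                and bombed_users.get(e["user"], {}).get("approved")):
            approved_at[e["user"]] = e["ts"]
    hits = []
    for e in events:
        if e["event"] != "mfa_register":
            continue
        reasons = []
        if e["ip"] in spray_ips:
            reasons.append("registered from a password-spray source IP")
        t = approved_at.get(e["user"])
        if t is not None and timedelta(0) <= e["ts"] - t <= grace:
            reasons.append("registered shortly after a push-bombing approval")
        if reasons:
            hits.append((e["user"], e["ip"], reasons))
    return hits


def analyse(text):
    """Run all three detections over a log and return the findings."""
    events = parse_log(text)
    spray = detect_password_spray(events)
    bombing = detect_push_bombing(events)
    regs = detect_suspicious_mfa_registration(events, spray, bombing)
    return {"spray": spray, "push_bombing": bombing, "mfa_registration": regs}
```

Calling `analyse(SAMPLE_LOG)` returns the spraying source with the five accounts it touched, the five-prompt burst for the one user whose password was landed, and the registration that matches both conditions. The spray rule keys on many accounts with few attempts each, which is exactly what per-account lockout policies miss; the registration rule is the one worth paging on, because a new authenticator from the spraying IP is the actor making the access durable.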

In another confirmed compromise, the actors used a self-service password reset (SSPR) tool tied to a public-facing Active Directory Federation Services (ADFS) deployment to reset accounts with expired passwords, then registered MFA through Okta for compromised accounts that did not already have MFA enabled. Lateral movement was carried out over the Remote Desktop Protocol (RDP); in at least one case the actors launched the RDP binary from a PowerShell session opened through Microsoft Word.

To escalate privileges, the actors attempted to impersonate the domain controller, “likely by exploiting Microsoft’s Netlogon (also known as “Zerologon”) privilege escalation vulnerability (CVE-2020-1472).” For discovery they relied on tools already present on the system (living off the land) to gather details about domain controllers, trusted domains, administrator and enterprise admin group membership, and the computers on the network together with their descriptions and operating systems.
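To show how the Word-to-PowerShell-to-RDP chain and the living-off-the-land domain survey described in the last two paragraphs can be caught from process-creation telemetry, here is an added Python example written for this article, not taken from the advisory. The event format, the constructed sample events, and the specific commands matched (nltest /dclist, nltest /domain_trusts, net group "Domain Admins" and "Enterprise Admins", Get-ADComputer) are assumptions: they are common built-in ways to obtain the kinds of data the advisory lists, not commands the advisory itself attributes to these actors.

```python
# Added example: two detections over constructed process-creation events.
# Not code from the advisory; the event format and the enumeration commands
# matched below are assumptions chosen for the example.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (Sysmon event ID 1 / Windows 4688 style, flattened
# to one line each). Made-up data, not from an incident:
#   timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2024-10-01T10:00:00|WS01|corp\erin|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile
2024-10-01T10:00:20|WS01|corp\erin|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Windows\System32\mstsc.exe|mstsc.exe /v:SRV01
2024-10-01T10:05:00|SRV01|corp\erin|C:\Windows\System32\cmd.exe|C:\Windows\System32\nltest.exe|nltest /dclist:corp.local
2024-10-01T10:05:10|SRV01|corp\erin|C:\Windows\System32\cmd.exe|C:\Windows\System32\nltest.exe|nltest /domain_trusts
2024-10-01T10:05:30|SRV01|corp\erin|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net group "Domain Admins" /domain
2024-10-01T10:05:40|SRV01|corp\erin|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net group "Enterprise Admins" /domain
2024-10-01T10:06:00|SRV01|corp\erin|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -Command "Get-ADComputer -Filter * -Properties Description,OperatingSystem"
2024-10-01T11:00:00|WS02|corp\helpdesk|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c net user bob /domain
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Assumed examples of built-in tooling that yields the kinds of data the
# advisory describes: DCs, trusts, admin group membership, computer inventory.
ENUM_PATTERNS = {
    "domain_controllers": re.compile(r"nltest(\.exe)?\s+/dclist", re.I),
    "trusts": re.compile(r"nltest(\.exe)?\s+/domain_trusts", re.I),
    "admin_groups": re.compile(r'net(\.exe)?\s+group\s+"?(domain|enterprise) admins"?', re.I),
    "computer_inventory": re.compile(r"Get-ADComputer\b", re.I),
}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse the pipe-delimited lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, parent, image, cmdline = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "parent": basename(parent), "image": basename(image),
                       "cmdline": cmdline})
    return sorted(events, key=lambda e: e["ts"])


def detect_office_spawned_shell(events, follow=timedelta(minutes=5)):
    """An Office application starting a shell, plus whatever that shell launched
    next on the same host: the Word -> PowerShell -> RDP client chain."""
    hits = []
    for e in events:
        if e["parent"] in OFFICE_APPS and e["image"] in SHELLS:
            children = [c["image"] for c in events
                        if c["host"] == e["host"] and c["parent"] == e["image"]
                        and timedelta(0) <= c["ts"] - e["ts"] <= follow]
            hits.append({"host": e["host"], "user": e["user"], "parent": e["parent"],
                         "shell": e["image"], "children": children})
    return hits


def detect_domain_enumeration(events, window=timedelta(minutes=15), min_categories=3):
    """Several distinct categories of domain enumeration from one host and user
    inside `window`. One 'net group' from a helpdesk box is routine; DCs, trusts,
    admin groups and the computer inventory in a few minutes is a post-compromise
    survey. -> {(host, user): categories}"""
    per_key = defaultdict(list)
    for e in events:
        for category, pat in ENUM_PATTERNS.items():
            if pat.search(e["cmdline"]):
                per_key[(e["host"], e["user"])].append((e["ts"], category))
    flagged = {}
    for key, obs in per_key.items():
        for i, (start, _) in enumerate(obs):
            cats = {c for t, c in obs[i:] if t - start <= window}
            if len(cats) >= min_categories and len(cats) > len(flagged.get(key, ())):
                flagged[key] = cats
    return flagged


def analyse(text):
    events = parse_events(text)
    return {"office_shell": detect_office_spawned_shell(events),
            "domain_enumeration": detect_domain_enumeration(events)}
```

On the sample data `analyse(SAMPLE_EVENTS)` reports one Office-spawned shell on WS01 whose child was the RDP client, and one host/user pair on SRV01 that hit all four enumeration categories within a minute, while the lone `net user` from the helpdesk workstation is ignored. The enumeration rule counts categories rather than commands so that a single noisy admin does not trip it, and matches on command lines rather than image names because the same survey can be run from cmd, PowerShell or a renamed binary.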
