The AFP and the ASD’s ACSC have released a joint advisory describing the “brute force” tactics of Iranian threat actors against critical infrastructure entities.
The Australian Federal Police (AFP) and the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) released a joint advisory today (17 October) with other international agencies to warn of an ongoing Iran-backed cyber campaign targeting critical infrastructure.
The United States’ FBI, Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) were also signatories, alongside the Communications Security Establishment Canada.
Iranian threat actors have been observed using a wide range of techniques to gain network access to critical infrastructure entities in the IT, government, healthcare, energy, and engineering sectors, in particular “brute force” tactics such as password spraying, combined with a technique known as push bombing to get past multifactor authentication (MFA). The activity has been observed since October 2023.
According to cyber security company Tenable’s research director, Ray Carney, push bombing “is a tactic employed by threat actors that floods, or bombs, a user with MFA push notifications with the goal of manipulating the user into approving the request either unintentionally or out of annoyance”.
“This tactic is also referred to as MFA fatigue,” Carney said.
The Iranian hackers have also used public-facing password reset systems to take over accounts whose passwords had expired.
Once an account has been compromised, the threat actors register their own devices for MFA on that account to maintain persistence, and then go about network reconnaissance, looking for more user credentials and any information that could give them access to additional points on the network.
The hackers also move laterally using Remote Desktop Protocol and PowerShell, and use living-off-the-land techniques to gather further network and user information. In some instances, data was exfiltrated, but in the main the Iranian actors are selling the gathered credentials and network access on criminal hacking forums, leading to further malicious activity.
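As an added example (not code from the advisory, the agencies or this article), the three log-level heuristics below correspond to the three steps just described: password spraying (one source address failing against many accounts), push bombing (a burst of rejected MFA prompts that ends in an approval), and a new MFA device registered shortly after a password reset. The log format, field names, thresholds and sample entries are all constructed for the example; real telemetry (an identity provider's sign-in and MFA audit logs) carries the same signals under different field names.

```python
# Added example: three detection heuristics for the tradecraft described above,
# run over constructed sample logs. Not from the advisory or the article.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed format:
# timestamp|event|user|src_ip|detail
SAMPLE_LOG = """\
2024-10-17T01:00:05Z|login_failed|alice|203.0.113.9|bad_password
2024-10-17T01:00:07Z|login_failed|bob|203.0.113.9|bad_password
2024-10-17T01:00:09Z|login_failed|carol|203.0.113.9|bad_password
2024-10-17T01:00:11Z|login_failed|dave|203.0.113.9|bad_password
2024-10-17T01:00:13Z|login_failed|erin|203.0.113.9|bad_password
2024-10-17T01:00:15Z|login_failed|frank|203.0.113.9|bad_password
2024-10-17T01:00:17Z|login_success|grace|203.0.113.9|password_ok
2024-10-17T01:01:00Z|mfa_push|grace|203.0.113.9|denied
2024-10-17T01:01:30Z|mfa_push|grace|203.0.113.9|timeout
2024-10-17T01:02:00Z|mfa_push|grace|203.0.113.9|denied
2024-10-17T01:02:30Z|mfa_push|grace|203.0.113.9|timeout
2024-10-17T01:03:00Z|mfa_push|grace|203.0.113.9|approved
2024-10-17T02:10:00Z|password_reset|heidi|198.51.100.7|self_service_portal
2024-10-17T02:12:00Z|mfa_device_registered|heidi|198.51.100.7|new_authenticator
2024-10-17T03:00:00Z|login_failed|ivan|192.0.2.44|bad_password
2024-10-17T03:00:05Z|login_success|ivan|192.0.2.44|password_ok
"""

def parse_log(text):
    """Parse the pipe-delimited log into time-sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, src_ip, detail = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event": event, "user": user, "src_ip": src_ip,
                       "detail": detail})
    return sorted(events, key=lambda e: e["ts"])

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Password spraying: one source IP failing against many distinct accounts
    inside `window` (many users, few passwords), unlike a brute force that
    hammers one account. Returns {src_ip: sorted list of targeted usernames}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_ip[e["src_ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window; evs are time-sorted
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
    return hits

def detect_push_bombing(events, window=timedelta(minutes=10), min_rejected=3):
    """MFA fatigue: a burst of denied or timed-out push prompts for one user.
    Returns {user: {"rejected": n, "approved": bool}}; approved=True means the
    burst ended in an approval, i.e. a probable account takeover."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)
    result = {}
    for user, evs in by_user.items():
        rejected = []
        for e in evs:
            # keep only the rejected prompts still inside the window
            rejected = [r for r in rejected if e["ts"] - r["ts"] <= window]
            if e["detail"] in ("denied", "timeout"):
                rejected.append(e)
            elif e["detail"] == "approved":
                if len(rejected) >= min_rejected:
                    result[user] = {"rejected": len(rejected), "approved": True}
                rejected = []
        if user not in result and len(rejected) >= min_rejected:
            result[user] = {"rejected": len(rejected), "approved": False}
    return result

def detect_mfa_reregistration(events, max_gap=timedelta(hours=1)):
    """Persistence step: a new MFA device registered within `max_gap` of a
    password reset for the same user. Returns [(user, reset_ts, register_ts)]."""
    last_reset, findings = {}, []
    for e in events:
        if e["event"] == "password_reset":
            last_reset[e["user"]] = e["ts"]
        elif e["event"] == "mfa_device_registered":
            reset_ts = last_reset.get(e["user"])
            if reset_ts is not None and e["ts"] - reset_ts <= max_gap:
                findings.append((e["user"], reset_ts, e["ts"]))
    return findings

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("password spray:", detect_password_spray(evs))
    print("push bombing:", detect_push_bombing(evs))
    print("MFA re-registration:", detect_mfa_reregistration(evs))
```

The thresholds are deliberately loose and need tuning per environment: real spraying is often slow (one guess per account per hour to stay under lockout policies), so the spray window may need to be hours rather than minutes, and a push-bombing burst with no final approval is still worth an alert, which is why the function reports it with `approved` set to false.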
“The sale of systems access as a result of compromise can have a wide range of direct and indirect consequences, like ransomware attacks, data breaches, supply chain breaches, and direct control of breached systems resulting in escalation and secondary impacts to downstream users – such as power outages or water contamination,” Carney said.
“This is a serious issue that critical infrastructure operators have a responsibility to their customers to resolve.”
The full advisory includes detailed indicators of compromise and mitigation advice.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.