Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations
A Deep Dive into Access Brokering and Credential Theft
Overview
CVE-2024-28995 is a high-severity directory traversal vulnerability in SolarWinds Serv-U (FTP Server, Gateway and MFT Server), affecting 15.4.2 Hotfix 1 and earlier on both Windows and Linux. It allows an unauthenticated attacker to read arbitrary files from the host, which can expose configuration files and credentials. SolarWinds has released 15.4.2 Hotfix 2 to fix the issue, and immediate patching is recommended.
Iranian Access Brokers: A Sophisticated Threat
According to a joint cybersecurity advisory from the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP) and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Iranian cyber actors have been operating as initial access brokers. They use brute-force techniques to compromise organizations, then collect credentials and information about the victim network that is later sold to other cybercriminals or used in ransomware operations.
Since October 2023, these actors have used password spraying and abuse of multifactor authentication (MFA) push notifications (push bombing) to gain unauthorized access to critical infrastructure networks. Once inside, they harvest credentials and network details that they sell to ransomware operators and other threat actors, who then carry out further exploitation.
Techniques Used by Iranian Hackers
1. Password Spraying and Brute Force Attacks
One of the primary techniques employed by the Iranian actors is password spraying: trying a few commonly used passwords against a large number of accounts. Because each account sees only one or two attempts, per-account lockout thresholds are never reached, and the activity blends into ordinary failed logins unless detection correlates failures across accounts by source. Targeted sectors include healthcare and public health, government, information technology, engineering and energy, where reliance on legacy systems and uneven password hygiene make sprays more likely to succeed.
2. Multifactor Authentication (MFA) Fatigue
Another method used by these actors is MFA fatigue, also called push bombing. After obtaining a valid password, the attacker repeatedly triggers MFA push notifications to the victim’s device until the user, overwhelmed or confused, approves a sign-in. This defeats MFA deployments that rely solely on the user declining unexpected prompts.
Once the actors are in, they secure their foothold. In confirmed cases they used a compromised account’s open MFA registration to enrol their own device, guaranteeing future access without bothering the victim again. In one confirmed compromise, they used a self-service password reset (SSPR) tool associated with a public-facing Active Directory Federation Services (ADFS) deployment to reset accounts with expired passwords, further solidifying their control over the environment.
3. Compromising Cloud and Virtual Environments
In many of the observed intrusions, the actors used the compromised credentials to access cloud and virtual environments such as Microsoft 365, Azure and Citrix systems. From there they move laterally, escalate privileges, and collect information on domain controllers and enterprise systems.
Remote Desktop Protocol (RDP) and PowerShell Exploitation: Once inside, the actors have been observed using RDP for lateral movement and persistent access. In one instance they launched PowerShell from Microsoft Word to start the RDP client; PowerShell is also used to deploy the binaries they need and to carry out post-compromise activity.
4. Privilege Escalation via Zerologon Vulnerability
One of the most dangerous tactics used by the Iranian actors is exploiting CVE-2020-1472 (Zerologon), a critical flaw in the Netlogon Remote Protocol. Weak cryptography in the authentication handshake lets an attacker with network access to a domain controller authenticate as the domain controller’s own machine account and reset its password, which is a direct path to domain administrator. With that level of access the attackers can manipulate systems, exfiltrate data, and stage ransomware deployment.
5. Living Off the Land (LoTL)
After gaining access, the Iranian actors rely heavily on tools already present in the target environment (Living off the Land, or LotL). Using built-in administrative utilities rather than custom malware helps them evade detection while enumerating domain controllers, trusted domains, administrator accounts and other critical systems. This intelligence is what they sell, and it is also what drives their own lateral movement and selection of further targets across the compromised infrastructure.
Selling Access on Cybercriminal Forums
Once the Iranian actors have access to a network, they act as brokers on cybercriminal forums, selling credentials and network access to other threat actors, including ransomware affiliates. One known Iranian actor operating under the alias Br0k3r (tracked as Pioneer Kitten, Fox Kitten and Lemon Sandstorm) has been implicated in offering full domain control of networks around the world. These access sales have enabled ransomware operators to hit schools, healthcare facilities, financial institutions and government entities.
In return, the brokers often receive a percentage of the ransom payments extracted from the compromised organizations, further incentivizing the trade.
Detecting Brute-Force and Credential Attacks
Given the increasing frequency of these attacks, it is critical for organizations to enhance their detection and response capabilities. Here are some key indicators and strategies to detect brute-force and credential attacks:
Monitor Authentication Logs: Look for failed login attempts against valid accounts that are spread across many accounts from one source in a short window. A single account failing several times is usually a user; one IP failing once against fifty accounts is a spray.
Impossible Travel and Shared Sources: Check for sign-ins from unusual geographic locations, for the same account authenticating from two distant places within minutes, and for multiple accounts logging in from the same external IP address. These anomalies point to the use of compromised credentials.
MFA Registrations and Prompt Bursts: Investigate new MFA device registrations from unfamiliar devices or locales, especially shortly after a successful sign-in; they can indicate that an attacker has enrolled their own device. A burst of MFA push prompts for one account, particularly one ending in an approval, is the signature of push bombing.
Command Line Arguments: Review process creation events and command lines for credential dumping or attempts to reach ntds.dit, the Active Directory database that holds password hashes. Because the live file is locked, attackers typically copy it through a volume shadow copy, so shadow-copy creation on a domain controller deserves scrutiny.
Privileged Account Usage: Watch for unusual activity on privileged accounts, especially after password resets or other account changes. These accounts are the target of attackers seeking to escalate their access.
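The two authentication-log checks above (spraying from one source across many accounts, and a burst of MFA push prompts ending in an approval) are simple enough to implement directly. The following is an added example, not code from the advisory or from any product; the normalized record format, the field names and the thresholds (5 accounts in 10 minutes, 4 prompts in 5 minutes) are assumptions, and the log records are constructed to show one spray that lands on a single account followed by push bombing of that account, alongside benign noise that must not alert.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (time, event, user, source_ip, result).
# Assumed normalized format; real sources would be Windows 4625/4624 events,
# Entra ID sign-in logs or the MFA provider's push audit log.
SAMPLE_LOG = [
    ("2024-10-16T02:00:01Z", "login", "alice", "203.0.113.7", "fail"),
    ("2024-10-16T02:00:09Z", "login", "bob", "203.0.113.7", "fail"),
    ("2024-10-16T02:00:18Z", "login", "carol", "203.0.113.7", "fail"),
    ("2024-10-16T02:00:27Z", "login", "dave", "203.0.113.7", "fail"),
    ("2024-10-16T02:00:36Z", "login", "erin", "203.0.113.7", "fail"),
    ("2024-10-16T02:00:55Z", "login", "erin", "203.0.113.7", "success"),  # one guess landed
    ("2024-10-16T02:05:00Z", "mfa_push", "erin", "203.0.113.7", "denied"),
    ("2024-10-16T02:05:20Z", "mfa_push", "erin", "203.0.113.7", "timeout"),
    ("2024-10-16T02:05:40Z", "mfa_push", "erin", "203.0.113.7", "denied"),
    ("2024-10-16T02:06:00Z", "mfa_push", "erin", "203.0.113.7", "timeout"),
    ("2024-10-16T02:06:20Z", "mfa_push", "erin", "203.0.113.7", "approved"),  # user gave in
    # Benign noise: a user mistyping a password twice, then a normal single MFA approval.
    ("2024-10-16T08:59:50Z", "login", "frank", "198.51.100.4", "fail"),
    ("2024-10-16T09:00:05Z", "login", "frank", "198.51.100.4", "fail"),
    ("2024-10-16T09:00:20Z", "login", "frank", "198.51.100.4", "success"),
    ("2024-10-16T09:00:25Z", "mfa_push", "frank", "198.51.100.4", "approved"),
]


def parse_log(records):
    """Turn the raw tuples into dicts with a real datetime for window arithmetic."""
    return [
        {"time": datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), "event": ev,
         "user": u, "ip": ip, "result": r}
        for t, ev, u, ip, r in records
    ]


def _sliding_windows(events, key, window):
    """Group events by `key` (source IP or user), sort by time and yield, for
    every event, that key's events falling inside `window` ending at it."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key]].append(e)
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, last in enumerate(evs):
            while last["time"] - evs[start]["time"] > window:
                start += 1
            yield k, evs[start:end + 1]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Spray signature: one source IP failing against many distinct accounts
    in a short window. Per-account lockout never trips because each account
    sees only one or two attempts, so the correlation has to be by source.
    Also reports accounts that later succeeded from the same IP (guesses that landed)."""
    fails = [e for e in events if e["event"] == "login" and e["result"] == "fail"]
    alerts = {}
    for ip, win in _sliding_windows(fails, "ip", window):
        accounts = {e["user"] for e in win}
        if len(accounts) < min_accounts:
            continue
        compromised = sorted({
            e["user"] for e in events
            if e["event"] == "login" and e["result"] == "success"
            and e["ip"] == ip and e["user"] in accounts and e["time"] >= win[0]["time"]
        })
        alerts[ip] = {"ip": ip, "accounts": sorted(accounts), "compromised": compromised}
    return list(alerts.values())


def detect_push_bombing(events, window=timedelta(minutes=5), min_prompts=4):
    """Push-bombing signature: many MFA push prompts for one account in a short
    window. The later, larger window overwrites the earlier one so the alert
    reflects the whole burst; an approval at its end is the high-severity case."""
    pushes = [e for e in events if e["event"] == "mfa_push"]
    alerts = {}
    for user, win in _sliding_windows(pushes, "user", window):
        if len(win) >= min_prompts:
            alerts[user] = {"user": user, "prompts": len(win),
                            "sources": sorted({e["ip"] for e in win}),
                            "approved": win[-1]["result"] == "approved"}
    return list(alerts.values())


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_password_spray(evs) + detect_push_bombing(evs):
        print(alert)
```

Run against the sample, the spray detector flags 203.0.113.7 with erin as the account whose password was guessed, and the push-bombing detector flags erin with five prompts ending in an approval, while frank’s two typos and single approval produce nothing. In production the thresholds need tuning per tenant, and the “approved after a burst” case should trigger an immediate session revocation and a review of MFA registrations on that account.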
Recommendations for Strengthening Cybersecurity
To defend against these sophisticated attacks, the joint advisory recommends several mitigations that organizations should adopt:
Implement Strong MFA Policies: Move to phishing-resistant MFA such as FIDO2 hardware tokens where possible. Where push-based MFA remains, enable number matching, rate-limit prompts, and review and lock down self-service MFA device registration so a compromised password alone cannot be used to enrol an attacker’s device.
Regular Patching: Ensure all systems, particularly domain controllers exposed to known flaws like Zerologon and internet-facing services such as ADFS and SSPR portals, are patched and up to date.
Network Segmentation: Separate critical infrastructure from general-purpose networks to limit an attacker’s ability to move laterally from a compromised user account toward domain controllers and OT systems.
Continuous Monitoring and Threat Hunting: Centralize authentication, MFA and endpoint logs, hunt for the indicators listed above, and enrich alerts with threat intelligence on known brute-force infrastructure.
Incident Response Plans: Maintain a tested incident response plan that covers credential compromise specifically: forced password resets, revocation of active sessions and MFA devices, and containment steps ready for a ransomware deployment that may follow an access sale.
Conclusion
The convergence of state-sponsored cyber activity and cybercrime has escalated the threat to critical infrastructure. Iranian actors, acting both as direct intruders and as access brokers, are profiting from weak authentication in critical infrastructure organizations, with serious consequences for public safety and national security. Because the initial access in these cases is bought with guessed passwords and worn-down users rather than novel exploits, organizations that adopt phishing-resistant MFA, correlate authentication logs across accounts, and monitor MFA registrations remove most of what these brokers have to sell.
References
Iranian State Hackers Act As Access Brokers For Ransomware Gangs, The Cyber Express.
Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations, CISA joint cybersecurity advisory.
Iranian hackers act as brokers selling critical infrastructure access, BleepingComputer.