Alert Issued on Iranian Threat Actors Attacking Critical Infrastructure Entities

by Ryan Coyne | Oct 20, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Communications Security Establishment Canada (CSE), the National Security Agency (NSA), the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), and the Australian Federal Police (AFP) have issued a joint cybersecurity advisory warning the Healthcare and Public Health (HPH) sector and other critical infrastructure sectors that Iranian cyber actors are using brute force techniques to gain initial access to critical infrastructure entities in the U.S.

The agencies observed Iranian cyber actors using brute force techniques such as password spraying and multifactor authentication (MFA) push bombing to obtain credentials. Once inside a network, they use that access to harvest additional credentials, escalate privileges, and establish persistence. Password spraying means trying a small set of default or commonly used passwords against many accounts at once, which lets the attacker test large numbers of users without triggering the per-account lockout that a conventional brute force attack would. The actors particularly target Microsoft 365, Azure, and Citrix accounts.

When an organization uses push notification-based MFA, threat actors who already hold a valid password can perform push bombing. They flood the user with MFA push notifications in the hope that the user approves one by mistake, or becomes annoyed enough to approve it simply to stop the prompts. Once a push is approved, the actors can register their own device for MFA on the compromised account, so that future MFA prompts are delivered to them rather than to the legitimate user, giving them durable access.

In several instances, the threat actors took advantage of a compromised user's open MFA registration (an account with a valid password but no MFA device yet enrolled) to register their own device. In one attack, the actors used the self-service password reset tool of a public-facing Active Directory Federation Services (ADFS) deployment to reset accounts with expired passwords, then registered MFA through Okta for compromised accounts that did not already have MFA enabled. After gaining access, the actors moved laterally using the Remote Desktop Protocol (RDP) and used living-off-the-land techniques to collect information about the targeted internal networks. They also sell the access and credentials they obtain to cybercriminal groups.

The cybersecurity advisory recommends the following for identifying brute force activity:

  • Review authentication logs for 'impossible logins', such as sign-ins from IP addresses that do not match the user's expected location, successive sign-ins from locations too far apart to be reached in the time between them, and unusual user agent strings.
  • Have the IT team track MFA registrations. Registrations should not come from unusual locations or unknown devices.
  • Look for suspicious use of privileged accounts after a password reset or after other account mitigations have been applied.
  • Look for process execution and command-line arguments that may indicate credential dumping, and for unusual activity in normally dormant accounts.
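The following Python script is an added example, not code from the advisory or from the page's author, showing how the brute force patterns described above (password spraying, MFA push bombing, impossible logins, and MFA registration from a newly seen device) can be detected from sign-in records. The CSV schema, the sample log lines, and the thresholds are all constructed assumptions; a real deployment would map the fields from its identity provider's audit log and tune the thresholds to its own baseline.

```python
"""Detectors for the brute force patterns in the joint advisory, run over
constructed sign-in records. Added example; the log schema and thresholds
below are assumptions, not a vendor format."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample log. Fields: timestamp, user, source IP, event, result,
# latitude, longitude. Events: SIGNIN, MFA_PUSH, MFA_REGISTER.
SAMPLE_LOG = """\
2024-10-14T07:30:00Z,frank,198.51.100.9,SIGNIN,SUCCESS,40.7,-74.0
2024-10-14T08:00:01Z,alice,203.0.113.7,SIGNIN,FAIL,51.5,-0.1
2024-10-14T08:00:02Z,bob,203.0.113.7,SIGNIN,FAIL,51.5,-0.1
2024-10-14T08:00:03Z,carol,203.0.113.7,SIGNIN,FAIL,51.5,-0.1
2024-10-14T08:00:04Z,dave,203.0.113.7,SIGNIN,FAIL,51.5,-0.1
2024-10-14T08:00:05Z,erin,203.0.113.7,SIGNIN,FAIL,51.5,-0.1
2024-10-14T08:00:06Z,frank,203.0.113.7,SIGNIN,SUCCESS,51.5,-0.1
2024-10-14T08:01:00Z,frank,203.0.113.7,MFA_PUSH,DENIED,51.5,-0.1
2024-10-14T08:01:30Z,frank,203.0.113.7,MFA_PUSH,DENIED,51.5,-0.1
2024-10-14T08:02:00Z,frank,203.0.113.7,MFA_PUSH,DENIED,51.5,-0.1
2024-10-14T08:02:30Z,frank,203.0.113.7,MFA_PUSH,DENIED,51.5,-0.1
2024-10-14T08:03:00Z,frank,203.0.113.7,MFA_PUSH,APPROVED,51.5,-0.1
2024-10-14T08:04:00Z,frank,203.0.113.7,MFA_REGISTER,SUCCESS,51.5,-0.1
2024-10-14T09:00:00Z,grace,192.0.2.44,SIGNIN,SUCCESS,48.9,2.3
"""


def parse_log(text):
    """Parse the CSV lines into dicts, sorted by timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, ip, event, result, lat, lon = line.split(",")
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "user": user, "ip": ip, "event": event,
                        "result": result, "lat": float(lat), "lon": float(lon)})
    records.sort(key=lambda r: r["ts"])
    return records


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_password_spray(records, window=timedelta(minutes=10), min_users=5):
    """One source IP failing against many distinct accounts in a short window:
    the signature of a spray (a few passwords tried across many users)."""
    fails = defaultdict(list)
    for r in records:
        if r["event"] == "SIGNIN" and r["result"] == "FAIL":
            fails[r["ip"]].append(r)
    hits = []
    for ip, rs in fails.items():
        for i, start in enumerate(rs):  # sliding window over sorted failures
            users = {x["user"] for x in rs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                hits.append((ip, sorted(users)))
                break
    return hits


def detect_push_bombing(records, window=timedelta(minutes=10), min_pushes=5):
    """A burst of MFA push prompts for one user; report whether one was approved."""
    pushes = defaultdict(list)
    for r in records:
        if r["event"] == "MFA_PUSH":
            pushes[r["user"]].append(r)
    hits = []
    for user, rs in pushes.items():
        for i, start in enumerate(rs):
            burst = [x for x in rs[i:] if x["ts"] - start["ts"] <= window]
            if len(burst) >= min_pushes:
                hits.append((user, len(burst), any(x["result"] == "APPROVED" for x in burst)))
                break
    return hits


def detect_impossible_travel(records, max_kmh=1000.0):
    """Consecutive successful sign-ins for one user that would need travel
    faster than max_kmh; returns (user, previous IP, new IP, implied km/h)."""
    last, hits = {}, []
    for r in records:
        if r["event"] != "SIGNIN" or r["result"] != "SUCCESS":
            continue
        prev = last.get(r["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], r["lat"], r["lon"])
            hours = (r["ts"] - prev["ts"]).total_seconds() / 3600
            if hours > 0 and km / hours > max_kmh:
                hits.append((r["user"], prev["ip"], r["ip"], round(km / hours)))
        last[r["user"]] = r
    return hits


def detect_new_device_registration(records, history=timedelta(hours=24)):
    """MFA registration from an IP the user had not signed in from until less
    than `history` ago, i.e. enrollment right after a fresh compromise."""
    first_seen, hits = {}, []
    for r in records:
        key = (r["user"], r["ip"])
        if r["event"] == "SIGNIN" and r["result"] == "SUCCESS":
            first_seen.setdefault(key, r["ts"])
        elif r["event"] == "MFA_REGISTER":
            seen = first_seen.get(key)
            if seen is None or r["ts"] - seen < history:
                hits.append((r["user"], r["ip"]))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("password spray:", detect_password_spray(recs))
    print("push bombing:", detect_push_bombing(recs))
    print("impossible travel:", detect_impossible_travel(recs))
    print("new-device MFA registration:", detect_new_device_registration(recs))
```

On the constructed log, the spray detector flags 203.0.113.7 for failing against five accounts in a few seconds, the push bombing detector flags frank for five prompts in three minutes ending in an approval, the impossible travel check flags frank's New York to London sign-ins thirty minutes apart, and the registration check flags the MFA enrollment from the IP that had only just logged in. The four detectors together trace the whole chain described in the advisory, so an alert from any one of them should trigger review of the others for the same account.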

Suggested mitigations include the following:

  • Disabling accounts that are no longer in use
  • Reviewing the procedures for password resets and user lockouts, since the actors abused a self-service password reset tool for initial access
  • Implementing phishing-resistant MFA, such as FIDO2 security keys or certificate-based authentication, rather than push notification-based MFA
  • Changing all default passwords and adopting the most recent NIST password guidance
  • Providing basic cybersecurity training (which is also required as part of HIPAA training) to all users, covering how to recognize failed sign-in attempts they did not make, how to deny MFA requests they did not initiate, and how to check that MFA is configured correctly on their accounts

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING


Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter
