The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Communications Security Establishment Canada (CSE), the National Security Agency (NSA), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), and the Australian Federal Police (AFP) issued a joint cybersecurity advisory warning the Healthcare and Public Health (HPH) sector and other critical infrastructure sectors that Iranian cyber actors are using brute force techniques to gain initial access to critical infrastructure organizations in the U.S.
The agencies observed Iranian cyber actors using brute force techniques such as multifactor authentication (MFA) push bombing and password spraying to obtain credentials and information that let them penetrate networks; once inside, they steal further credentials, modify user privileges, and maintain persistence. Password spraying tries default and commonly used passwords against accounts. The Iranian cyber actors particularly target Microsoft 365, Citrix, and Azure accounts.
Where push notification-based MFA is in use, threat actors can resort to push bombing: they flood users with MFA push notifications in the hope that the user approves one by mistake, or out of irritation simply to stop the notifications. Once a push is approved, the threat actors register their own device for MFA so that they receive the MFA requests for the compromised account and keep their access to it.
In several instances, the threat actors used a compromised user’s open MFA registration to enroll their own device. In one attack, the self-service password reset tool of a public-facing Active Directory Federation Services (ADFS) deployment was used to reset accounts with expired passwords; the attacker then registered MFA via Okta for the compromised accounts that did not yet have MFA enabled. The attackers use the Remote Desktop Protocol for lateral movement and living-off-the-land techniques to collect information about the targeted internal networks. They also sell access to the compromised systems to cybercriminal groups.
The advisory includes the following recommendations for identifying brute force activity:
- Review logs for ‘impossible logins’: IP addresses that do not match the user’s expected location, sign-ins from multiple IP addresses that are impossible given the distance and time between the locations, and unusual user agent strings.
- Have the IT team track MFA registrations; registrations should not come from unusual locations or unknown devices.
- Review the command-line arguments of executed programs for signs that privileged accounts are being misused after a password reset.
- Watch for credential dumping and unusual activity in dormant accounts.
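As an added illustration of the first two detection ideas above (this is example code, not part of the advisory), the script below scans a constructed set of sign-in records for ‘impossible travel’ between successive logins of one user and for source IPs whose failed sign-ins spread across many accounts, the signature of password spraying. The record format, the 900 km/h travel ceiling and the five-account spray threshold are assumptions to adjust for your own logs.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900       # assumed ceiling for plausible travel between two sign-ins
SPRAY_MIN_ACCOUNTS = 5    # assumed: one IP failing against this many accounts is a spray

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events):
    """(user, ip_a, ip_b, km/h) for consecutive successful sign-ins that imply implausible travel."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for a, b in zip(evs, evs[1:]):
            hours = (b["time"] - a["time"]).total_seconds() / 3600
            speed = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"]) / max(hours, 1e-9)
            if speed > MAX_SPEED_KMH:
                hits.append((user, a["ip"], b["ip"], round(speed)))
    return hits

def password_spray_sources(events):
    """Source IPs whose failed sign-ins touch many distinct accounts (few guesses per account)."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failed_users[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in failed_users.items() if len(users) >= SPRAY_MIN_ACCOUNTS)

def _ev(user, ts, ip, lat, lon, result):
    return dict(user=user, time=datetime.fromisoformat(ts), ip=ip, lat=lat, lon=lon, result=result)

# Constructed sample sign-ins (not real data): alice succeeds from Boston, then 30 minutes
# later from Sydney; bob stays put; one source fails once against five different accounts.
SAMPLE = [
    _ev("alice", "2024-10-16T09:00:00", "203.0.113.10", 42.36, -71.06, "success"),
    _ev("alice", "2024-10-16T09:30:00", "198.51.100.7", -33.87, 151.21, "success"),
    _ev("bob", "2024-10-16T08:00:00", "203.0.113.10", 42.36, -71.06, "success"),
    _ev("bob", "2024-10-16T10:00:00", "203.0.113.10", 42.36, -71.06, "success"),
] + [_ev(u, "2024-10-16T03:00:00", "192.0.2.55", 0.0, 0.0, "failure")
     for u in ("admin", "carol", "dave", "erin", "frank")]
```

Running `impossible_travel(SAMPLE)` flags only alice’s Boston-to-Sydney pair, and `password_spray_sources(SAMPLE)` returns the single spraying IP; bob’s two local sign-ins produce no alert.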
Recommended mitigations include:
- Deactivating abandoned user accounts
- Reviewing password reset and user lockout procedures
- Using phishing-resistant MFA instead of push notification-based MFA
- Changing all default passwords and following the latest NIST password guidance
- Providing basic cybersecurity training (also a HIPAA training requirement) to all users, covering how to spot unsuccessful sign-in attempts, rejecting MFA requests the user did not initiate, and verifying that MFA is configured correctly.