Ethical Hacking News

A New Wave of Iranian Cyberattacks: A Year-Long Campaign to Infiltrate Critical Infrastructure


Recent warnings from cybersecurity agencies around the world have shed light on a new wave of Iranian cyberattacks that are part of a year-long campaign to infiltrate critical infrastructure organizations. The attacks use brute force and password spraying, as well as sophisticated tactics such as MFA prompt bombing and living-off-the-land tools. Organizations must take proactive measures to protect themselves against these types of attacks.

  • In a year-long campaign, Iranian cyberattacks aim to infiltrate critical infrastructure organizations via brute-force attacks.
  • The attacks use sophisticated tactics, including password spraying and multi-factor authentication (MFA) prompt bombing to penetrate networks.
  • The attackers employ living-off-the-land (LotL) tools for extensive reconnaissance of compromised networks.
  • The initial access gained is followed by steps to escalate privileges via CVE-2020-1472, a known vulnerability.
  • The end goal is to obtain credentials and information describing the victim's network for sale to enable access to other cybercriminals.



The threat landscape is constantly evolving, and recent warnings from cybersecurity agencies around the world have shed light on a new wave of Iranian cyberattacks. These attacks, part of a year-long campaign, aim to infiltrate critical infrastructure organizations via brute-force attacks, using sophisticated tactics to gain access to sensitive information.

In October 2023, Iranian actors began using brute force and password spraying to compromise user accounts and obtain access to organizations in various sectors, including healthcare, government, information technology, engineering, and energy. This initial wave of attacks marked the beginning of a sustained campaign that has continued unabated ever since.

The attackers have employed several tactics to achieve their goals, including the use of multi-factor authentication (MFA) prompt bombing to penetrate networks of interest. This tactic involves flooding users with MFA push notifications in an effort to manipulate them into approving requests either unintentionally or out of annoyance. The Australian Signals Directorate's Australian Cyber Security Centre (ACSC) and other agencies have warned about this tactic, which is also referred to as MFA fatigue.
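Both tactics described above, password spraying and MFA prompt bombing, leave a recognisable footprint in authentication logs. The following detection logic is an added example written for this article, not code from any of the agencies or the reporting it cites; the event tuples are constructed sample data and the thresholds (5 accounts per source, 5 pushes in 10 minutes) are illustrative assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the page): (timestamp, source IP, user, event).
# 10.0.0.5 sprays one guess across many accounts; bob is pushed until he approves.
EVENTS = [
    ("2023-10-12T08:00:01", "10.0.0.5", "alice", "login_fail"),
    ("2023-10-12T08:00:03", "10.0.0.5", "bob", "login_fail"),
    ("2023-10-12T08:00:05", "10.0.0.5", "carol", "login_fail"),
    ("2023-10-12T08:00:07", "10.0.0.5", "dave", "login_fail"),
    ("2023-10-12T08:00:09", "10.0.0.5", "erin", "login_fail"),
    ("2023-10-12T08:05:00", "192.168.1.20", "alice", "login_fail"),
    ("2023-10-12T08:05:04", "192.168.1.20", "alice", "login_fail"),
    ("2023-10-12T09:00:00", "203.0.113.7", "bob", "mfa_push_sent"),
    ("2023-10-12T09:00:30", "203.0.113.7", "bob", "mfa_push_sent"),
    ("2023-10-12T09:01:00", "203.0.113.7", "bob", "mfa_push_sent"),
    ("2023-10-12T09:01:30", "203.0.113.7", "bob", "mfa_push_sent"),
    ("2023-10-12T09:02:00", "203.0.113.7", "bob", "mfa_push_sent"),
    ("2023-10-12T09:02:20", "203.0.113.7", "bob", "mfa_push_approved"),
    ("2023-10-12T12:00:00", "198.51.100.9", "carol", "mfa_push_sent"),
    ("2023-10-12T12:00:10", "198.51.100.9", "carol", "mfa_push_approved"),
]

def detect_password_spray(events, min_users=5, max_per_user=2):
    """Sources failing against many distinct accounts with few tries each (a spray)."""
    tries = defaultdict(lambda: defaultdict(int))  # source IP -> user -> failures
    for _ts, src, user, kind in events:
        if kind == "login_fail":
            tries[src][user] += 1
    return sorted(src for src, users in tries.items()
                  if len(users) >= min_users and max(users.values()) <= max_per_user)

def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_pushes=5):
    """Users receiving min_pushes prompts in one window; True if an approval followed."""
    pushes, approvals = defaultdict(list), defaultdict(list)
    for ts, _src, user, kind in events:
        if kind == "mfa_push_sent":
            pushes[user].append(datetime.fromisoformat(ts))
        elif kind == "mfa_push_approved":
            approvals[user].append(datetime.fromisoformat(ts))
    hits = {}
    for user, times in pushes.items():
        times.sort()
        for i in range(len(times) - min_pushes + 1):  # sliding window over sorted pushes
            start, end = times[i], times[i + min_pushes - 1]
            if end - start <= window:
                hits[user] = any(start <= a <= end + window for a in approvals[user])
                break
    return hits
```

A True value from detect_mfa_fatigue means the flood was followed by an approval, which is the case that warrants an immediate session revocation and a call to the user rather than a ticket.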

Another notable tactic employed by the attackers is the use of living-off-the-land (LotL) tools to conduct extensive reconnaissance of compromised networks. This involves using existing tools and software that are already present on the target system, rather than introducing new malware or software. The attackers have also been found to register their own devices with MFA to maintain persistence.

The initial access gained by the attackers is followed by steps to escalate privileges via CVE-2020-1472 (aka Zerologon), a known vulnerability that can be exploited to gain elevated access to systems. The threat actors then use RDP to move laterally within the network and gain further access.

The end goal of these attacks is likely to obtain credentials and information describing the victim's network, which can then be sold to give other cybercriminals access. This information can be used to identify vulnerabilities in the system, allowing attackers to exploit them and gain further access.

Cybersecurity agencies have warned about this threat for months, urging organizations to take proactive measures to protect themselves. The U.S. Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and other agencies have issued alerts and guidance on how to prevent these types of attacks.

The alert comes as nation-state hacking crews are increasingly collaborating with cybercriminals, outsourcing some parts of their operations to further their geopolitical and financial motives. This trend is reflected in a recent report by Microsoft, which noted that nation-state threat actors conduct operations for financial gain, enlist cybercriminals to collect intelligence on the Ukrainian military, and make use of the same infostealers, command-and-control frameworks, and other tools favored by the cybercriminal community.

As organizations prepare for the holiday season, they must also take steps to protect themselves against these types of attacks. The threat landscape is constantly evolving, and it's essential to stay informed about the latest threats and tactics used by attackers.



Related Information:

  • https://thehackernews.com/2024/10/us-and-allies-warn-of-iranian.html

  • https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a

Published: Fri Oct 18 07:14:43 2024 by llama3.2 3B Q4_K_M