Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Iranian Hackers Act as Brokers Selling Critical Infrastructure Access




Iranian hackers are now acting as brokers, selling access to critical infrastructure networks on the dark web. According to government agencies in the US, Canada, and Australia, these hackers use brute-force techniques such as password spraying and MFA 'push bombing' to breach networks. To elevate privileges, they rely on tools already present on the compromised system and leverage compromised credentials from virtual infrastructures. This emerging threat highlights the importance of robust security measures for organizations against evolving cyber threats.



  • In recent times, Iranian hackers have emerged as brokers selling critical infrastructure access to other threat actors.
  • Iranian hackers use brute-force techniques, such as password spraying and multifactor authentication 'push bombing,' to compromise user accounts and obtain access to networks.
  • Threat actors aim to obtain persistent access to the target network by registering their devices with MFA systems and using self-service password reset tools.
  • Iranian hackers used unknown methods to obtain initial access to Microsoft 365, Azure, and Citrix environments.
  • The Iranian hackers collect additional credentials using open-source tools to steal Kerberos tickets or retrieve Active Directory accounts.
  • The U.S. government had earlier warned of an Iran-based threat actor, believed to be state-sponsored, involved in obtaining initial access to networks.
  • To detect brute-force attempts, organizations should review authentication logs and expand the search to multiple accounts.
  • The agencies recommend looking for MFA registrations with unexpected locales or from unfamiliar devices.



    The world of cyber threats has witnessed numerous actors, from nation-states to individual hackers, attempting to breach critical infrastructure organizations in recent times. However, a new actor has emerged in this space - Iranian hackers who are acting as brokers selling critical infrastructure access to other threat actors. According to government agencies in the U.S., Canada, and Australia, these hackers use brute-force techniques to gain access to networks and collect data that can be sold on cybercriminal forums to enable further attacks.

    The latest activity and methods used by Iranian hackers in breaching networks were described in an advisory published by America’s Cyber Defense Agency (CISA). The advisory is co-authored by the Federal Bureau of Investigation (FBI), CISA, the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC).

    The alert states that since October 2023, Iranian actors have used brute-force techniques such as password spraying and multifactor authentication ‘push bombing’ to compromise user accounts and obtain access to organizations. Push bombing floods the target’s mobile phone with repeated MFA approval requests until the user, worn down by the prompts, approves one of the sign-in attempts.

    Following initial access, threat actors aim to obtain persistent access to the target network, often using brute-force techniques. They typically try to register their own devices with the organization's MFA system and may use self-service password reset tools associated with public-facing Active Directory Federation Services (AD FS) to reset accounts with expired passwords.

    The government agencies have also found that the Iranian hackers used methods not yet identified to obtain initial access to Microsoft 365, Azure, and Citrix environments. In one confirmed compromise, they took advantage of a compromised user’s still-open MFA registration to enroll the actor's own device and access the environment.

    It is unclear how the Iranian hackers collect additional credentials, but this step is believed to be done with open-source tools that steal Kerberos tickets or retrieve Active Directory accounts. To elevate privileges, they relied on tools already present on the system (living off the land) to gather details about domain controllers, trusted domains, lists of administrators and enterprise admins, and the computers on the network, including their descriptions and operating systems.

    The U.S. government had earlier warned of an Iran-based threat actor, believed to be state-sponsored, involved in obtaining initial access to networks belonging to various organizations in the U.S. The threat actor used the alias Br0k3r and provided "full domain control privileges, as well as domain admin credentials, to numerous networks worldwide."

    To detect brute-force attempts, the joint advisory recommends that organizations review authentication logs for failed logins on valid accounts and expand the search to multiple accounts. Another sign of a potential intrusion attempt is the use of the same IP for multiple accounts or the use of IPs from different locations with a frequency that would not permit the user to travel the distance.

    The agencies also recommend looking for MFA registrations in unexpected locales or from unfamiliar devices, checking for suspicious privileged account use after resetting passwords or applying user account mitigations, investigating unusual activity in typically dormant accounts, and scanning for unusual user agent strings.
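    As an added example, not code from the advisory or this article, the following Python runs two of the checks described above over a constructed sample of authentication events: one source IP failing against many valid accounts (password spraying) and two successful logins for one account too far apart to travel between in the elapsed time. The thresholds (four accounts within five minutes, 900 km/h) and the sample events are assumptions, not values from the advisory.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample (not advisory data): (timestamp, user, source_ip, result, latitude, longitude)
SAMPLE_LOG = [
    ("2024-10-16T01:00:00", "alice", "203.0.113.7", "FAIL", 38.9, -77.0),
    ("2024-10-16T01:00:05", "bob", "203.0.113.7", "FAIL", 38.9, -77.0),
    ("2024-10-16T01:00:09", "carol", "203.0.113.7", "FAIL", 38.9, -77.0),
    ("2024-10-16T01:00:14", "dave", "203.0.113.7", "FAIL", 38.9, -77.0),
    ("2024-10-16T01:00:20", "erin", "203.0.113.7", "SUCCESS", 38.9, -77.0),
    ("2024-10-16T02:00:00", "erin", "198.51.100.9", "SUCCESS", 52.5, 13.4),
    ("2024-10-16T03:00:00", "frank", "192.0.2.44", "FAIL", 38.9, -77.0),
]

def spray_sources(log, min_accounts=4, window_s=300):
    """IPs whose failed logins hit >= min_accounts distinct accounts within window_s seconds."""
    fails = defaultdict(list)
    for ts, user, ip, result, _, _ in log:
        if result == "FAIL":
            fails[ip].append((datetime.fromisoformat(ts), user))
    flagged = set()
    for ip, events in fails.items():
        events.sort()  # sliding window over time-ordered failures from this source
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(users) >= min_accounts:
                flagged.add(ip)
    return flagged

def km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(log, max_kmh=900):
    """Users with consecutive successful logins whose implied travel speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for ts, user, _, result, lat, lon in log:
        if result == "SUCCESS":
            by_user[user].append((datetime.fromisoformat(ts), lat, lon))
    flagged = set()
    for user, events in by_user.items():
        events.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            if hours > 0 and km(la1, lo1, la2, lo2) / hours > max_kmh:
                flagged.add(user)
    return flagged
```

    On the sample, the spray check flags 203.0.113.7 (four accounts in 14 seconds) while 192.0.2.44 with a single failing account is not flagged, and erin's two successes roughly 6,700 km apart within an hour trip the travel check.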

    A set of indicators of compromise, including hashes of malicious files, IP addresses, and devices used in the attacks, is available in the advisory. The government agencies have also provided a set of mitigations that would improve an organization’s security posture against the tactics, techniques, and procedures (TTPs) observed in the Iranian hackers’ activity.

    The rise of Iranian hackers as brokers selling critical infrastructure access to other threat actors highlights the evolving nature of cyber threats. It is crucial for organizations to stay vigilant and implement robust security measures to detect and prevent such attacks.



    Related Information:

  • https://www.bleepingcomputer.com/news/security/iranian-hackers-act-as-brokers-selling-critical-infrastructure-access/

  • https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3935330/iranian-cyber-actors-access-critical-infrastructure-networks/


  • Published: Wed Oct 16 23:09:35 2024 by llama3.2 3B Q4_K_M












