A joint advisory from U.S. and international cybersecurity agencies, including the FBI, CISA, NSA, and counterparts in Canada and Australia, has uncovered a year-long Iranian cyber campaign targeting critical infrastructure. The sectors affected include healthcare, government, IT, engineering, and energy, with attackers using brute-force techniques to compromise systems. These attacks, which began in October 2023, focus on methods like password spraying and multifactor authentication (MFA) push bombing to gain unauthorized access to user accounts. Once inside, Iranian threat actors sell this access to cybercriminal groups, further expanding the impact of their actions.
The attackers specifically target platforms such as Microsoft 365, Azure, and Citrix. They often exploit weak passwords or use brute-force methods to obtain valid user credentials, which are then used to access these systems. In many cases, attackers manipulate MFA registrations, enabling them to maintain persistent access to compromised networks. They use techniques like “MFA fatigue” attacks, where they bombard legitimate users with push notifications, hoping the user will eventually approve one by mistake.
Once access is obtained, the attackers probe the compromised network for additional credentials, elevated privileges, and information that can be sold or used for further exploitation. In some cases, the attackers reset expired passwords through self-service tools and register their own MFA devices, allowing continued access even when the original credentials expire. They also employ lateral movement techniques, using VPN services and Remote Desktop Protocol (RDP) to navigate the network. Tools like PowerShell are often used to launch attacks and conduct reconnaissance within compromised environments.
The advisory provides several indicators of compromise (IoCs), including suspicious login activity, multiple failed authentication attempts, and unusual MFA registrations. Security teams are urged to monitor for these signs and implement strong password policies, MFA, and enhanced monitoring of authentication logs. The report also highlights the importance of scrutinizing login patterns and using security measures to detect abnormal behavior, such as “impossible travel” scenarios or unexpected account activity. By addressing these vulnerabilities, organizations can better defend against Iranian brute-force attacks and reduce the risk of further exploitation.
