Iranian hackers act as Initial Access Brokers (IAB), selling access to critical infrastructure organizations in the West to the highest bidder.
A joint safety advice recently published by the US Cybersecurity and Infrastructure Agency (CISA), together with the FBI, NSA, the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP) and the Australian Cyber Security Center of the Australian Signals Directorate ( ASCS), claims that Iranian threat actors are actively involved in brute force attacks (password distribution, MFA push bombing and the like).
As of October 2023, these unnamed organizations have focused on healthcare and public health, government, information technology, engineering and energy organizations.
CISA recommendations
Their goal is to obtain login credentials and map the intended victim’s infrastructure. They then establish persistence in various ways, including changing MFA registrations.
This information is then sold on the dark web. “The authoring agencies assess that Iranian actors are selling this information in cybercriminal forums to actors who can use the information to conduct additional malicious activities,” the report said.
To defend against these attacks, CISA and friends recommend that companies review IT helpdesk password management regarding initial passwords, user lockout password resets, and shared passwords. They should also disable user accounts and access to organizational resources for departing employees, implement phishing-resistant MFA, and continually review MFA settings.
Additionally, they must provide their employees with basic cybersecurity training, track failed login attempts, and let users decline MFA requests they did not generate. Finally, they must ensure that users with MFA accounts have MFA properly set up, ensure password policies align with the latest NIST Digital Identity Guidelines, and meet minimum password strength requirements.
These are all considered best cybersecurity practices, CISA concludes, “aimed at meaningfully reducing risk to both critical infrastructure operations and the American people.”