Cybersecurity agencies from the U.S., Australia, and Canada have issued a comprehensive advisory about an ongoing year-long cyberattack campaign by Iranian hackers targeting critical infrastructure sectors. These sectors include healthcare, energy, IT, and government. The attackers have utilized brute-force tactics, password spraying, and MFA (multi-factor authentication) prompt bombing to compromise accounts, gaining access to sensitive networks. Once inside, they use advanced techniques such as "living-off-the-land" tools, privilege escalation via Zerologon (CVE-2020-1472), and Cobalt Strike for persistence. These intrusions typically lead to stolen credentials being sold on cybercriminal forums.

This campaign, which has been underway since October 2023, focuses on gaining unauthorized access to organizations by exploiting user account weaknesses. MFA prompt bombing is one of the key tactics in this effort: the attackers flood a user with MFA notifications, hoping the user will approve the access out of confusion or frustration. Experts recommend phishing-resistant MFA or, as an alternative, number matching for added security. With number matching, users must input a specific time-sensitive code, providing an extra layer of authentication.

Once inside a network, attackers conduct extensive reconnaissance, mapping out the internal systems and gathering additional credentials. They use sophisticated tools and techniques such as Remote Desktop Protocol (RDP) for lateral movement and escalate their privileges through the Zerologon vulnerability. This allows them to establish persistence and further compromise the network. The attackers have been seen registering their own devices with compromised MFA systems to maintain access for future operations.
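The defender-side counterpart to the tactics described above, as an added example that is not part of the advisory or the article: detection logic run over a constructed set of sign-in events, flagging password spraying (one source failing against many accounts), an MFA push flood that ends in an approval, and a new authenticator enrolled shortly after that approval. The event tuple format, field values and thresholds are assumptions; a real deployment maps them onto the identity provider's own sign-in and MFA logs and tunes the thresholds to its baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events for this example (not real telemetry).
# Fields: ISO-8601 UTC timestamp, user, source IP, event type, result.
SAMPLE_EVENTS = [
    # One source cycling a password across many accounts in under a minute: spraying.
    ("2024-10-16T08:00:01Z", "alice", "203.0.113.5", "login", "failure"),
    ("2024-10-16T08:00:12Z", "bob",   "203.0.113.5", "login", "failure"),
    ("2024-10-16T08:00:25Z", "carol", "203.0.113.5", "login", "failure"),
    ("2024-10-16T08:00:37Z", "dave",  "203.0.113.5", "login", "failure"),
    ("2024-10-16T08:00:49Z", "erin",  "203.0.113.5", "login", "failure"),
    ("2024-10-16T08:01:02Z", "frank", "203.0.113.5", "login", "success"),
    # With a valid password, the same source floods frank with push prompts until one is approved.
    ("2024-10-16T08:01:10Z", "frank", "203.0.113.5", "mfa_push", "denied"),
    ("2024-10-16T08:01:40Z", "frank", "203.0.113.5", "mfa_push", "timeout"),
    ("2024-10-16T08:02:10Z", "frank", "203.0.113.5", "mfa_push", "denied"),
    ("2024-10-16T08:02:40Z", "frank", "203.0.113.5", "mfa_push", "timeout"),
    ("2024-10-16T08:03:10Z", "frank", "203.0.113.5", "mfa_push", "approved"),
    # Persistence: a new authenticator is enrolled minutes after the approved prompt.
    ("2024-10-16T08:05:00Z", "frank", "203.0.113.5", "mfa_device_registered", "success"),
    # Benign noise: a user mistypes a password twice, then succeeds with a single push.
    ("2024-10-16T09:15:00Z", "grace", "198.51.100.7", "login", "failure"),
    ("2024-10-16T09:15:20Z", "grace", "198.51.100.7", "login", "failure"),
    ("2024-10-16T09:15:40Z", "grace", "198.51.100.7", "login", "success"),
    ("2024-10-16T09:15:50Z", "grace", "198.51.100.7", "mfa_push", "approved"),
]


def _ts(s):
    """Parse the constructed timestamp format into a datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted distinct users} for sources whose failed logins
    hit at least `min_users` distinct accounts inside `window`.

    Spraying fans out across accounts, so the signal is distinct users per source,
    not failures per account; per-account lockout counters never trip on it."""
    failures = defaultdict(list)  # ip -> [(time, user)]
    for ts, user, ip, event, result in events:
        if event == "login" and result == "failure":
            failures[ip].append((_ts(ts), user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):  # sliding window over the sorted failures
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=3):
    """Return {user: {"prompts": n, "rejected": m, "approved_at": datetime|None}}
    for users who received `min_prompts` or more push prompts inside `window`.

    The pile-up of denied/timed-out prompts is the flood itself; `approved_at` is set
    only when an approval arrives after at least one rejection, the likely compromise."""
    pushes = defaultdict(list)  # user -> [(time, result)]
    for ts, user, ip, event, result in events:
        if event == "mfa_push":
            pushes[user].append((_ts(ts), result))
    flagged = {}
    for user, prompts in pushes.items():
        prompts.sort()
        start = 0
        for end in range(len(prompts)):
            while prompts[end][0] - prompts[start][0] > window:
                start += 1
            burst = prompts[start:end + 1]
            if len(burst) < min_prompts:
                continue
            rejected = sum(1 for _, r in burst if r != "approved")
            first_reject = next((i for i, (_, r) in enumerate(burst) if r != "approved"), None)
            approved_at = None
            if first_reject is not None:
                approved_at = next((t for t, r in burst[first_reject:] if r == "approved"), None)
            flagged[user] = {"prompts": len(burst), "rejected": rejected, "approved_at": approved_at}
    return flagged


def detect_post_fatigue_enrollment(events, window=timedelta(hours=1)):
    """Return the set of users who registered a new MFA device within `window` after
    an approval that followed a push flood. An attacker-controlled authenticator is
    what keeps access alive through a later password reset."""
    fatigue = detect_mfa_fatigue(events)
    flagged = set()
    for ts, user, ip, event, result in events:
        approved_at = fatigue.get(user, {}).get("approved_at")
        if event == "mfa_device_registered" and result == "success" and approved_at:
            if timedelta(0) <= _ts(ts) - approved_at <= window:
                flagged.add(user)
    return flagged


if __name__ == "__main__":
    print("spraying sources:", detect_password_spraying(SAMPLE_EVENTS))
    print("push floods:", detect_mfa_fatigue(SAMPLE_EVENTS))
    print("enrollment after flood:", detect_post_fatigue_enrollment(SAMPLE_EVENTS))
```

The three detections chain deliberately: a spraying hit that turns into a success, a push flood on that same account, and an enrollment right after the approval is the sequence the advisory describes, and correlating them on the user and source is what separates it from the everyday noise of mistyped passwords and single approved prompts.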

The ultimate goal of these cyberattacks is often financial, with stolen data and network credentials being sold on cybercriminal forums. The agencies’ advisory aligns with previous warnings about the increasing cooperation between nation-state actors and cybercriminals. This cooperation is blurring the lines between financially motivated attacks and geopolitical cyber-operations. For example, Iranian nation-state actors have been reported to engage with cybercriminal groups, outsourcing parts of their operations to achieve both financial gain and geopolitical objectives.

This advisory comes on the heels of other warnings from the Five Eyes countries, who have highlighted the risks associated with Active Directory compromises. Active Directory remains one of the most targeted elements of enterprise IT networks, and the new guidance stresses the importance of securing these systems to prevent privilege escalation and data theft. Microsoft’s 2024 Digital Defense Report echoes these concerns, noting that nation-state threat actors are increasingly enlisting the help of cybercriminals and using the same tools, such as infostealers and command-and-control frameworks, for their operations.

In light of these threats, cybersecurity agencies are urging organizations to strengthen their defenses, particularly around user authentication and MFA protocols. The use of phishing-resistant MFA is strongly recommended, along with best practices for securing Active Directory and mitigating brute-force attacks.

Source: The Hacker News

