
Iranian Hackers Fuel Cybercrime with Infrastructure Access Deals

Vlad CONSTANTINESCU

October 17, 2024


The US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that Iranian hackers are shifting their focus from espionage to initial access brokerage.

Iranian Hackers as Initial Access Brokers

According to an advisory published by leading cybersecurity agencies in the US, Canada and Australia, threat actors are breaching organizations in energy, government, healthcare and other vital sectors and then selling access credentials on dark web forums.

Since October 2023, the perpetrators have relied on brute-force techniques, including password spraying, together with multifactor authentication (MFA) fatigue attacks that bombard victims with prompts until they unintentionally grant access.

Once they breach a system, threat actors seek persistence, allowing them to harvest credentials, escalate privileges, and perform reconnaissance of compromised networks.

High-Profile Sectors in the Crosshairs

Experts believe the Iranian attackers intended to sell this access to the highest bidder on cybercrime forums. By doing so, they facilitated subsequent attacks by ransomware gangs and other threat actors. In other words, Iranian hackers shifted from espionage to acting as middlemen for other cybercriminals.

The hackers’ apparent specific focus on healthcare, energy and government sectors could translate into serious disruptions of essential services, public safety endangerment, and the compromise of sensitive data.

MFA Fatigue and Self-Service Password Resetting Exploited

According to the advisory, threat actors use MFA “push bombing,” a ruthless tactic that overwhelms users with repeated login requests until they grant access, sometimes accidentally or out of sheer frustration.

Another tactic perpetrators prefer involves weaponizing self-service password reset tools linked to public-facing directories to reset expired passwords. This lets attackers enroll their own devices in the target’s MFA system.

Iran’s State-Sponsored Cybercrime Role

Security experts believe these activities may be linked to a state-sponsored cyber offensive. A separate US government advisory identifies a threat group operating under the monikers Br0k3r, Fox Kitten, and Pioneer Kitten that is believed to be backed by Iran.

The cybercrime group has been linked to numerous worldwide breaches, during which it sold full domain control and credentials to ransomware affiliates and other threat actors.

Signs of Compromise and Mitigation

To mitigate such attacks, organizations and individuals should look out for these red flags:

  • Unexpected MFA registrations or attempts from unknown devices or unfamiliar locations
  • Suspicious command-line activity that could indicate credential dumping
  • Privileged account use after password resets or user account mitigations
  • Sudden activity in previously dormant accounts, or in accounts that usually see little to no activity
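As an added example that is not part of the article or of the advisory it summarizes, the Python script below turns the four red flags above, plus the push-bombing and password-spraying tactics described earlier, into simple detection heuristics and runs them over constructed sample authentication events. The JSON field names (ts, user, event, result, src_ip, device), the thresholds, and the known-device inventory are assumptions about a hypothetical identity provider's log format, not any real product's schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events in JSON-lines form (not real telemetry).
# Assumed fields: ts, user, event, result, src_ip, device.
SAMPLE_LOG = """\
{"ts":"2024-06-01T10:00:00Z","user":"carol","event":"login","result":"success","src_ip":"192.0.2.10","device":"carol-laptop"}
{"ts":"2024-10-01T08:00:00Z","user":"alice","event":"mfa_push","result":"denied","src_ip":"203.0.113.5","device":"alice-phone"}
{"ts":"2024-10-01T08:01:00Z","user":"alice","event":"mfa_push","result":"denied","src_ip":"203.0.113.5","device":"alice-phone"}
{"ts":"2024-10-01T08:02:00Z","user":"alice","event":"mfa_push","result":"timeout","src_ip":"203.0.113.5","device":"alice-phone"}
{"ts":"2024-10-01T08:03:00Z","user":"alice","event":"mfa_push","result":"denied","src_ip":"203.0.113.5","device":"alice-phone"}
{"ts":"2024-10-01T08:04:00Z","user":"alice","event":"mfa_push","result":"denied","src_ip":"203.0.113.5","device":"alice-phone"}
{"ts":"2024-10-01T08:05:00Z","user":"alice","event":"mfa_push","result":"approved","src_ip":"203.0.113.5","device":"alice-phone"}
{"ts":"2024-10-01T08:30:00Z","user":"bob","event":"mfa_enroll","result":"success","src_ip":"203.0.113.5","device":"android-unknown"}
{"ts":"2024-10-01T09:00:00Z","user":"dave","event":"password_reset","result":"success","src_ip":"203.0.113.5","device":"sspr-portal"}
{"ts":"2024-10-01T09:30:00Z","user":"dave","event":"admin_action","result":"success","src_ip":"203.0.113.5","device":"dc01"}
{"ts":"2024-10-01T10:00:00Z","user":"carol","event":"login","result":"success","src_ip":"203.0.113.5","device":"unknown"}
"""
# Constructed password-spraying burst: one source IP, one failed login per user, one minute apart.
SAMPLE_LOG += "".join(
    json.dumps({"ts": f"2024-10-01T11:{i:02d}:00Z", "user": f"user{i:02d}", "event": "login",
                "result": "failure", "src_ip": "198.51.100.7", "device": "unknown"}) + "\n"
    for i in range(10)
)

# Assumed per-user inventory of MFA devices that were enrolled through a trusted process.
KNOWN_DEVICES = {"alice": {"alice-phone"}, "bob": {"bob-phone"}}


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Users who received >= threshold denied/unanswered MFA pushes inside one window.
    Also records whether an approval followed inside that window (the worst case)."""
    rejected, approvals = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["event"] == "mfa_push":
            (approvals if ev["result"] == "approved" else rejected)[ev["user"]].append(ev["ts"])
    flagged = {}
    for user, times in rejected.items():
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= window]
            if len(burst) >= threshold:
                approved = any(start <= t <= start + window for t in approvals[user])
                flagged[user] = {"prompts": len(burst), "approved_after": approved}
                break
    return flagged


def detect_password_spraying(events, min_users=8, window=timedelta(minutes=15)):
    """Source IPs with failed logins against >= min_users distinct accounts inside one window."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["event"] == "login" and ev["result"] == "failure":
            per_ip[ev["src_ip"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for ip, attempts in per_ip.items():
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)
                break
    return flagged


def detect_unknown_mfa_enrollment(events, known_devices):
    """MFA enrollments from a device that is not in the user's known-device inventory."""
    return [(ev["user"], ev["device"], ev["src_ip"]) for ev in events
            if ev["event"] == "mfa_enroll"
            and ev["device"] not in known_devices.get(ev["user"], set())]


def detect_dormant_account_activity(events, dormant_days=90):
    """Accounts that show activity after a gap of >= dormant_days with no events at all."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["user"]].append(ev["ts"])
    return [(user, (cur - prev).days)
            for user, times in per_user.items()
            for prev, cur in zip(times, times[1:])
            if cur - prev >= timedelta(days=dormant_days)]


def detect_privileged_use_after_reset(events, window=timedelta(hours=24)):
    """Privileged actions performed within `window` after a password reset (events are time-sorted)."""
    last_reset, flagged = {}, []
    for ev in events:
        if ev["event"] == "password_reset":
            last_reset[ev["user"]] = ev["ts"]
        elif (ev["event"] == "admin_action" and ev["user"] in last_reset
              and ev["ts"] - last_reset[ev["user"]] <= window):
            flagged.append((ev["user"], ev["device"]))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("push bombing:", detect_push_bombing(evs))
    print("password spraying:", detect_password_spraying(evs))
    print("unknown MFA enrollment:", detect_unknown_mfa_enrollment(evs, KNOWN_DEVICES))
    print("dormant account activity:", detect_dormant_account_activity(evs))
    print("privileged use after reset:", detect_privileged_use_after_reset(evs))
```

The thresholds are deliberately conservative starting points; in production they should be tuned per tenant, and each detector's output should be joined with the source IP so that a single address appearing in several of these signals (as 203.0.113.5 does in the constructed data) is surfaced as one incident rather than five separate alerts.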
