The US Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that Iranian hackers are shifting their focus from espionage to initial access brokerage.
According to an advisory published by leading cybersecurity agencies in the US, Canada and Australia, threat actors are breaching organizations in energy, government, healthcare and other vital sectors and then selling access credentials on dark web forums.
Since October 2023, perpetrators have been leveraging brute-force techniques, including password spraying and multifactor authentication (MFA) fatigue attacks to overwhelm their victims into unintentionally granting them access.
Once they breach a system, threat actors seek persistence, allowing them to harvest credentials, escalate privileges, and perform reconnaissance of compromised networks.
Experts believe the Iranian attackers intended to sell this access to the highest bidder on cybercrime forums. By doing so, they facilitated subsequent attacks by ransomware gangs and other threat actors. In other words, Iranian hackers shifted from espionage to acting as middlemen for other cybercriminals.
The hackers’ apparent specific focus on healthcare, energy and government sectors could translate into serious disruptions of essential services, public safety endangerment, and the compromise of sensitive data.
According to the advisory, threat actors use MFA “push bombing,” a ruthless tactic that overwhelms users with repeated login requests until they grant access, sometimes accidentally or out of sheer frustration.
Another tactic perpetrators prefer involves weaponizing self-service password reset tools linked to public-facing directories to reset expired passwords. This lets attackers enroll their own devices in the target’s MFA system.
Security experts believe these activities may be linked to a state-sponsored cyber offensive. A separate US government advisory pinpoints an Iranian threat group operating under the monikers Br0k3r, Fox Kitten, and Pioneer Kitten, believed to be backed by Iran.
The cybercrime group has been linked to numerous worldwide breaches, during which it sold full domain control and credentials to ransomware affiliates and other threat actors.
To mitigate such attacks, organizations and individuals should look out for these red flags:
tags
Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
View all postsDecember 24, 2024
December 19, 2024
November 14, 2024