

Iranian attackers are compromising critical infrastructure organizations to harvest credentials and network information, then selling that access on hacking forums to other criminals, according to a joint government advisory.
Authorities in the US, Canada and Australia warn that Iranian hackers are increasingly acting as initial access brokers, using brute-force techniques to break into organizations in the healthcare and public health, government, information technology, engineering and energy sectors.
“Since October 2023, Iranian actors have been using brute-force attacks, such as password spraying and multi-factor authentication (MFA) push bombing, to compromise user accounts and gain access to organizations,” the joint report said.
The attackers then work to establish persistent access to the target network, often through the same brute-force methods. From there they collect additional credentials, escalate privileges and map the compromised systems and network, which lets them move laterally and find further access points and exploitable weaknesses.
RDP is usually used to move around the network, and in some cases the hackers have deployed the required binaries via PowerShell and Microsoft Word. Open source tools are also believed to be used to gather additional data, for example to steal Kerberos tickets.
To escalate privileges, the hackers attempt to impersonate a domain controller, “likely exploiting the CVE-2020-1472 vulnerability in Microsoft Netlogon (also known as Zerologon),” the experts write.
Authorities have not disclosed all the methods used in these attacks, but say that in some cases the hackers used password spraying to gain access to valid user and group accounts.
Another method mentioned is MFA push bombing, in which attackers flood the target’s mobile phone with MFA approval requests until the user approves a login attempt, either by accident or simply to stop the stream of notifications.
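Both techniques leave a recognizable footprint in authentication logs, and the footprint is what defenders can act on before the access is resold. The Python below is an added example written for this page, not code from the joint advisory or from the article’s authors: the simplified event format, the field names, the user names, the IP addresses (RFC 5737 documentation ranges) and the thresholds are all assumptions chosen for illustration, and the sample events are constructed, not real telemetry.

```python
"""Detecting password spraying and MFA push bombing in authentication logs.

Added example, not code from the joint advisory or from the article. The event
format, field names, IP addresses (RFC 5737 documentation ranges), user names
and thresholds are all assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ev(ts, kind, user, src_ip, result):
    """Build one normalised event; real sign-in and MFA logs would be mapped onto these fields."""
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "user": user,
            "src_ip": src_ip, "result": result}


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    # Password spray: one source, six accounts, one guess each, then a hit.
    _ev("2024-10-16T09:00:01", "auth", "alice", "203.0.113.7", "fail"),
    _ev("2024-10-16T09:00:03", "auth", "bob", "203.0.113.7", "fail"),
    _ev("2024-10-16T09:00:05", "auth", "chen", "203.0.113.7", "fail"),
    _ev("2024-10-16T09:00:07", "auth", "dana", "203.0.113.7", "fail"),
    _ev("2024-10-16T09:00:09", "auth", "evan", "203.0.113.7", "fail"),
    _ev("2024-10-16T09:00:11", "auth", "farah", "203.0.113.7", "fail"),
    _ev("2024-10-16T09:02:10", "auth", "farah", "203.0.113.7", "success"),
    # Benign: one user mistypes a password a few times from their own address.
    _ev("2024-10-16T09:05:00", "auth", "gail", "192.0.2.5", "fail"),
    _ev("2024-10-16T09:05:10", "auth", "gail", "192.0.2.5", "fail"),
    _ev("2024-10-16T09:05:20", "auth", "gail", "192.0.2.5", "fail"),
    _ev("2024-10-16T09:05:30", "auth", "gail", "192.0.2.5", "fail"),
    _ev("2024-10-16T09:05:45", "auth", "gail", "192.0.2.5", "success"),
    _ev("2024-10-16T09:05:46", "mfa_push", "gail", "192.0.2.5", "approved"),
    # Push bombing: the attacker already holds hiro's password and keeps
    # triggering pushes until one is approved.
    _ev("2024-10-16T10:30:00", "mfa_push", "hiro", "198.51.100.9", "denied"),
    _ev("2024-10-16T10:30:40", "mfa_push", "hiro", "198.51.100.9", "timeout"),
    _ev("2024-10-16T10:31:20", "mfa_push", "hiro", "198.51.100.9", "denied"),
    _ev("2024-10-16T10:32:00", "mfa_push", "hiro", "198.51.100.9", "timeout"),
    _ev("2024-10-16T10:32:40", "mfa_push", "hiro", "198.51.100.9", "denied"),
    _ev("2024-10-16T10:33:30", "mfa_push", "hiro", "198.51.100.9", "approved"),
]


def _bursts(evs, window):
    """Yield (first_event, events within `window` of it) for every start point, oldest first."""
    evs = sorted(evs, key=lambda e: e["ts"])
    for i, first in enumerate(evs):
        yield first, [e for e in evs[i:] if e["ts"] - first["ts"] <= window]


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag source addresses that fail against many distinct accounts, a few tries each.

    Per-account lockout counters never trip because every account sees only one or
    two guesses, so the detection pivots on the source address rather than the user.
    """
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["kind"] == "auth" and e["result"] == "fail":
            fails[e["src_ip"]].append(e)
        elif e["kind"] == "auth" and e["result"] == "success":
            successes[e["src_ip"]].append(e)
    alerts = []
    for src_ip, evs in fails.items():
        for first, burst in _bursts(evs, window):
            per_user = Counter(e["user"] for e in burst)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts.append({
                    "src_ip": src_ip,
                    "distinct_users": len(per_user),
                    "first": first["ts"], "last": burst[-1]["ts"],
                    # A later success from the same source means one sprayed password worked.
                    "followed_by_success": any(s["ts"] >= first["ts"] for s in successes[src_ip]),
                })
                break  # one alert per source is enough
    return alerts


def detect_push_bombing(events, window=timedelta(minutes=10), min_pushes=5):
    """Flag users who receive a burst of MFA push challenges inside a short window.

    The burst alone shows someone holds a valid password for the account; an approval
    inside the burst means the user gave in or tapped by mistake, so any session that
    followed should be treated as attacker-controlled.
    """
    pushes = defaultdict(list)
    for e in events:
        if e["kind"] == "mfa_push":
            pushes[e["user"]].append(e)
    alerts = []
    for user, evs in pushes.items():
        for first, burst in _bursts(evs, window):
            if len(burst) >= min_pushes:
                alerts.append({
                    "user": user,
                    "pushes": len(burst),
                    "approved": any(e["result"] == "approved" for e in burst),
                    "src_ips": sorted({e["src_ip"] for e in burst}),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print("password spray:", alert)
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print("MFA push bombing:", alert)
```

The thresholds are the part that needs local tuning. A shared egress address such as an office NAT or a VPN concentrator will legitimately show many distinct users failing from one IP, so in practice the source-based rule is compared against a baseline of how many distinct users normally authenticate from each address. The `followed_by_success` and `approved` fields are the ones that should drive response: a spray or push burst on its own is an attempt, while a success that follows it is the compromise the advisory describes.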
It is also noted that the Iranian hackers used as yet undetermined techniques to gain access to Microsoft 365, Azure and Citrix environments.
Once they have gained access to an account, the attackers typically try to register their own devices with the organization’s MFA system.
