Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have issued a joint advisory warning about a year-long campaign by Iranian cyber actors aimed at infiltrating critical infrastructure organizations.
Since October 2023, these actors have used brute force attacks and password spraying to gain unauthorized access to organizations in several sectors, including healthcare, government, information technology, engineering, and energy. The agencies behind the advisory, among them the Australian Federal Police (AFP), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), are working together to counter these persistent threats.
In addition to brute force tactics, the cyber actors have employed multi-factor authentication (MFA) prompt bombing, also known as MFA fatigue, to penetrate networks. This technique bombards users with push notifications, hoping to annoy or trick them into approving unauthorized access requests. According to Ray Carney, director of research at Tenable, the best defense against this method is phishing-resistant MFA. However, if that's not feasible, using number matching as a backup can provide additional security. The goal of these attacks is to steal credentials and network information that can be sold to other cybercriminals, enabling further infiltration and malicious activity.
Once initial access is gained, the attackers conduct in-depth reconnaissance using tools like Cobalt Strike and escalate their privileges through vulnerabilities such as CVE-2020-1472 (Zerologon). The threat actors also register their own devices with MFA to maintain access to compromised networks. This trend highlights a growing collaboration between nation-state hackers and cybercriminal groups, as seen in a report by Microsoft, where financial gain and geopolitical motives increasingly drive these operations. The advisory comes shortly after guidance from the Five Eyes nations on protecting Active Directory, a critical target for attackers seeking to compromise enterprise IT networks.
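The three behaviours described above (password spraying against many accounts from one source, MFA push bombing of a single user, and a new MFA device being registered soon afterwards) each leave a distinct pattern in authentication logs. The following detector is an added example, not code from the advisory or any of the agencies named; it assumes a constructed, simplified log format (`timestamp,event,user,source_ip,result`) and illustrative thresholds that a real deployment would tune to its own baseline.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
Event = namedtuple("Event", "ts event user ip result")

# Constructed sample log (not real data). Fields: timestamp,event,user,source_ip,result
# One source tries one password against six accounts, lands on "bob", hammers bob with
# push prompts until one is approved, then registers a new MFA device for bob.
SAMPLE_LOG = """\
2023-10-12T08:00:01Z,login,alice,203.0.113.7,failure
2023-10-12T08:00:06Z,login,bob,203.0.113.7,failure
2023-10-12T08:00:11Z,login,carol,203.0.113.7,failure
2023-10-12T08:00:16Z,login,dave,203.0.113.7,failure
2023-10-12T08:00:21Z,login,erin,203.0.113.7,failure
2023-10-12T08:00:26Z,login,frank,203.0.113.7,failure
2023-10-12T08:02:00Z,login,bob,203.0.113.7,success
2023-10-12T08:05:00Z,mfa_push,bob,203.0.113.7,denied
2023-10-12T08:05:40Z,mfa_push,bob,203.0.113.7,denied
2023-10-12T08:06:20Z,mfa_push,bob,203.0.113.7,denied
2023-10-12T08:07:00Z,mfa_push,bob,203.0.113.7,denied
2023-10-12T08:08:30Z,mfa_push,bob,203.0.113.7,approved
2023-10-12T09:30:00Z,mfa_device_add,bob,203.0.113.7,success
2023-10-12T08:10:00Z,login,grace,198.51.100.5,failure
2023-10-12T08:10:20Z,login,grace,198.51.100.5,success
2023-10-12T10:00:00Z,mfa_device_add,heidi,198.51.100.9,success
"""


def parse_log(text):
    """Parse comma-separated lines into Event tuples, ordered by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, ip, result = line.strip().split(",")
        events.append(Event(datetime.strptime(ts, TS_FMT), event, user, ip, result))
    return sorted(events, key=lambda e: e.ts)


def _windowed(items, window):
    """For a time-sorted list, yield (start, items that fall within window of start)."""
    for i, start in enumerate(items):
        yield start, [x for x in items[i:] if x.ts - start.ts <= window]


def detect_password_spray(events, min_accounts=5, window=timedelta(hours=1)):
    """Flag a source IP whose failed logins touch >= min_accounts distinct users in window.
    A few failures on one account is normal; many accounts from one source is spraying."""
    by_ip = defaultdict(list)
    for e in events:
        if e.event == "login" and e.result == "failure":
            by_ip[e.ip].append(e)
    alerts = []
    for ip, fails in by_ip.items():
        for start, span in _windowed(fails, window):
            users = {f.user for f in span}
            if len(users) >= min_accounts:
                alerts.append((ip, len(users), start.ts))
                break
    return alerts


def detect_mfa_fatigue(events, min_pushes=4, window=timedelta(minutes=10)):
    """Flag a user who receives >= min_pushes push prompts in window, approved or not."""
    by_user = defaultdict(list)
    for e in events:
        if e.event == "mfa_push":
            by_user[e.user].append(e)
    alerts = []
    for user, pushes in by_user.items():
        for start, span in _windowed(pushes, window):
            if len(span) >= min_pushes:
                alerts.append((user, len(span), start.ts))
                break
    return alerts


def detect_post_fatigue_enrollment(events, fatigue_alerts, window=timedelta(hours=24)):
    """Flag a new MFA device registered for a user within window after that user was
    flagged for push fatigue: the persistence step the advisory describes."""
    flagged = {user: ts for user, _, ts in fatigue_alerts}
    return [
        (e.user, e.ts) for e in events
        if e.event == "mfa_device_add" and e.user in flagged
        and timedelta(0) <= e.ts - flagged[e.user] <= window
    ]


def run_detections(text):
    """Run all three rules over a log text and return the hits per rule."""
    events = parse_log(text)
    fatigue = detect_mfa_fatigue(events)
    return {
        "password_spray": detect_password_spray(events),
        "mfa_fatigue": fatigue,
        "post_fatigue_enrollment": detect_post_fatigue_enrollment(events, fatigue),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOG).items():
        print(rule, hits)
```

Running it against the sample flags `203.0.113.7` for spraying six accounts, `bob` for five push prompts in under four minutes, and bob's device registration ninety minutes later, while grace's two attempts and heidi's enrollment stay quiet. The third rule is the one worth keeping even where the first two are noisy: an MFA enrollment shortly after a burst of prompts is a strong, low-volume signal that an approved prompt was not the user's own.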