Iranian hackers set their sights on critical orgs’ passwords, CISA warns


Attackers are focusing on government, IT, energy, and other sectors, aiming to get their hands on access credentials, a prized item among high-level threat actors.

American, Australian, and Canadian cyber watchdogs have warned of Iranian hackers brute-forcing their way into critical infrastructure organizations. Areas of utmost interest for attackers are the healthcare and public health (HPH), government, information technology, engineering, and energy sectors, a joint advisory said.

Interestingly, the attackers may not be primarily interested in disrupting their targets. The authorities believe the most probable aim is to obtain network access and a description of an organization’s systems, which can later be sold to the highest bidder.


The modus operandi is known as “initial access brokering” in the infosec business: the Iranian hackers supply the details needed to access the network, and their clients carry out the actual intrusion. Initial access brokers are rarely picky about who they sell stolen credentials to, whether a financially motivated cybergang or a nation-state.

According to the advisory, Iranian hackers often attempt to brute-force their way into target organizations using password spraying and “push bombing” techniques. The latter abuses multifactor authentication by flooding a victim’s device with repeated push notifications in the hope that the victim will eventually approve one of them by mistake.
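Both techniques leave a recognisable footprint in authentication logs: password spraying shows up as one source failing against many distinct accounts in a short window, and push bombing as a burst of MFA prompts to a single user. The detector below is an added example written for this article, not code from the advisory or the agencies behind it; the one-line log format, the sample entries, and the thresholds (5 distinct accounts in 10 minutes, 4 prompts in 5 minutes) are all constructed assumptions to be tuned against a real identity provider’s logs.

```python
"""Flag password-spraying and MFA push-bombing patterns in authentication logs.

Added example for this article; the log format and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <event> user=<name> src=<ip>"
# where event is LOGIN_FAIL, LOGIN_OK, MFA_PUSH_SENT or MFA_PUSH_APPROVED.
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) src=(\S+)$")

# Constructed sample: one source sprays five accounts, lands on dave's
# password, then bombards dave with pushes until one is approved. A second
# source shows a normal user mistyping a password twice, then succeeding.
SAMPLE_LOG = """\
2024-10-16T09:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2024-10-16T09:00:04 LOGIN_FAIL user=bob src=203.0.113.7
2024-10-16T09:00:07 LOGIN_FAIL user=carol src=203.0.113.7
2024-10-16T09:00:10 LOGIN_OK user=dave src=203.0.113.7
2024-10-16T09:00:13 LOGIN_FAIL user=erin src=203.0.113.7
2024-10-16T09:00:16 LOGIN_FAIL user=frank src=203.0.113.7
2024-10-16T09:01:00 MFA_PUSH_SENT user=dave src=203.0.113.7
2024-10-16T09:01:30 MFA_PUSH_SENT user=dave src=203.0.113.7
2024-10-16T09:02:00 MFA_PUSH_SENT user=dave src=203.0.113.7
2024-10-16T09:02:30 MFA_PUSH_SENT user=dave src=203.0.113.7
2024-10-16T09:03:00 MFA_PUSH_SENT user=dave src=203.0.113.7
2024-10-16T09:03:05 MFA_PUSH_APPROVED user=dave src=203.0.113.7
2024-10-16T09:10:00 LOGIN_FAIL user=alice src=198.51.100.5
2024-10-16T09:10:20 LOGIN_FAIL user=alice src=198.51.100.5
2024-10-16T09:10:40 LOGIN_OK user=alice src=198.51.100.5
2024-10-16T09:11:00 MFA_PUSH_SENT user=alice src=198.51.100.5
2024-10-16T09:11:10 MFA_PUSH_APPROVED user=alice src=198.51.100.5
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "src": src})
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src: sorted accounts} for sources whose failed logins touch at
    least `min_users` distinct accounts inside any `window`-long span.
    A single user failing repeatedly from one source is not a spray."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["src"]].append((e["ts"], e["user"]))
    hits = {}
    for src, attempts in fails.items():
        attempts.sort()
        best = set()
        for i, (start, _) in enumerate(attempts):  # sliding window from each failure
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            hits[src] = sorted(best)
    return hits


def detect_push_bombing(events, window=timedelta(minutes=5), min_pushes=4):
    """Return {user: prompt count} for users who received at least
    `min_pushes` MFA push prompts inside any `window`-long span."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "MFA_PUSH_SENT":
            pushes[e["user"]].append(e["ts"])
    hits = {}
    for user, times in pushes.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            best = max(best, sum(1 for t in times[i:] if t - start <= window))
        if best >= min_pushes:
            hits[user] = best
    return hits


def analyze(text):
    """Run both detectors over raw log text and return their findings."""
    events = parse_log(text)
    return {"password_spray": detect_password_spray(events),
            "push_bombing": detect_push_bombing(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the constructed sample the spray detector flags 203.0.113.7 (five distinct accounts in fifteen seconds) while ignoring 198.51.100.5, whose two failures all belong to alice, and the push detector flags dave (five prompts in two minutes) but not alice’s single prompt. A push-bombing hit followed by an MFA_PUSH_APPROVED event for the same user is the case worth treating as a probable compromise rather than a nuisance.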

Once Iranian hackers go past the first line of defense, they roam the compromised network, collecting additional details that could later be used to gain access to connected systems. The broader the access, the higher the price attackers may later demand from buyers on dark web forums.

A joint advisory from the FBI, CISA, NSA, the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) provides organizations with guidance on securing their systems against such intrusions.

However, the advisory notes that the minimum all organizations should do is ensure that every single account holder employs a strong password and uses at least two forms of authentication.