The US government, along with its allies Canada and Australia, has warned of a growing threat from Iranian hackers who are breaching critical infrastructure organizations. These hackers act as brokers, selling access to networks that can be used by other cyberattackers.
Iranian hackers use brute-force techniques, such as password spraying and multifactor authentication “push bombing,” to gain unauthorized access to healthcare and public health, government, information technology, engineering, and energy sectors. They aim to obtain persistent access to the target network, often using these techniques to escalate privileges and learn about the breached systems.
The hackers also use as-yet-undetermined methods to gain initial access to Microsoft 365, Azure, and Citrix environments. Once inside, they typically try to register their own devices with the organization’s MFA system or exploit Microsoft’s Netlogon privilege escalation vulnerability.
To detect these attacks, organizations should review authentication logs for failed logins on valid accounts and expand their search to multiple accounts. They should also look for unusual activity, such as MFA registrations from unfamiliar devices or processes that may indicate credential dumping.
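The three detection steps above (failed logins spread across many valid accounts, bursts of MFA push prompts to one user, and MFA device registrations from devices never seen before) can be expressed as simple sliding-window checks over authentication events. The following Python is an added example, not code from the advisory or the article; the log format, the sample lines, the account list, and the thresholds are all constructed here for illustration.

```python
"""Detection heuristics over constructed authentication log lines.

Checks (thresholds are illustrative assumptions, tune them to your environment):
  1. password spraying: one source IP fails against many distinct valid accounts
     inside a short window (few attempts per account, many accounts)
  2. MFA push bombing: a burst of MFA push prompts aimed at one account
  3. MFA device registration from a device that never authenticated for that user
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the advisory). One event per line:
# timestamp|event|user|source_ip|device_id|outcome   ("-" means no device id)
SAMPLE_LOG = """\
2024-10-16T08:00:01|login|alice|203.0.113.7|-|failure
2024-10-16T08:00:03|login|bob|203.0.113.7|-|failure
2024-10-16T08:00:05|login|carol|203.0.113.7|-|failure
2024-10-16T08:00:07|login|dave|203.0.113.7|-|failure
2024-10-16T08:00:09|login|erin|203.0.113.7|-|failure
2024-10-16T08:00:11|login|ghost|203.0.113.7|-|failure
2024-10-16T08:02:00|login|alice|198.51.100.20|dev-a1|failure
2024-10-16T08:02:30|login|alice|198.51.100.20|dev-a1|success
2024-10-16T08:10:00|mfa_push|bob|203.0.113.7|-|sent
2024-10-16T08:10:20|mfa_push|bob|203.0.113.7|-|sent
2024-10-16T08:10:40|mfa_push|bob|203.0.113.7|-|sent
2024-10-16T08:11:00|mfa_push|bob|203.0.113.7|-|sent
2024-10-16T08:11:20|mfa_push|bob|203.0.113.7|-|sent
2024-10-16T08:11:40|mfa_push|bob|203.0.113.7|-|approved
2024-10-16T08:12:00|login|bob|203.0.113.7|-|success
2024-10-16T08:13:00|mfa_register|bob|203.0.113.7|dev-zz9|success
2024-10-16T09:00:00|mfa_register|alice|198.51.100.20|dev-a1|success
"""

# Constructed directory of valid accounts; "ghost" is not in it, so its failure
# is a guess at a nonexistent user and does not count as a failure on a valid account.
KNOWN_ACCOUNTS = {"alice", "bob", "carol", "dave", "erin"}


def parse_log(text):
    """Parse the pipe-delimited sample format into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, ip, device, outcome = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "ip": ip, "device": device, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Map source IP -> sorted valid accounts it failed against within one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["outcome"] == "failure" and e["user"] in KNOWN_ACCOUNTS:
            by_ip[e["ip"]].append((e["ts"], e["user"]))
    findings = {}
    for ip, items in by_ip.items():
        for i, (start, _) in enumerate(items):
            accounts = {u for ts, u in items[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                findings[ip] = sorted(accounts)
                break
    return findings


def detect_push_bombing(events, window=timedelta(minutes=5), min_pushes=5):
    """Map user -> largest number of MFA push prompts received within one window."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e["ts"])
    findings = {}
    for user, stamps in by_user.items():
        for i, start in enumerate(stamps):
            burst = [t for t in stamps[i:] if t - start <= window]
            if len(burst) >= min_pushes:
                findings[user] = max(findings.get(user, 0), len(burst))
    return findings


def detect_unfamiliar_mfa_registration(events):
    """List (user, device, ip) for MFA registrations from devices with no prior
    successful login for that user. Events must be chronological."""
    seen = defaultdict(set)
    findings = []
    for e in events:
        if e["event"] == "login" and e["outcome"] == "success" and e["device"] != "-":
            seen[e["user"]].add(e["device"])
        elif e["event"] == "mfa_register" and e["device"] not in seen[e["user"]]:
            findings.append((e["user"], e["device"], e["ip"]))
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("password spray:", detect_password_spray(evts))
    print("push bombing:", detect_push_bombing(evts))
    print("unfamiliar MFA registration:", detect_unfamiliar_mfa_registration(evts))
```

On the sample, the first check flags 203.0.113.7 for five valid accounts, the second flags bob for six prompts in under two minutes, and the third flags bob's registration of dev-zz9 while alice's registration of dev-a1 (a device she had already logged in from) passes. Real deployments would feed the same logic from the identity provider's sign-in and MFA registration logs rather than a flat file, and would correlate the three findings: a spray followed by a push burst and a new-device registration on the same account is the sequence the advisory describes.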
The US government has issued a joint advisory with its allies to provide guidance on detecting and mitigating these attacks. The advisory includes a set of indicators of compromise and recommendations for improving an organization’s security posture against Iranian hackers’ tactics, techniques, and procedures.
Source: https://www.bleepingcomputer.com/news/security/iranian-hackers-act-as-brokers-selling-critical-infrastructure-access/