Australian agencies join international partners in warning of Iranian hacking campaign
The AFP and ASD’s ACSC have issued a joint advisory outlining Iranian threat actors’ “brute force” tactics against critical infrastructure entities.
The Australian Federal Police (AFP) and the Australian Cyber Security Centre (ACSC) of the Australian Signals Directorate (ASD) have today (October 17) issued a joint advisory with other international agencies to warn of an ongoing Iranian-backed cyber campaign targeting critical infrastructure.
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) of the United States were also signatories, alongside the Communications Security Establishment Canada.
Iranian threat actors have been observed using a wide range of techniques to access the networks of critical infrastructure entities in the IT, government, healthcare, energy and engineering sectors, particularly “brute force” tactics such as password spraying and a technique known as push bombing to bypass multi-factor authentication. The activity has been observed since October 2023.
According to Ray Carney, research director at cybersecurity firm Tenable, push bombing “is a tactic employed by threat actors who flood or bombard a user with MFA push notifications in an attempt to manipulate the user into approving the request, either unintentionally or out of boredom”.
“This tactic is also called MFA fatigue,” Carney said.
Iranian hackers also used publicly available password reset systems to gain access to accounts with expired passwords.
Once an account has been compromised, the bad actors register MFA again – on their own devices – to maintain persistence, then perform network reconnaissance, looking for more user credentials and any information that could give access to additional points on the network.
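The tactics described above (password spraying, push bombing, and re-registering MFA on an attacker-controlled device after a compromise) each leave a distinctive trace in identity-provider logs. The following is an added defender-side example, not tooling from the advisory or from any of the agencies named here: it runs three simple detection heuristics over a constructed sample log. The log format, event names, source addresses and thresholds are assumptions and should be tuned to your own identity provider's logs.

```python
"""Detection heuristics for password spraying, MFA push bombing and
post-compromise MFA re-enrollment, run over constructed sample log lines.
Added example, not the advisory's own tooling; format and thresholds are assumed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs, fictional users).
# Format: "<ISO8601 timestamp> <user> <source_ip> <event>"
SAMPLE_LOG = """\
2023-10-05T02:00:01Z alice 203.0.113.7 LOGIN_FAIL
2023-10-05T02:00:04Z bob 203.0.113.7 LOGIN_FAIL
2023-10-05T02:00:07Z carol 203.0.113.7 LOGIN_FAIL
2023-10-05T02:00:10Z dave 203.0.113.7 LOGIN_FAIL
2023-10-05T02:00:13Z erin 203.0.113.7 LOGIN_FAIL
2023-10-05T02:00:16Z frank 203.0.113.7 LOGIN_FAIL
2023-10-05T02:06:00Z frank 203.0.113.7 LOGIN_OK
2023-10-05T02:06:10Z frank 203.0.113.7 MFA_PUSH_SENT
2023-10-05T02:06:40Z frank 203.0.113.7 MFA_PUSH_SENT
2023-10-05T02:07:15Z frank 203.0.113.7 MFA_PUSH_SENT
2023-10-05T02:07:50Z frank 203.0.113.7 MFA_PUSH_SENT
2023-10-05T02:08:30Z frank 203.0.113.7 MFA_PUSH_SENT
2023-10-05T02:08:35Z frank 203.0.113.7 MFA_PUSH_APPROVED
2023-10-05T02:15:00Z frank 203.0.113.7 MFA_DEVICE_ADDED
2023-10-05T09:00:20Z grace 198.51.100.4 LOGIN_OK
2023-10-05T09:00:21Z grace 198.51.100.4 MFA_PUSH_SENT
2023-10-05T09:00:30Z grace 198.51.100.4 MFA_PUSH_APPROVED
2023-10-05T10:00:00Z alice 192.0.2.10 LOGIN_OK
2023-10-05T10:05:00Z alice 192.0.2.10 MFA_DEVICE_ADDED
"""


def parse_log(text):
    """Parse lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, event = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "event": event})
    return sorted(events, key=lambda e: e["ts"])


def _max_in_window(timestamps, window, labels=None):
    """Max number of items (or of distinct labels) inside any sliding window."""
    best, left, seen = 0, 0, Counter()
    for right, ts in enumerate(timestamps):
        seen[labels[right] if labels else right] += 1
        while ts - timestamps[left] > window:   # drop items older than the window
            key = labels[left] if labels else left
            seen[key] -= 1
            if seen[key] == 0:
                del seen[key]
            left += 1
        best = max(best, len(seen))
    return best


def detect_password_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Source IPs with failed logins against many distinct accounts in one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            by_ip[e["ip"]].append(e)
    return {ip for ip, fails in by_ip.items()
            if _max_in_window([f["ts"] for f in fails], window,
                              [f["user"] for f in fails]) >= min_users}


def detect_push_bombing(events, window=timedelta(minutes=5), min_pushes=4):
    """Users who received a burst of MFA push prompts (the MFA fatigue pattern)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "MFA_PUSH_SENT":
            by_user[e["user"]].append(e["ts"])
    return {u for u, ts in by_user.items() if _max_in_window(ts, window) >= min_pushes}


def detect_mfa_reenrollment(events, spray_ips):
    """New MFA devices registered from an IP already flagged for spraying:
    the persistence step the advisory describes."""
    return {(e["user"], e["ip"]) for e in events
            if e["event"] == "MFA_DEVICE_ADDED" and e["ip"] in spray_ips}


def run(text=SAMPLE_LOG):
    """Apply all three heuristics and return the flagged entities."""
    events = parse_log(text)
    spray = detect_password_spraying(events)
    return {"spray_ips": spray,
            "push_bombed_users": detect_push_bombing(events),
            "suspicious_mfa_enrollments": detect_mfa_reenrollment(events, spray)}


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {sorted(hits)}")
```

On the sample data the spraying heuristic flags 203.0.113.7 (six distinct accounts within seconds), the push-bombing heuristic flags `frank` (five prompts in under three minutes), and the enrollment heuristic flags the new device `frank` registered from the same spraying address, while `alice`'s enrollment from an unrelated address and `grace`'s single prompt are left alone. Chaining the third check on the output of the first is what separates a benign device re-registration from the persistence step.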
The hackers also use Remote Desktop Protocol and PowerShell for lateral movement, and living-off-the-land techniques to gather more network and user information. In some cases data has been exfiltrated, but overall the Iranian actors are selling harvested credentials and network access on criminal hacking forums, leading to further malicious activity.
“Selling access to systems following a compromise can have a wide range of direct and indirect consequences, such as ransomware attacks, data breaches, supply chain breaches and direct control of compromised systems, leading to escalation and secondary impacts to downstream users, like power outages or water contamination,” Carney said.
“This is a serious problem that critical infrastructure operators have a responsibility to their customers to resolve.”
Read the full advisory, with detailed indicators of compromise and mitigation tips, here.