You could call the brute force used by Iranian threat actors to compromise organizations across multiple critical infrastructures ‘textbook APT,’ John Terrill, CISO at Phosphorus, says. But this one could signal an escalation, leading CISA to publish the alert.
Per ISS Source, Iranian cyber actors are using brute force and other techniques to target sectors including engineering, energy, healthcare and public health (HPH), government, and information technology. These threat actors aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cyber criminals.
In this advisory, global security agencies said since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations.
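The two techniques the advisory names, password spraying and MFA push bombing, leave distinct patterns in authentication logs that a defender can alert on. The following is an added example written for this page, not code from the advisory, ISS Source, or Phosphorus: it parses a handful of constructed log lines (the `src=`/`user=`/`event=` key-value format and every value in them are invented for illustration) and flags the two patterns with simple sliding-window rules.

```python
"""Detect password spraying and MFA push bombing in authentication logs.

Added example for illustration only. The log format (ISO timestamp followed by
src=, user= and event= fields) and the sample events are constructed, not taken
from any real product or incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one spray source, one benign user, one push-bombed user.
SAMPLE_EVENTS = [
    "2023-10-12T08:00:01Z src=203.0.113.7 user=alice event=login_failed",
    "2023-10-12T08:00:03Z src=203.0.113.7 user=bob event=login_failed",
    "2023-10-12T08:00:05Z src=203.0.113.7 user=carol event=login_failed",
    "2023-10-12T08:00:07Z src=203.0.113.7 user=dave event=login_failed",
    "2023-10-12T08:00:09Z src=203.0.113.7 user=erin event=login_failed",
    "2023-10-12T08:00:11Z src=203.0.113.7 user=frank event=login_failed",
    # Benign: a single user mistypes twice, then succeeds.
    "2023-10-12T08:05:00Z src=198.51.100.9 user=alice event=login_failed",
    "2023-10-12T08:05:20Z src=198.51.100.9 user=alice event=login_failed",
    "2023-10-12T08:05:40Z src=198.51.100.9 user=alice event=login_ok",
    # Push bombing: repeated MFA prompts to one user until one is approved.
    "2023-10-12T08:10:00Z src=203.0.113.7 user=bob event=mfa_push_sent",
    "2023-10-12T08:10:05Z src=203.0.113.7 user=bob event=mfa_push_denied",
    "2023-10-12T08:10:30Z src=203.0.113.7 user=bob event=mfa_push_sent",
    "2023-10-12T08:10:35Z src=203.0.113.7 user=bob event=mfa_push_denied",
    "2023-10-12T08:11:00Z src=203.0.113.7 user=bob event=mfa_push_sent",
    "2023-10-12T08:11:30Z src=203.0.113.7 user=bob event=mfa_push_sent",
    "2023-10-12T08:12:00Z src=203.0.113.7 user=bob event=mfa_push_sent",
    "2023-10-12T08:12:10Z src=203.0.113.7 user=bob event=mfa_push_approved",
    # Benign: one prompt, one approval.
    "2023-10-12T08:20:00Z src=198.51.100.9 user=alice event=mfa_push_sent",
    "2023-10-12T08:20:04Z src=198.51.100.9 user=alice event=mfa_push_approved",
]


def parse_event(line):
    """Turn one constructed log line into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Map source IP -> distinct usernames it failed against inside one window.

    Spraying tries one or a few passwords across many accounts, so the signal is
    breadth of usernames per source, not depth of failures per account.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            by_src[e["src"]].append(e)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = max(hits.get(src, 0), len(users))
    return hits


def detect_push_bombing(events, window=timedelta(minutes=5), min_pushes=5):
    """Map user -> {'pushes': n, 'approved': bool} for bursts of MFA prompts.

    A burst of prompts is the fatigue attempt; an approval shortly after the
    burst is the sign that it worked and the account needs immediate response.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"].startswith("mfa_push_"):
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        pushes = [e for e in evs if e["event"] == "mfa_push_sent"]
        start = 0
        for end in range(len(pushes)):
            while pushes[end]["ts"] - pushes[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= min_pushes:
                lo, hi = pushes[start]["ts"], pushes[end]["ts"] + window
                approved = any(e["event"] == "mfa_push_approved" and lo <= e["ts"] <= hi
                               for e in evs)
                prev = hits.get(user, {"pushes": 0, "approved": False})
                hits[user] = {"pushes": max(prev["pushes"], count),
                              "approved": prev["approved"] or approved}
    return hits


def analyze(lines):
    """Run both detectors over raw log lines and return their findings."""
    events = [parse_event(l) for l in lines]
    return {"spray": detect_password_spray(events),
            "push_bombing": detect_push_bombing(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The thresholds (five usernames in ten minutes, five prompts in five minutes) are placeholders to tune against a real baseline; a source that fails against many accounts in a short window with few failures per account is the spray signature, and a user who receives a burst of prompts and then approves one is the push-bombing case that should trigger an immediate credential reset and session review rather than a low-priority ticket.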
As John Terrill tells Industrial Cyber:
“There’s nothing particularly groundbreaking from this alert as it follows a series of common patterns you could describe as ‘textbook APT.’ I think what’s interesting is how common MFA bypass has become. Push bombing or MFA fatigue was really only observed in account takeovers related to crypto accounts. This could be a natural progression of the actors’ TTPs, but it could also signal an escalation, which is why CISA felt it necessary to publish this alert.”
He goes on to say that brute forcing accounts and exploiting default or weak passwords is nothing new. The issues are commonly faced in IoT and OT environments, but there’s an assumption that modern IT environments have them under better control.