Iranian Cyber Actors’ Brute Fo... Note

Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Communications Security Establishment Canada (CSE), Australian Federal Police (AFP), and Australian Cyber Security Centre (ASD's ACSC) have released a joint Cybersecurity Advisory to warn of Iranian cyber actors' use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors. The actors likely aim to obtain credentials and network information that can then be sold to cybercriminals. The actors use brute force, such as password spraying, and multifactor authentication (MFA) 'push bombing' to compromise user accounts and obtain access to organizations. They leverage virtual private network (VPN) services for command and control. To detect brute force activity, review authentication logs for system and application login failures of valid accounts and look for multiple, failed authentication attempts across all accounts. Implementing phishing-resistant MFA and disabling user accounts and access to organizational resources for departing staff can help minimize system exposure.