An advisory from the CISA, FBI, NSA, their and international partners has been released, warning that Iranian cyber actors are targeting critical infrastructure entities via brute force. The advisory states that since October of 2023, Iranian cyber actors have leveraged brute force and password spraying to compromise user accounts, thus gaining access to organizations in government, information technology, energy, engineering and healthcare and public health (HPH) sectors. 

 Avishai Avivi, CISO at SafeBreach, comments, “The CISA alert of Iranian cyber actors’ brute force and credential access activity is a good reminder — especially during Cybersecurity Awareness Month — that these malicious actors are working to abuse ‘Multifactor Authentication (MFA) Exhaustion.’ If, as a good cyber-aware person, you’ve enabled MFA on your social networking, WhatsApp or other messaging apps, and bank accounts, you may have grown used to getting and approving MFA requests. The malicious actors hope you won’t pay attention and approve any MFA push notification you may receive. So, as a reminder, when you are prompted to authorize a session, please take a quick second to verify that you are the one who made that request. Malicious actors are constantly testing credentials they’ve obtained through breaches. They hope that the combination of these credentials and MFA exhaustion will let them take over your account. While the CISA alert specifically mentions critical infrastructure as the target of these malicious actors, this diligence is important to prevent access to your work and personal accounts.”

Threat actors leveraging lateral movement 

While the warning discusses Iranian cyber actors, it is important to keep in mind that these cyber actors are not the only nation-state actors utilizing lateral movement. James Winebrenner, Chief Executive Officer at Elisity, discusses some other instances of nation-state threat actors using similar tactics. 

“On October 16, 2024, FBI, CISA, NSA, and other global government agencies published an advisory about how Iranian cyber actors recently compromised critical infrastructure organizations using brute force attacks and MFA bombing, then performed network discovery and lateral movement. This is just one more example of a nation-state cyber attack that used lateral movement,” Winebrenner states. “Also in 2024, China’s Volt Typhoon group compromised IT networks of multiple critical infrastructure organizations in the United States, using lateral movement to access operational technology assets for potential disruptive attacks. North Korean hackers targeted aerospace and defense organizations with a new ransomware variant called FakePenny, using lateral movement for intelligence gathering. A modern identity-based microsegmentation platform would detect and prevent such unauthorized lateral movement attempts, preventing attackers from accessing sensitive systems even if initial credentials are compromised. CISOs and security architects want to look for a platform that provides comprehensive asset discovery and visibility and enables identity-based policies that enforce least-privilege access across users, devices and applications, significantly reducing the attack surface and stopping threat actors from moving laterally within the network.”

Defending against brute force credential attacks

The advisory encourages critical infrastructure organizations to use strong password and MFA. Furthermore, the advisory provides details regarding indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) deployed by Iranian cyber actors to help organizations identify the threat group’s methods. 

“The advisory highlights the need for organizations across healthcare, government, energy and information technology to reinforce their defenses against advanced tactics, including brute force credential attacks,” says Ryan Patrick, VP of Adoption at HITRUST. “Cybercriminals are increasingly sophisticated in their efforts to exploit vulnerabilities and sell access to compromised networks, putting critical infrastructure at risk. A key aspect of preventing these attacks lies in integrating threat intelligence into cybersecurity strategies. Assessments and controls informed by up-to-date threat intelligence are crucial in identifying and mitigating emerging risks. By embedding intelligence-driven controls into their operational security, organizations can proactively defend against evolving tactics used by cybercriminals, including brute force attacks. This continuous monitoring and refinement process allows for stronger protection of sensitive data and critical infrastructure.”