Australian agencies join international partners to warn of Iranian hacking campaign

AFP and ASD ACSC have published a joint advisory outlining “brute force” tactics by Iranian threat actors against critical infrastructure entities.

The Australian Federal Police (AFP) and the Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) published a joint advisory today (October 17) with other international agencies to warn of an ongoing cyber campaign supported by Iran targeting critical infrastructure.

The United States FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the United States National Security Agency (NSA) were also signatories, along with the Canadian Communications Security Establishment.

Iranian threat actors have been observed using a wide range of techniques to gain network access to critical infrastructure entities in the IT, government, healthcare, energy and engineering sectors, particularly “brute force” tactics such as password spraying and a technique known as push bombing to bypass multi-factor authentication (MFA). The activity has been observed since October 2023.

According to cybersecurity company Tenable research director Ray Carney, push bombing “is a tactic employed by threat actors who flood or bombard a user with MFA push notifications with the goal of manipulating them into approving the request, whether inadvertently or out of inconvenience”.

“This tactic is also known as MFA fatigue,” Carney said.

Iranian hackers have also used public password reset systems to gain access to accounts that use expired passwords.

Once an account has been compromised, threat actors register MFA again (on their own devices) to maintain persistence and then perform network reconnaissance, looking for more user credentials and any information that could provide additional access on the network.
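The two behaviours described above, a burst of MFA push prompts to one user (push bombing) followed by a new MFA device being registered on that account, can both be spotted in identity-provider audit logs. The following is an added detection sketch, not code from the advisory or from any of the agencies; the event names and the sample records are constructed for illustration and would need mapping to a real IdP's sign-in and MFA audit events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider events for illustration (not real logs).
# Each record: (ISO timestamp, user, source IP, event name). Event names are
# hypothetical; map them to your own IdP's sign-in and MFA audit events.
SAMPLE_EVENTS = [
    ("2024-10-17T01:00:00", "alice", "203.0.113.5", "mfa_push_sent"),
    ("2024-10-17T01:00:40", "alice", "203.0.113.5", "mfa_push_sent"),
    ("2024-10-17T01:01:20", "alice", "203.0.113.5", "mfa_push_sent"),
    ("2024-10-17T01:02:00", "alice", "203.0.113.5", "mfa_push_sent"),
    ("2024-10-17T01:02:40", "alice", "203.0.113.5", "mfa_push_sent"),
    ("2024-10-17T01:03:10", "alice", "203.0.113.5", "mfa_push_approved"),
    ("2024-10-17T01:20:00", "alice", "203.0.113.5", "mfa_device_registered"),
    ("2024-10-17T08:00:00", "bob", "198.51.100.7", "mfa_push_sent"),
    ("2024-10-17T15:00:00", "bob", "198.51.100.7", "mfa_device_registered"),
]

def _parse(events):
    return sorted((datetime.fromisoformat(t), u, ip, e) for t, u, ip, e in events)

def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Users who received at least `threshold` MFA pushes inside one `window`
    (the push-bombing / MFA-fatigue pattern). Returns {user: burst_end_time}."""
    pushes = defaultdict(list)
    for ts, user, _ip, ev in _parse(events):
        if ev == "mfa_push_sent":
            pushes[user].append(ts)
    bursts = {}
    for user, times in pushes.items():
        start = 0
        for end, ts in enumerate(times):  # sliding window over sorted times
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[user] = ts
                break
    return bursts

def detect_mfa_reenrolment(events, grace=timedelta(hours=2)):
    """Of the users flagged by detect_push_bombing, those who registered a new
    MFA device within `grace` after the burst: the persistence step described
    in the advisory. Returns a sorted list of (user, source_ip)."""
    bursts = detect_push_bombing(events)
    hits = set()
    for ts, user, ip, ev in _parse(events):
        if (ev == "mfa_device_registered" and user in bursts
                and timedelta(0) <= ts - bursts[user] <= grace):
            hits.add((user, ip))
    return sorted(hits)
```

A registration with no preceding push burst (bob in the sample) is deliberately not flagged, so the rule stays quiet on routine device enrolment.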

Hackers also use Remote Desktop Protocol and PowerShell for lateral movement, and living-off-the-land techniques to gather more network and user information. In some cases, data was exfiltrated, but in general, Iranian actors sell collected credentials and network access on criminal hacking forums, leading to more malicious activity.

“Selling access to systems as a result of a compromise can have a wide range of direct and indirect consequences, such as ransomware attacks, data breaches, supply chain breaches, and direct control of the breached systems, resulting in escalation and secondary impacts for downstream users, such as power outages or water contamination,” Carney said.

“This is a serious problem that critical infrastructure operators have a responsibility to their customers to solve.”

Read the full advisory, with detailed indicators of compromise and mitigation advice, here.
