FBI, CISA, NSA Warn of Iranian Cyberattacks on Critical Infrastructure
In a significant cybersecurity alert, multiple agencies, including the FBI, CISA, NSA, and international partners, have issued a joint advisory warning of increasing cyber activity targeting critical infrastructure by Iranian cyber actors. The advisory outlines the threat posed by these actors who have been actively using brute force techniques like password spraying and multi-factor authentication (MFA) ‘push bombing’ to compromise organizations across sectors such as healthcare, government, energy, and information technology.
Since October 2023, Iranian actors have escalated their efforts to infiltrate critical infrastructure, with the primary goal of obtaining credentials and detailed information about the victims’ networks. “The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals,” the advisory states.
A particularly concerning aspect of these attacks is the use of MFA fatigue or ‘push bombing’—where legitimate users are bombarded with repeated MFA requests in an attempt to wear them down into inadvertently approving the attacker’s access. Once inside, the attackers typically modify MFA registrations to maintain persistence on the compromised network, making it even harder for defenders to detect the intrusion.
The advisory notes that these actors use a variety of methods to gain access to systems, primarily through valid user credentials obtained via brute force attacks. “The actors use valid user and group email accounts, frequently obtained via brute force such as password spraying,” explains the report. With access secured, the attackers quickly move to register their own devices with MFA, thereby locking out legitimate users and reinforcing their control over the compromised accounts.
In one documented case, attackers leveraged a self-service password reset (SSPR) tool on a public-facing Active Directory Federation Service (ADFS) to reset expired passwords and then registered new MFA devices through Okta for accounts that had not yet been protected.
Once inside the network, the attackers further escalate their attacks by moving laterally through systems using tools like Remote Desktop Protocol (RDP). The advisory specifies how these actors have been known to exploit Citrix systems for external access, using RDP to “open PowerShell to launch the RDP binary mstsc.exe,” thereby gaining broader access to the network.
The attackers also utilize open-source tools such as DomainPasswordSpray.ps1 to conduct password spraying attacks. In multiple instances, they performed “Kerberos Service Principal Name (SPN) enumeration of several service accounts” to obtain Kerberos tickets for additional credentials, further increasing their access to sensitive systems.
Organizations are urged to implement robust cybersecurity defenses, particularly around MFA and password security. The advisory provides several recommendations, including ensuring that all accounts use strong passwords, conducting continuous reviews of MFA settings, and implementing phishing-resistant MFA where possible. Additionally, regular reviews of logs for suspicious login attempts and the use of network-based anomaly detection tools are advised to detect and mitigate brute force and credential access activities.
“The authoring agencies recommend critical infrastructure organizations follow the guidance provided in the Mitigations section. At a minimum, organizations should ensure all accounts use strong passwords and register a second form of authentication,” the advisory concludes.
