Global advisory issued on Iranian cyber threat tactics

A joint Cybersecurity Advisory has been issued by the FBI, CISA, NSA, Canadian CSE, Australian AFP, and ACSC to alert network defenders of Iranian cyber actors using brute force tactics to gain credentials and compromise organisations across multiple sectors.

The advisory addresses threats specifically aimed at critical infrastructure sectors such as healthcare and public health, government, information technology, engineering, and energy. Cyber experts have weighed in on the situation, providing insights and recommendations for mitigating such threats.

Avishai Avivi, Chief Information Security Officer at SafeBreach, highlighted the issue of 'Multifactor Authentication (MFA) Exhaustion' being exploited by malicious actors. He stated, "The CISA alert of Iranian cyber actors' brute force and credential access activity is a good reminder - especially during cybersecurity awareness month - that these malicious actors are working to abuse 'Multifactor Authentication (MFA) Exhaustion.' If, as a good cyber-aware person, you've enabled MFA on your social networking, WhatsApp or other messaging apps, and bank accounts, you may have grown used to getting and approving MFA requests. The malicious actors hope you won't pay attention and approve any MFA push notification you may receive."

"So, as a reminder, when you are prompted to authorise a session, please take a quick second to verify that you are the one who made that request. Malicious actors are constantly testing credentials they've obtained through breaches. They hope combining these credentials and MFA exhaustion will let them take over your account. While the CISA alert specifically mentions critical infrastructure as the target of these malicious actors, this diligence is important to prevent access to your work and personal accounts."

James Winebrenner, Chief Executive Officer of Elisity, elaborated on the use of lateral movement by nation-state actors. "On October 16, 2024, FBI, CISA, NSA, and other global government agencies published an advisory about how Iranian cyber actors recently compromised critical infrastructure organisations using brute force attacks and MFA bombing, then performed network discovery and lateral movement. This is just one more example of a nation-state cyber attack that used lateral movement. Also in 2024, China's Volt Typhoon group compromised IT networks of multiple critical infrastructure organisations in the U.S., using lateral movement to access operational technology assets for potential disruptive attacks. North Korean hackers targeted aerospace and defense organisations with a new ransomware variant called FakePenny, using lateral movement for intelligence gathering."

Winebrenner suggested the implementation of a modern identity-based micro-segmentation platform as a preventive measure against such breaches. He said, "A modern identity-based microsegmentation platform would detect and prevent such unauthorised lateral movement attempts, preventing attackers from accessing sensitive systems even if initial credentials are compromised. CISOs and security architects want to look for a platform that provides comprehensive asset discovery and visibility and enables identity-based policies that enforce least-privilege access across users, devices, and applications, significantly reducing the attack surface and stopping threat actors from moving laterally within the network."

Ryan Patrick, Vice President of Adoption at HITRUST, acknowledged the increasing threat posed by these cyber actors, especially in sectors such as healthcare. He stated, "In response to the recent joint advisory issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and their international counterparts, HITRUST acknowledges the escalating threat posed by Iranian cyber actors who are actively targeting critical infrastructure sectors, including healthcare and public health (HPH)."

Patrick stressed the importance of integrating threat intelligence into cybersecurity strategies to better safeguard sensitive data. "We recognise the critical importance of safeguarding sensitive data and systems in these highly targeted industries. The advisory highlights the need for organisations across healthcare, government, energy, and information technology to reinforce their defenses against advanced tactics, including brute force credential attacks. Cybercriminals are increasingly sophisticated in their efforts to exploit vulnerabilities and sell access to compromised networks, putting critical infrastructure at risk."

"A key aspect of preventing these attacks lies in integrating threat intelligence into cybersecurity strategies. HITRUST emphasises that assessments and controls informed by up-to-date threat intelligence are crucial in identifying and mitigating emerging risks. By embedding intelligence-driven controls into their operational security, organisations can proactively defend against evolving tactics used by cybercriminals, including brute force attacks. This continuous monitoring and refinement process allows for stronger protection of sensitive data and critical infrastructure."

HITRUST advocates for organisations, particularly in the healthcare and public health sectors, to evaluate and enhance their cybersecurity measures. Patrick concluded, "We encourage all organisations, especially those in the healthcare and public health sectors, to review the joint cybersecurity advisory and ensure that appropriate safeguards are in place, including the use of strong authentication methods, continuous monitoring, and proactive threat intelligence. HITRUST will continue to support these efforts by delivering the tools and resources necessary to meet the highest standards of information protection and compliance."