Iranian cyber actors have been using brute force attacks such as password spraying since October 2023 to access critical infrastructure networks, according to a joint cybersecurity advisory from U.S., Canadian and Australian government agencies.
The advisory authors, including the U.S. National Security Agency, Communications Security Establishment Canada and the Australian Federal Police, warned that the cyber actors modify the multifactor authentication of sensitive systems to maintain access to the networks of healthcare, government, IT, engineering, energy and other critical infrastructure sectors.
According to the document, having persistent access allows the hackers to steal additional credentials and other data and sell them to cybercriminals in online forums.
To detect and mitigate brute force activity, the advisory recommends:
- reviewing authentication logs, application login failures and MFA settings;
- implementing phishing-resistant MFA;
- providing cybersecurity training to users; and
- ensuring password policies meet minimum password strength guidelines.
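The first recommendation, reviewing authentication logs and MFA settings, can be turned into a concrete check. The following Python script is an added example and not part of the advisory or any agency tooling: it parses a constructed authentication log (the `timestamp event user= src=` layout, the event names and the thresholds are all assumptions for the example), flags sources that show the password-spraying shape described above (a small number of failures each against many distinct accounts inside a short window, which is what distinguishes spraying from an ordinary user mistyping a password), and then reports MFA-setting changes made from those same sources, the persistence behaviour the advisory warns about.

```python
"""Added example (not from the advisory): offline review of an auth log for
(1) password-spraying sources and (2) MFA changes made from those sources.
Log format, event names and thresholds are assumptions for this example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed layout: "<ISO timestamp> <event> user=<name> src=<ip>"
# 203.0.113.7 tries one password against five accounts, gets in as frank and
# changes frank's MFA; 198.51.100.5 is alice mistyping her own password twice.
SAMPLE_LOG = """\
2023-10-02T08:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2023-10-02T08:00:02 LOGIN_FAIL user=bob src=203.0.113.7
2023-10-02T08:00:03 LOGIN_FAIL user=carol src=203.0.113.7
2023-10-02T08:00:04 LOGIN_FAIL user=dave src=203.0.113.7
2023-10-02T08:00:05 LOGIN_FAIL user=erin src=203.0.113.7
2023-10-02T08:00:10 LOGIN_OK user=frank src=203.0.113.7
2023-10-02T08:02:00 MFA_CHANGE user=frank src=203.0.113.7
2023-10-02T09:00:00 LOGIN_FAIL user=alice src=198.51.100.5
2023-10-02T09:00:05 LOGIN_FAIL user=alice src=198.51.100.5
2023-10-02T09:00:09 LOGIN_OK user=alice src=198.51.100.5
"""


def parse_line(line):
    """Split one log line into a dict with ts, event, user and src."""
    ts, event, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": fields["user"], "src": fields["src"]}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_password_spray(events, min_users=5, max_per_user=2,
                          window=timedelta(minutes=30)):
    """Return source IPs whose login failures, inside any `window`-long span,
    hit at least `min_users` distinct accounts with at most `max_per_user`
    failures per account. Many users + few tries each is the spraying shape;
    one user + many tries is a lockout/typo pattern and is not flagged."""
    fails_by_src = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails_by_src[e["src"]].append(e)
    flagged = []
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # advance the window start until the span fits inside `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(f["user"] for f in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.append(src)
                break
    return flagged


def mfa_changes_from(events, sources):
    """Return (user, src) pairs for MFA setting changes made from any of the
    given sources, sorted by time. Pairing this with the spray list surfaces
    the 'modify MFA to keep access' behaviour the advisory describes."""
    wanted = set(sources)
    return [(e["user"], e["src"])
            for e in sorted(events, key=lambda e: e["ts"])
            if e["event"] == "MFA_CHANGE" and e["src"] in wanted]


def review(log_text):
    """Run both checks over a log and return (spray_sources, mfa_changes)."""
    events = parse_log(log_text)
    sprays = detect_password_spray(events)
    return sprays, mfa_changes_from(events, sprays)


if __name__ == "__main__":
    sprays, changes = review(SAMPLE_LOG)
    print("password-spray sources:", sprays)
    print("MFA changes from those sources:", changes)
```

The thresholds are deliberately conservative defaults; tune `min_users` and `window` to the size of the user base, and feed the same functions with real identity-provider exports once the `parse_line` layout is adapted to their field names.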
In February, American and British agencies warned against similar malicious activity by a Russian threat group seeking to infiltrate cloud environments. According to that joint advisory, the group is likely associated with the Russian foreign intelligence service. The document indicated that the cyber actors use automated system accounts and inactive accounts with weak cybersecurity as an entry point into cloud-based systems.