Iranian Hackers Act as Brokers Selling Critical Infrastructure Access

Summary:
Iranian hackers are increasingly breaching critical infrastructure organizations to steal credentials and network data, which they sell on cybercriminal forums, enabling further cyberattacks by other threat actors. According to U.S., Canadian, and Australian government agencies, these hackers are acting as initial access brokers, using techniques like brute-force attacks and MFA "push bombing" to compromise sectors such as healthcare, public health, government, information technology, engineering, and energy. The advisory, co-authored by CISA, the FBI, NSA, and their counterparts in Canada and Australia, details the methods used by Iranian actors since October 2023. The attackers often begin by brute-forcing access to user accounts, then escalate their privileges and maintain persistence in the compromised network. Once inside, the hackers collect additional credentials, move laterally through the network, and look for other exploitation points, using open-source tools to steal Kerberos tickets or Active Directory credentials.

One notable technique is MFA fatigue or push bombing, where hackers flood a target's mobile device with access requests until the user approves, often out of frustration or by mistake. After gaining access, they typically register their own devices to the organization's MFA system, enabling them to maintain access. In one confirmed attack, the hackers used a compromised account to register their own devices through the MFA system. In another, they exploited a self-service password reset tool linked to Active Directory Federation Services to reset expired passwords, followed by registering for MFA on compromised accounts that lacked MFA protections.

The Iranian hackers then use tools like PowerShell, often opened through Microsoft Word, and protocols such as Remote Desktop Protocol to navigate the network. They also leverage known vulnerabilities like Microsoft’s Netlogon vulnerability CVE-2020-1472, also known as Zerologon, to impersonate domain controllers, allowing them to elevate privileges within the system. To evade detection, the attackers rely on living-off-the-land techniques, using tools and processes already available within the compromised environment to gather information about domain controllers, trusted domains, administrators, and other network resources. This stealthy behavior makes detection more challenging, but organizations are advised to look for unusual behaviors, such as repeated failed logins (brute-force attempts), abnormal MFA registrations, and geographic anomalies in login locations (impossible logins).

Security Officer Comments:
In a related case from August, a U.S. government advisory warned about an Iranian-based hacker known as "Br0k3r" (also called Pioneer Kitten, Fox Kitten, UNC757, Parisite, and Lemon Sandstorm) who sold full domain access and domain admin credentials to various organizations. Br0k3r worked with ransomware affiliates, receiving a share of the ransom payments, and targeted organizations such as schools, municipal governments, financial institutions, and healthcare facilities.

Suggested Corrections:
To detect these attacks, the joint advisory recommends that organizations review logs for signs of failed logins across multiple accounts, search for unusual MFA registrations, and watch for suspicious privileged account activity. The advisory also urges companies to monitor for unusual behavior in dormant accounts, check for signs of credential dumping, and scan for suspicious user agent strings, which may indicate bot activity. The advisory includes a detailed list of indicators of compromise, such as malicious file hashes, IP addresses, and devices used in the attacks, to help organizations strengthen their defenses. The government agencies also recommend adopting stronger security measures, such as enabling multifactor authentication across all accounts, implementing stronger password policies, monitoring network traffic for unusual patterns, and patching known vulnerabilities.
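As an added illustration of the detection guidance above (example code, not from the advisory or the article), the following Python runs three of the recommended checks over a constructed identity-provider log: a password spray (failed logins across several accounts from one source), MFA push bombing (a burst of prompts followed by an approval), and an MFA device registration tied to either. The log format, field names and thresholds are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider log, "time user source_ip event" (not real data).
RAW_LOG = """\
2024-10-16T02:00:01 alice 203.0.113.9 login_failed
2024-10-16T02:00:02 bob 203.0.113.9 login_failed
2024-10-16T02:00:03 carol 203.0.113.9 login_failed
2024-10-16T02:00:04 dave 203.0.113.9 login_failed
2024-10-16T02:00:05 dave 203.0.113.9 login_ok
2024-10-16T02:01:00 dave 203.0.113.9 mfa_prompt
2024-10-16T02:01:20 dave 203.0.113.9 mfa_prompt
2024-10-16T02:01:40 dave 203.0.113.9 mfa_prompt
2024-10-16T02:02:05 dave 203.0.113.9 mfa_approved
2024-10-16T02:03:00 dave 203.0.113.9 mfa_device_registered
2024-10-16T09:15:00 erin 198.51.100.7 login_failed
2024-10-16T09:15:10 erin 198.51.100.7 login_ok
2024-10-16T09:16:00 erin 198.51.100.7 mfa_prompt
2024-10-16T09:16:05 erin 198.51.100.7 mfa_approved
"""

def parse(raw):
    """One dict per log line, timestamps parsed, sorted by time."""
    rows = [dict(zip(("ts", "user", "src", "event"), l.split())) for l in raw.splitlines()]
    return sorted(({**r, "ts": datetime.fromisoformat(r["ts"])} for r in rows), key=lambda r: r["ts"])

def detect(rows, window=timedelta(minutes=5), min_users=3, min_prompts=3):
    """Single pass over time-ordered rows; returns (alert_kind, subject) tuples in order raised."""
    fails, prompts = defaultdict(list), defaultdict(list)   # per-source failures, per-user pushes
    sprayed, bombed, alerts = set(), set(), []
    for r in rows:
        ts, user, src, ev = r["ts"], r["user"], r["src"], r["event"]
        if ev == "login_failed":
            # Keep only this source's failures inside the window, then count distinct accounts.
            fails[src] = [f for f in fails[src] if ts - f[0] <= window] + [(ts, user)]
            if len({u for _, u in fails[src]}) >= min_users and src not in sprayed:
                sprayed.add(src)
                alerts.append(("password_spray", src))
        elif ev == "mfa_prompt":
            prompts[user] = [t for t in prompts[user] if ts - t <= window] + [ts]
        elif ev == "mfa_approved" and user not in bombed:
            # An approval that follows a burst of pushes is the push-bombing signature.
            if len([t for t in prompts[user] if ts - t <= window]) >= min_prompts:
                bombed.add(user)
                alerts.append(("mfa_push_bombing", user))
        elif ev == "mfa_device_registered" and (user in bombed or src in sprayed):
            alerts.append(("suspicious_mfa_registration", user))
    return alerts
```

Running `detect(parse(RAW_LOG))` flags the spraying source, the push-bombed user and that user's subsequent device registration, while the single failure and single prompt for the control account raise nothing.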

Link(s):
https://www.bleepingcomputer.com/ne...okers-selling-critical-infrastructure-access/

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a