Iranian hackers are aggressively trying to crack passwords in the health care, government, information technology, energy and engineering sectors, an advisory from U.S., Canadian and Australian cyber agencies said Wednesday.
The “brute force” attacks — which take a variety of forms — date to October of last year, according to the FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, the Communications Security Establishment Canada, Australian Federal Police and the Australian Cyber Security Centre.
While much of the recent attention on Iranian cyberattacks has focused on government-connected hackers targeting the U.S. elections, the purpose of the activity that the advisory highlights seems more criminal in nature.
“The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity,” the agencies wrote.
The tactics include lobbing a variety of common passwords at the targets, trial-and-error password attempts and multifactor authentication (MFA) “push bombing,” which involves “bombarding users with mobile phone push notifications until the user either approves the request by accident or stops the notifications,” according to the advisory.
The hackers conduct reconnaissance to identify potential victims and, after gaining access, often register compromised devices with MFA to retain that access. They then use that access to penetrate target systems more deeply, the agencies warned.
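As an added defender's example, not code from the advisory or the agencies, the following Python script runs simple detections for the two patterns described above over constructed authentication log lines: one source address failing logins against many different accounts in a short window (the spraying of common passwords) and a user receiving repeated MFA push prompts before finally approving one (push bombing). The log format, event names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample auth events, not taken from the advisory: "timestamp,event,user,source_ip".
SAMPLE_LOG = """\
2024-10-16T08:00:01,LOGIN_FAIL,alice,203.0.113.7
2024-10-16T08:00:03,LOGIN_FAIL,bob,203.0.113.7
2024-10-16T08:00:05,LOGIN_FAIL,carol,203.0.113.7
2024-10-16T08:00:07,LOGIN_FAIL,dave,203.0.113.7
2024-10-16T08:00:09,LOGIN_OK,erin,203.0.113.7
2024-10-16T09:15:00,MFA_PUSH_SENT,erin,203.0.113.7
2024-10-16T09:15:20,MFA_PUSH_DENIED,erin,203.0.113.7
2024-10-16T09:15:40,MFA_PUSH_SENT,erin,203.0.113.7
2024-10-16T09:16:10,MFA_PUSH_SENT,erin,203.0.113.7
2024-10-16T09:16:50,MFA_PUSH_APPROVED,erin,203.0.113.7
2024-10-16T10:00:00,LOGIN_FAIL,grace,198.51.100.9
2024-10-16T10:00:30,LOGIN_OK,grace,198.51.100.9
"""
def parse_events(text):
    """Parse CSV-style lines into (timestamp, event, user, source_ip) tuples."""
    return [(datetime.fromisoformat(ts), ev, user, ip)
            for ts, ev, user, ip in (line.split(",") for line in text.splitlines())]

def detect_password_spray(events, window_s=600, min_accounts=4):
    """{source_ip: distinct users} when one IP fails logins to >= min_accounts users within window_s."""
    fails = defaultdict(list)
    for ts, ev, user, ip in events:
        if ev == "LOGIN_FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()  # sliding window over this IP's failures in time order
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if (t - start).total_seconds() <= window_s}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged

def detect_push_bombing(events, window_s=300, min_pushes=3):
    """{user: pushes} when a user got >= min_pushes MFA pushes within window_s before approving one."""
    pushes = defaultdict(list)
    flagged = {}
    for ts, ev, user, _ in events:
        if ev == "MFA_PUSH_SENT":
            pushes[user].append(ts)
        elif ev == "MFA_PUSH_APPROVED":
            recent = [t for t in pushes[user] if (ts - t).total_seconds() <= window_s]
            if len(recent) >= min_pushes:
                flagged[user] = len(recent)
    return flagged
```

Thresholds are deliberately low so the constructed sample trips both rules; in production they should be tuned against baseline failure and push-prompt rates, and a single approval that follows a burst of prompts is the signal worth alerting on.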
Despite the hackers’ use of MFA push bombing, the agencies recommend that critical infrastructure organizations enable MFA and use strong passwords as a defense against the Iranian hackers.
Although the advisory is mum on whether the Iranian groups are connected to the government there, another U.S. intelligence advisory from August said that Tehran-sponsored hackers have been acting as access brokers for ransomware gangs, highlighting the Iranian connection between government and criminal aims. But the relationship isn’t always simpatico, as a recent ransomware attack on an Iranian IT vendor shows.