CISA issues advisory on Iranian brokers selling access to critical infrastructure

Iranian hackers are acting as Initial Access Brokers (IAB), selling access to critical infrastructure organizations in the West to the highest bidder.

A joint security advisory recently published by the US Cybersecurity and Infrastructure Agency (CISA), together with the FBI, NSA, the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ASCS), claims Iranian threat actors are actively engaged in brute force attacks (password spraying, MFA push bombing, and similar).

Since October 2023, these unnamed organizations have been targeting healthcare and public health (HPH) organizations, the government, information technology, engineering, and energy sectors.

CISA recommendations

Their goal is to obtain login credentials, and to map out the target victim’s infrastructure. They then establish persistence in various ways, including modifying MFA registrations.

This information is then sold on the dark web. “The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity,” the report says.

To defend against these attacks, CISA and friends suggest firms review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared passwords. They should also disable user accounts and access to organizational resources for departing staff, implement phishing-resistant MFA, and continuously review MFA settings.

Furthermore, they should provide their employees basic cybersecurity training, track unsuccessful login attempts, and have users deny MFA requests they did not generate. Finally, they should ensure users with MFA-enabled accounts have appropriately set up MFA, ensure password policies that align with the latest NIST Digital Identity Guidelines, and meet the minimum password strength.

All of these are considered best cybersecurity practices, CISA concludes, “aimed at meaningfully reducing risks to both critical infrastructure operations and the American people.”