17 October 2024

Iranian hackers target critical infrastructure, selling network access data on cybercriminal forums

Since October 2023, Iranian cyber threat actors have ramped up attacks on critical infrastructure organizations, gaining unauthorized access and selling stolen credentials and network data on cybercrime forums, according to a joint advisory authored by security agencies from the US, Canada, and Australia.

The advisory details how Iranian hackers, acting as initial access brokers, use brute-force tactics, including password spraying and multifactor authentication (MFA) "push bombing," to breach networks and collect valuable data. Password spraying tries one or a few common passwords against many accounts rather than many passwords against one account, which keeps every account below its lockout threshold. Push bombing is a method where attackers who already hold a valid password repeatedly trigger MFA requests to the user, overwhelming them with notifications until they approve one by accident or out of frustration, granting the attackers access. Because the push is only sent after the first factor succeeds, a burst of denied or unanswered MFA prompts for an account is itself evidence that the account's password is compromised.
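The two behaviours described above leave distinct traces in sign-in logs: spraying shows up as one source failing against many accounts, push bombing as one account receiving many MFA prompts in a short span. The following is an added example (not code from the advisory or the reporting agencies) of both checks run over constructed sign-in records; the field layout, the outcome vocabulary (`bad_password`, `pw_ok`, `mfa_denied`, `mfa_timeout`, `mfa_approved`) and the thresholds are assumptions to be mapped onto whatever your identity provider actually logs.

```python
"""Detect password spraying and MFA push bombing in sign-in records.

Added example, not code from the advisory. The records below are constructed
and only imitate the fields of a cloud sign-in log (timestamp, account, source
IP, outcome); the outcome vocabulary and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, account, source_ip, outcome).
# Outcomes used here: bad_password, pw_ok (first factor accepted, MFA pending),
# mfa_denied, mfa_timeout, mfa_approved.
SAMPLE_EVENTS = [
    # one source tries a password against many accounts: spraying
    ("2024-10-01T08:00:01", "alice", "203.0.113.10", "bad_password"),
    ("2024-10-01T08:00:03", "bob",   "203.0.113.10", "bad_password"),
    ("2024-10-01T08:00:05", "carol", "203.0.113.10", "bad_password"),
    ("2024-10-01T08:00:07", "dave",  "203.0.113.10", "bad_password"),
    ("2024-10-01T08:00:09", "erin",  "203.0.113.10", "bad_password"),
    ("2024-10-01T08:00:11", "frank", "203.0.113.10", "pw_ok"),
    # one user mistyping a password and then logging in normally: benign
    ("2024-10-01T08:30:00", "grace", "198.51.100.7", "bad_password"),
    ("2024-10-01T08:30:20", "grace", "198.51.100.7", "pw_ok"),
    ("2024-10-01T08:30:40", "grace", "198.51.100.7", "mfa_approved"),
    # the sprayed password for frank now drives repeated MFA prompts
    ("2024-10-01T09:00:00", "frank", "203.0.113.10", "mfa_denied"),
    ("2024-10-01T09:00:30", "frank", "203.0.113.10", "mfa_timeout"),
    ("2024-10-01T09:01:00", "frank", "203.0.113.10", "mfa_denied"),
    ("2024-10-01T09:01:30", "frank", "203.0.113.10", "mfa_timeout"),
    ("2024-10-01T09:02:00", "frank", "203.0.113.10", "mfa_timeout"),
    ("2024-10-01T09:02:30", "frank", "203.0.113.10", "mfa_approved"),
]

MFA_PROMPT_FAILURES = {"mfa_denied", "mfa_timeout"}


def parse_events(rows):
    """Turn raw tuples into dicts with real datetimes, oldest first."""
    events = [{"ts": datetime.fromisoformat(ts), "user": user,
               "ip": ip, "outcome": outcome}
              for ts, user, ip, outcome in rows]
    return sorted(events, key=lambda e: e["ts"])


def _windows(evs, window):
    """Yield every trailing slice of time-sorted `evs` that fits in `window`."""
    start = 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        yield evs[start:end + 1]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Map source IP -> distinct accounts that failed a password from it inside
    one window, for IPs at or above `min_accounts`. Many accounts from one
    source is what separates spraying from a single user retrying."""
    by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "bad_password":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        peak = max(len({e["user"] for e in span}) for span in _windows(evs, window))
        if peak >= min_accounts:
            hits[ip] = peak
    return hits


def detect_push_bombing(events, window=timedelta(minutes=10), min_prompts=4):
    """Map account -> (failed_prompts, approved_after) for accounts that saw at
    least `min_prompts` denied or unanswered MFA prompts inside one window.
    `approved_after` is True when an approval closes that window, i.e. the user
    gave in and the attacker is now logged in, the case needing a response."""
    by_user = defaultdict(list)
    for e in events:
        if e["outcome"] in MFA_PROMPT_FAILURES or e["outcome"] == "mfa_approved":
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        best = (0, False)
        for span in _windows(evs, window):
            prompts = sum(1 for e in span if e["outcome"] in MFA_PROMPT_FAILURES)
            approved = span[-1]["outcome"] == "mfa_approved"
            if (prompts, approved) > best:
                best = (prompts, approved)
        if best[0] >= min_prompts:
            hits[user] = best
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("password spraying sources:", detect_password_spray(evs))
    print("push-bombed accounts:", detect_push_bombing(evs))
```

On the sample data the spray check reports `203.0.113.10` as having failed against five distinct accounts, while `grace`, who simply retyped her password, is not reported; the push-bombing check reports `frank` with five failed prompts followed by an approval. Number-matching MFA removes the "approve by accident" path and is the mitigation the advisory recommends, but the detection is still worth running because the prompts themselves reveal which passwords have been guessed.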

Once inside, the attackers leverage their access to perform detailed reconnaissance on compromised networks, collecting additional credentials and identifying vulnerable points that can be exploited later.

They have been observed targeting Microsoft 365, Azure, and Citrix systems, with some intrusions involving the modification of MFA registrations to maintain persistent access: in observed cases the actors registered their own device as an MFA method on a compromised account, so that subsequent MFA prompts were answered by the attacker rather than the user. A new MFA device registered for an account shortly after a suspicious sign-in is therefore one of the highest-value signals to alert on.

One of the techniques used by the attackers is Kerberos Service Principal Name (SPN) enumeration, which lists the service accounts in a domain and is the usual prelude to Kerberoasting: requesting service tickets for those accounts and cracking them offline to recover the accounts' passwords. In some cases, threat actors employed open-source tools like DomainPasswordSpray.ps1 from GitHub for password spraying attacks, and used the Microsoft Graph API via PowerShell to dump Active Directory accounts (Graph queries Entra ID, which in a hybrid tenant includes the accounts synchronized from on-premises Active Directory).
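SPN enumeration itself is an LDAP query that most domains do not audit, but the service-ticket requests that usually follow it are recorded as Windows Security Event ID 4769 on the domain controllers. The block below is an added example (not from the advisory) of the check a defender would run over those events; it assumes the enumeration is followed by a burst of TGS requests from one account, as Kerberoasting tools behave, and uses constructed 4769 records carrying only the fields the check needs. The window and service-count thresholds are assumptions.

```python
"""Flag likely Kerberoasting in Windows Security Event ID 4769 records.

Added example, not code from the advisory. It assumes that SPN enumeration is
followed by a burst of service-ticket (TGS) requests for the enumerated
accounts, which is how Kerberoasting tools behave. The events below are
constructed and carry only the 4769 fields the check needs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES tickets are 0x11 / 0x12


def rec(ts, user, service, enc, ip):
    """Build one constructed 4769 record with the real event field names."""
    return {"ts": ts, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": enc, "IpAddress": ip}


SAMPLE_4769 = [
    # one user account requesting RC4 tickets for six service accounts in 25 s
    rec("2024-10-02T10:00:00", "jdoe@CORP.LOCAL", "svc_sql",     "0x17", "::ffff:10.0.0.5"),
    rec("2024-10-02T10:00:05", "jdoe@CORP.LOCAL", "svc_web",     "0x17", "::ffff:10.0.0.5"),
    rec("2024-10-02T10:00:10", "jdoe@CORP.LOCAL", "svc_backup",  "0x17", "::ffff:10.0.0.5"),
    rec("2024-10-02T10:00:15", "jdoe@CORP.LOCAL", "svc_sp",      "0x17", "::ffff:10.0.0.5"),
    rec("2024-10-02T10:00:20", "jdoe@CORP.LOCAL", "svc_exch",    "0x17", "::ffff:10.0.0.5"),
    rec("2024-10-02T10:00:25", "jdoe@CORP.LOCAL", "svc_ldapsync","0x17", "::ffff:10.0.0.5"),
    # the same user's krbtgt renewal and a file-server host ticket: not roastable
    rec("2024-10-02T10:00:30", "jdoe@CORP.LOCAL", "krbtgt",      "0x12", "::ffff:10.0.0.5"),
    rec("2024-10-02T10:00:35", "jdoe@CORP.LOCAL", "FS01$",       "0x12", "::ffff:10.0.0.5"),
    # a normal user reaching two services over an hour with AES: benign
    rec("2024-10-02T11:00:00", "asmith@CORP.LOCAL", "svc_sql",   "0x12", "::ffff:10.0.0.9"),
    rec("2024-10-02T11:40:00", "asmith@CORP.LOCAL", "svc_web",   "0x12", "::ffff:10.0.0.9"),
]


def parse_4769(records):
    """Convert timestamps to datetimes and sort oldest first."""
    return sorted((dict(r, ts=datetime.fromisoformat(r["ts"])) for r in records),
                  key=lambda e: e["ts"])


def is_roastable(service_name):
    """krbtgt and machine accounts (names ending in $) have long random
    passwords that are not worth cracking, so tools skip them and so do we."""
    return service_name.lower() != "krbtgt" and not service_name.endswith("$")


def detect_kerberoasting(events, window=timedelta(minutes=5), min_services=5):
    """Map requesting account -> details of its busiest window, for accounts
    that requested tickets for at least `min_services` distinct roastable
    service accounts inside one window. `rc4` counts requests that forced
    RC4 (0x17), which Kerberoasting tools prefer because it cracks faster."""
    by_user = defaultdict(list)
    for e in events:
        if is_roastable(e["ServiceName"]):
            by_user[e["TargetUserName"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            services = {e["ServiceName"] for e in span}
            if best is None or len(services) > best["services"]:
                best = {
                    "services": len(services),
                    "rc4": sum(1 for e in span
                               if e["TicketEncryptionType"] == RC4_HMAC),
                    "sources": sorted({e["IpAddress"] for e in span}),
                }
        if best is not None and best["services"] >= min_services:
            hits[user] = best
    return hits


if __name__ == "__main__":
    for user, info in detect_kerberoasting(parse_4769(SAMPLE_4769)).items():
        print(f"{user}: {info['services']} service accounts, "
              f"{info['rc4']} RC4 tickets, from {', '.join(info['sources'])}")
```

The check deliberately ignores `krbtgt` and machine-account services so that ordinary host traffic does not inflate the count; on the sample it reports only `jdoe@CORP.LOCAL`, with six service accounts requested and all six tickets in RC4. In a real environment the RC4 count is the sharper signal: a domain whose service accounts are configured for AES should see almost no 0x17 tickets at all.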

The attackers also use "living off the land" (LOTL) techniques, relying on tools already present in the environment, such as built-in Windows and network utilities, rather than dropping malware. This lets their activity blend in with normal administration while they move laterally, escalate privileges, or exfiltrate data. In one instance, the intruders attempted to impersonate a domain controller, likely by exploiting the Netlogon privilege-escalation vulnerability CVE-2020-1472, commonly known as "Zerologon," which lets an attacker with network access to a domain controller reset its machine account password and take over the domain. Microsoft released the fix in August 2020, so a domain controller still exposed to it in 2024 is a finding in its own right.

According to the advisory, after breaching an organization's defenses, Iranian hackers frequently download sensitive files related to the organization's remote access systems or inventory, potentially for sale on dark web forums. The stolen credentials are believed to be sold to other cybercriminals, who can then launch their own attacks against the same organizations.

