Iranian Cyber Actors Target Critical Infrastructure with Credential Theft Campaigns
Iranian cyber actors have been targeting organizations across multiple critical infrastructure sectors, including healthcare, government, technology, engineering, and energy, since at least October 2023, according to a joint report by CISA, the FBI, and other government agencies. The primary objective of these attacks is to steal credentials and information describing the victim's network, which the actors then sell to cybercriminals to enable access. The attackers rely on brute-force tactics such as password spraying and multifactor authentication (MFA) push bombing, in which a user is flooded with MFA prompts until one is approved and access is granted. According to CISA, “The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals.”
Initial access is often gained through brute-force attacks on services like Microsoft 365, Azure, Citrix, Okta, and Active Directory Federation Services (ADFS). The attackers exploit vulnerabilities in these services to gain unauthorized access and, in some cases, reset expired passwords using Self-Service Password Reset (SSPR) tools. Once access is obtained, they frequently register their own MFA devices to maintain persistent access. They often hide their activity using VPN services, making it crucial for organizations to monitor for signs of "impossible travel" and unexpected MFA registrations.
For lateral movement, attackers use Remote Desktop Protocol (RDP) and the Microsoft Terminal Services Client (mstsc.exe), which are often launched via PowerShell scripts or triggered through Microsoft Word macros to avoid detection. They also perform Kerberos Service Principal Name (SPN) enumeration to steal credentials and escalate privileges. Notably, they have exploited the "Zerologon" vulnerability (CVE-2020-1472) to gain control over domain controllers, allowing them to spread through networks and access sensitive data. Using tools like DomainPasswordSpray.ps1, the actors execute password-spraying attacks across Active Directory environments and leverage native Windows commands (nltest, net) to query domain controllers, list trusted domains, and identify key accounts such as domain admins and enterprise admins.
Command-and-control (C2) infrastructure in these attacks often uses Cobalt Strike beacons, with outbound traffic masked through legitimate executables like msedge.exe. Data exfiltration is performed by downloading sensitive information from compromised user accounts, with the stolen data likely being sold to other malicious actors. To defend against these attacks, government agencies recommend enforcing strong password policies, implementing phishing-resistant MFA, and continuously reviewing MFA configurations to cover all internet-facing services. Monitoring for unusual login behaviors, such as impossible travel or suspicious account activity, is essential for early detection. Additionally, disabling outdated Kerberos authentication methods and adhering to CISA's Cross-Sector Cybersecurity Performance Goals can help strengthen organizational defenses.
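The three detection opportunities named above (a single source failing against many accounts during a password spray, "impossible travel" between successive sign-ins, and an MFA device registered from an address the user has never signed in from) can be checked with simple heuristics over sign-in and audit logs. The following is an added example written for this summary; it is not code from CISA, the FBI, or the advisory. The events are constructed, the IPs come from RFC 5737 documentation ranges, and the thresholds (30-minute window, 10 accounts, 900 km/h, 24-hour lookback) are assumed starting points to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


# Constructed sample events (not real telemetry). A real pipeline would
# build these from identity-provider sign-in and audit logs.
def _ev(time, kind, user, ip, result, lat=0.0, lon=0.0):
    return {"time": datetime.fromisoformat(time), "kind": kind, "user": user,
            "ip": ip, "result": result, "lat": lat, "lon": lon}


EVENTS = [
    # Baseline a week earlier: alice signs in from London, bob from New York.
    _ev("2024-06-03T08:00:00", "signin", "alice", "198.51.100.5", "success", 51.5074, -0.1278),
    _ev("2024-06-03T08:30:00", "signin", "bob", "198.51.100.20", "success", 40.7128, -74.0060),
    # alice mistypes once, succeeds, then registers a device from her usual address.
    _ev("2024-06-10T08:58:00", "signin", "alice", "198.51.100.5", "failure", 51.5074, -0.1278),
    _ev("2024-06-10T08:59:00", "signin", "alice", "198.51.100.5", "success", 51.5074, -0.1278),
    _ev("2024-06-10T09:10:00", "mfa_register", "alice", "198.51.100.5", "success", 51.5074, -0.1278),
    # bob signs in from New York, then "from Berlin" an hour later, and a new
    # MFA device is registered from the Berlin address minutes afterwards.
    _ev("2024-06-10T09:00:00", "signin", "bob", "198.51.100.20", "success", 40.7128, -74.0060),
    _ev("2024-06-10T10:00:00", "signin", "bob", "203.0.113.7", "success", 52.5200, 13.4050),
    _ev("2024-06-10T10:05:00", "mfa_register", "bob", "203.0.113.7", "success", 52.5200, 13.4050),
]
# Spray pattern: one source, twelve distinct accounts, one attempt each, a minute apart.
EVENTS += [_ev(f"2024-06-10T09:{i:02d}:00", "signin", f"user{i:02d}", "203.0.113.7",
               "failure", 52.5200, 13.4050) for i in range(12)]


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=10):
    """Return {ip: distinct_accounts} for sources whose failed sign-ins touched
    at least min_accounts distinct users within any span of length `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["kind"] == "signin" and e["result"] == "failure":
            failures[e["ip"]].append((e["time"], e["user"]))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        best = 0
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            hits[ip] = best
    return hits


def _km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (haversine, mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def detect_impossible_travel(events, max_kmh=900):
    """Return (user, prev_ip, cur_ip, kmh) for consecutive successful sign-ins
    from different addresses that would require travel faster than max_kmh."""
    per_user = defaultdict(list)
    for e in events:
        if e["kind"] == "signin" and e["result"] == "success":
            per_user[e["user"]].append(e)
    alerts = []
    for user, logins in per_user.items():
        logins.sort(key=lambda e: e["time"])
        for prev, cur in zip(logins, logins[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            # Floor at one minute so near-simultaneous logins don't divide by zero.
            hours = max((cur["time"] - prev["time"]).total_seconds() / 3600, 1 / 60)
            kmh = _km(prev["lat"], prev["lon"], cur["lat"], cur["lon"]) / hours
            if kmh > max_kmh:
                alerts.append((user, prev["ip"], cur["ip"], round(kmh)))
    return alerts


def detect_unexpected_mfa_registration(events, lookback=timedelta(hours=24)):
    """Flag MFA device registrations from an address the user had no successful
    sign-in from before the lookback window began (i.e. a brand-new source)."""
    alerts = []
    for reg in events:
        if reg["kind"] != "mfa_register":
            continue
        known = {e["ip"] for e in events
                 if e["kind"] == "signin" and e["result"] == "success"
                 and e["user"] == reg["user"] and e["time"] < reg["time"] - lookback}
        if reg["ip"] not in known:
            alerts.append((reg["user"], reg["ip"], reg["time"].isoformat()))
    return alerts


if __name__ == "__main__":
    print("password spray sources:", detect_password_spray(EVENTS))
    print("impossible travel:", detect_impossible_travel(EVENTS))
    print("unexpected MFA registrations:", detect_unexpected_mfa_registration(EVENTS))
```

On the constructed data the spray check reports 203.0.113.7 with 12 accounts, the travel check flags bob's New York to Berlin hop, and the MFA check flags bob's registration from the new address while leaving alice's untouched. Correlating the three (the spray source, the impossible-travel destination and the MFA registration address are the same IP) is what turns three weak signals into a high-confidence alert; in production, also exclude known corporate VPN egress addresses from the travel check and feed the registration check from the identity provider's audit log rather than the sign-in log.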