NSA, FBI release an advisory to take down on Iranian threat actors

The National Security Agency (NSA) have come together with the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA), to release a joint Cybersecurity Advisory to warn network defenders of malicious activity that can enable persistent access in sensitive systems. Since October 2023, Iranian cyber actors have used a technique known as brute force to compromise user accounts and obtain access to organizations to modify MFA registrations, enabling persistent access.

Once they have the access, the Iranian actors obtain additional credentials and sell the information to users on cybercriminal forums who conduct further malicious activities. The Iranian actors have on their target list multiple critical infrastructure sectors, including healthcare, government, information technology, engineering, and energy. 

“Our agencies are sharing detailed insight into this malicious cyber activity and what organizations can do to shore up their defenses,” said Dave Luber, NSA Cybersecurity Director. “We explain the tactics, techniques, and procedures used by the Iranian actors, as well as indicators of compromise.” 

To detect brute force activity such as password spraying, the report’s authors recommend reviewing authentication logs for system and application login failures of valid accounts and looking for multiple, failed authentication attempts across all the accounts. 

To mitigate against this activity, the CSA recommends measures such as implementing phishing-resistant multi factor authentication (MFA), continuously reviewing MFA settings, providing cybersecurity training to users, and ensuring password policies meet minimum password strength guidelines.

The other authoring agencies are the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC).