Iranian Hackers Sell Access to Compromised Networks
Researchers have warned that Iranian threat actors are breaching critical infrastructure organizations to collect credentials and network information, which they then sell to other criminals on hacker forums. Authorities in the United States, Canada, and Australia have reported that Iranian hackers are increasingly acting as access brokers. According to officials, these criminals use brute-force attacks to gain access to organizations in sectors such as healthcare and public health, government, information technology, engineering, and energy.
“Since October 2023, Iranian actors have been using brute-force methods, such as password spraying and push-bombing attacks against multi-factor authentication (MFA), to compromise user accounts and gain access to organizations,” a joint report states.
After the initial breach, the attackers aim to establish persistent access to the target network, often using brute-force techniques again. They then collect additional credentials, escalate privileges, and explore compromised systems and networks, allowing them to move laterally and identify further points of access and exploitation.
Remote Desktop Protocol (RDP) is commonly used for lateral movement within the network. In some cases the attackers deploy the binaries they need using PowerShell and Microsoft Word. Open-source tools are believed to be used to harvest additional credentials, for example by stealing Kerberos tickets.
To escalate privileges, hackers attempt to impersonate a domain controller, “likely by exploiting the CVE-2020-1472 vulnerability in Microsoft Netlogon (also known as Zerologon),” according to experts.
Authorities have not disclosed all the methods used in these attacks but report that, in some cases, hackers have used password spraying to access existing user and group accounts. Another mentioned technique is push-bombing, where attackers flood the target’s mobile device with MFA requests to exhaust the user until they approve a login attempt—either accidentally or to stop the notifications.
The report also notes that Iranian hackers have gained access to Microsoft 365, Azure, and Citrix environments using techniques the authorities have not been able to identify. After gaining access to an account, the attackers typically try to register their own devices in the organization's MFA system, which turns the stolen password into durable access that survives a password reset unless the rogue registration is also removed.
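The three behaviours described above (password spraying against many accounts, push-bombing a single user until a prompt is approved, and registering a new MFA device once in) each leave a recognisable shape in authentication logs. The following is an added detection example written for this article; it is not code from the advisory or from any vendor. The log format, the sample lines, and the thresholds (5 accounts per source, at most 2 failures per account, 4 prompts per user, a 30-minute window) are all constructed assumptions and should be tuned to the environment.

```python
"""Detect password spraying, MFA push-bombing and follow-up MFA device
registration in a simplified authentication log.

Added example, not part of the advisory.  Log line format is constructed:
    <ISO-8601 UTC timestamp> <EVENT> <user> <source ip> <result>
EVENT is LOGIN (result OK/FAIL), MFA_PUSH (APPROVE/DENY/TIMEOUT)
or MFA_REGISTER (OK).  Thresholds below are assumptions, not vendor defaults.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)

# Constructed sample log: one source sprays six accounts once each (plus a
# second try on bob), finds bob's password, bombs bob with pushes until he
# approves, then enrols a new MFA device.  alice's activity is benign noise.
SAMPLE_LOG = """\
2024-10-15T08:00:01Z LOGIN alice 203.0.113.7 FAIL
2024-10-15T08:00:09Z LOGIN bob 203.0.113.7 FAIL
2024-10-15T08:00:17Z LOGIN carol 203.0.113.7 FAIL
2024-10-15T08:00:25Z LOGIN dave 203.0.113.7 FAIL
2024-10-15T08:00:33Z LOGIN erin 203.0.113.7 FAIL
2024-10-15T08:00:41Z LOGIN frank 203.0.113.7 FAIL
2024-10-15T08:02:10Z LOGIN alice 198.51.100.5 FAIL
2024-10-15T08:02:30Z LOGIN alice 198.51.100.5 OK
2024-10-15T08:02:35Z MFA_PUSH alice 198.51.100.5 APPROVE
2024-10-15T08:05:40Z LOGIN bob 203.0.113.7 FAIL
2024-10-15T08:10:02Z LOGIN bob 203.0.113.7 OK
2024-10-15T08:10:05Z MFA_PUSH bob 203.0.113.7 DENY
2024-10-15T08:10:40Z MFA_PUSH bob 203.0.113.7 TIMEOUT
2024-10-15T08:11:15Z MFA_PUSH bob 203.0.113.7 DENY
2024-10-15T08:11:50Z MFA_PUSH bob 203.0.113.7 TIMEOUT
2024-10-15T08:12:25Z MFA_PUSH bob 203.0.113.7 TIMEOUT
2024-10-15T08:13:00Z MFA_PUSH bob 203.0.113.7 APPROVE
2024-10-15T08:20:00Z MFA_REGISTER bob 203.0.113.7 OK
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, ip, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "kind": kind, "user": user.lower(), "ip": ip, "result": result})
    return events


def detect_password_spray(events, min_users=5, max_per_user=2, window=WINDOW):
    """Spraying looks like one source, many accounts, few tries per account.
    The per-account cap is what separates it from a brute force of a single
    account (few users, many attempts), which most lockout policies catch.
    Returns {source_ip: max distinct accounts hit inside one window}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "LOGIN" and e["result"] == "FAIL":
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):                       # sliding time window
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[ip] = max(alerts.get(ip, 0), len(per_user))
    return alerts


def detect_push_bombing(events, min_prompts=4, window=WINDOW):
    """Push-bombing: a burst of MFA push prompts to one user.  Records the
    largest burst and the time of the first approval inside a burst, the
    moment the attacker gets what they wanted.
    Returns {user: {"prompts": n, "approved_at": datetime|None}}."""
    by_user = defaultdict(list)
    for e in events:
        if e["kind"] == "MFA_PUSH":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, pushes in by_user.items():
        pushes.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(pushes)):
            while pushes[end]["ts"] - pushes[start]["ts"] > window:
                start += 1
            burst = pushes[start:end + 1]
            if len(burst) < min_prompts:
                continue
            hit = alerts.setdefault(user, {"prompts": 0, "approved_at": None})
            hit["prompts"] = max(hit["prompts"], len(burst))
            approvals = [e["ts"] for e in burst if e["result"] == "APPROVE"]
            if approvals and hit["approved_at"] is None:
                hit["approved_at"] = approvals[0]
    return alerts


def registrations_after_bombing(events, bombing, window=WINDOW):
    """Follow-through: a new MFA device enrolled for a bombed account within
    `window` after the coerced approval.  Returns [(user, ip, iso_time)]."""
    out = []
    for e in events:
        if e["kind"] != "MFA_REGISTER" or e["user"] not in bombing:
            continue
        approved_at = bombing[e["user"]]["approved_at"]
        if approved_at is not None and timedelta(0) <= e["ts"] - approved_at <= window:
            out.append((e["user"], e["ip"], e["ts"].isoformat()))
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_password_spray(evs))
    bombed = detect_push_bombing(evs)
    print("push-bombed users:", bombed)
    print("rogue MFA registrations:", registrations_after_bombing(evs, bombed))
```

The three detections are deliberately chained: a spray source that later produces a successful login, a push burst on that account ending in an approval, and a device registration minutes later is a far stronger signal than any one of them alone, and the registration is the one that must be reverted or the password reset achieves nothing.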