CISA issues advisory on Iranian brokers selling access to critical infrastructure

The advisory contains important guidelines on staying secure

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Iranian hackers are acting as Initial Access Brokers (IAB), selling access to critical infrastructure organizations in the West to the highest bidder.

Ajoint security advisoryrecently published by the US Cybersecurity and Infrastructure Agency (CISA), together with the FBI, NSA, the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ASCS), claims Iranian threat actors are actively engaged in brute force attacks (password spraying,MFApush bombing, and similar).

Since October 2023, these unnamed organizations have been targeting healthcare and public health (HPH) organizations, the government, information technology, engineering, and energy sectors.

CISA recommendations

CISA recommendations

Their goal is to obtainlogin credentials, and to map out the target victim’s infrastructure. They then establish persistence in various ways, including modifying MFA registrations.

This information is then sold on the dark web. “The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity,” the report says.

To defend against these attacks, CISA and friends suggest firms review IT helpdeskpassword managementrelated to initial passwords, password resets for user lockouts, and shared passwords. They should also disable user accounts and access to organizational resources for departing staff, implement phishing-resistant MFA, and continuously review MFA settings.

Furthermore, they should provide their employees basiccybersecurity training, track unsuccessful login attempts, and have users deny MFA requests they did not generate. Finally, they should ensure users with MFA-enabled accounts have appropriately set up MFA, ensure password policies that align with the latest NIST Digital Identity Guidelines, and meet the minimum password strength.

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

All of these are considered best cybersecurity practices, CISA concludes, “aimed at meaningfully reducing risks to both critical infrastructure operations and the American people.”

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

As if Intel didn’t have enough to worry about, Nvidia might be about to jump into the PC processor market