Cybersecurity warning issued over Iranian infrastructure threats
A coalition of global agencies is raising urgent concerns about Iranian cyber threats targeting critical infrastructure, highlighting a dangerous shift toward more aggressive tactics. These warnings come alongside growing apprehension regarding unresolved vulnerabilities across various environments.
Ray Carney, research director at Tenable, notes a critical vulnerability found in Firefox. CVE-2024-9680 remains unresolved in almost 63% of environments and allows attackers to execute code by exploiting a 'use-after-free' in Animation timelines. Despite such technical vulnerabilities, Carney emphasises the human factor in cyber defence, highlighting that convincing employees to divulge credentials poses a significant risk, irrespective of the technical exploits used by attackers. "If an attacker can convince employees to hand over their credentials and access codes, it doesn't matter what vulnerabilities they exploit to gain access. The last and second to last line of defence is already out of their way."
Carney also points out the tactic known as 'push bombing', where users are inundated with Multi-Factor Authentication requests, often leading them to approve access out of frustration or error. "This tactic is also referred to as MFA fatigue." He advocates for phishing-resistant MFA to counter such tactics. In its absence, number matching—a system that requires users to input a code from an identity management system—is suggested as an alternative. The consequence of compromised system access can be severe, ranging from ransomware attacks to manipulating critical infrastructure that could result in power outages or water supply contamination. "This is a serious issue that critical infrastructure operators have a responsibility to their customers to resolve."
Gabrielle Hempel, Customer Solutions Engineer at Exabeam, observes a shift in the strategy of Iranian cyber operations, describing them as moving away from a 'low and slow' approach to more overt activities. This change coincides with rising global tensions and suggests that Iran's cyber agenda may be advancing toward a form of cyber warfare rather than purely financially motivated cybercrime.
Hempel highlights the rise of 'Initial Access Brokering' and the growing trend of Ransomware-as-a-Service. This model allows cybercriminals to purchase access to targeted systems, making attacks more accessible and potentially more lucrative. The perceived vulnerability of critical infrastructure makes it an attractive target, as the imperative of consistent operation leads organisations to pay ransoms to avoid prolonged disruptions.
Hempel explained, "If you can just buy the 'keys to the kingdom,' so to speak, why wouldn't you? Critical infrastructure can also be low-hanging fruit as far as the protection they have, which makes them an easy target. The profitability of attacks on critical infrastructure further incentivises attacks, as organisations can't afford downtime, making ransom payments a quick solution to get back up and running."
While brute force attacks are less frequent than phishing and social engineering, Hempel stresses the need for robust password policies and token-based MFA tools to deter such intrusions. Additionally, monitoring unsuccessful login attempts and using User and Entity Behaviour Analytics (UEBA) can aid in detecting unusual activities, especially when attackers attempt to obscure their locations.
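The two detections described above, push-bombing approvals after a run of refused MFA prompts and bursts of failed logins, as an added example in Python that is not code from the article, Tenable or Exabeam. The log format, the user names and addresses, and the window and threshold values are all constructed assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<time> <user> <event> <result> <ip>".
SAMPLE_LOG = """\
2024-10-20T08:00:01 alice password success 10.0.0.5
2024-10-20T08:00:03 alice mfa_push approved 10.0.0.5
2024-10-20T08:10:00 bob password success 203.0.113.9
2024-10-20T08:10:02 bob mfa_push denied 203.0.113.9
2024-10-20T08:10:40 bob mfa_push timeout 203.0.113.9
2024-10-20T08:11:15 bob mfa_push denied 203.0.113.9
2024-10-20T08:12:00 bob mfa_push approved 203.0.113.9
2024-10-20T09:00:00 carol password failure 198.51.100.7
2024-10-20T09:00:01 carol password failure 198.51.100.7
2024-10-20T09:00:02 carol password failure 198.51.100.7
2024-10-20T09:00:03 carol password failure 198.51.100.7
2024-10-20T09:00:04 carol password failure 198.51.100.7
"""

def parse_log(text):
    """Return (time, user, event, result, ip) tuples, oldest first."""
    rows = [line.split() for line in text.splitlines()]
    return sorted((datetime.fromisoformat(t), u, e, r, ip) for t, u, e, r, ip in rows)

def detect_push_bombing(events, window=timedelta(minutes=10), min_prompts=3):
    """{user: n} for users who approved a push after n >= min_prompts refused ones."""
    pushes = defaultdict(list)
    for ts, user, event, result, _ in events:
        if event == "mfa_push":
            pushes[user].append((ts, result))
    flagged = {}
    for user, items in pushes.items():
        for i, (ts, result) in enumerate(items):
            # refused = denied or timed-out prompts inside the window before this one
            refused = [t for t, r in items[:i] if r != "approved" and ts - t <= window]
            if result == "approved" and len(refused) >= min_prompts:
                flagged[user] = max(flagged.get(user, 0), len(refused))
    return flagged

def detect_failed_login_bursts(events, window=timedelta(minutes=5), threshold=5):
    """{user: peak} for users with >= threshold password failures in one window."""
    failures = defaultdict(list)
    for ts, user, event, result, _ in events:
        if event == "password" and result == "failure":
            failures[user].append(ts)
    flagged = {}
    for user, times in failures.items():
        for ts in times:  # count failures in the window ending at this failure
            n = sum(1 for t in times if t <= ts and ts - t <= window)
            if n >= threshold:
                flagged[user] = max(flagged.get(user, 0), n)
    return flagged
```

Both detectors return the peak count per flagged account, so the same logic can feed a UEBA-style baseline by lowering the thresholds for accounts that never normally see refused prompts or failed logins.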
The advisory underscores serious concerns over the cyber resilience of critical infrastructure worldwide. The merging of cybercriminal activities with potential state-sponsored cyber warfare tactics poses a significant threat to global security. Organisations entrusted with the operation of essential services face an increasingly complex security landscape and must take proactive measures to safeguard their systems and data from these sophisticated cyber threats.