Iranian Hackers Breach Critical Infrastructure to Enable Future Cyberattacks

Iranian hackers are targeting critical infrastructure organizations to steal credentials and network data, which they later sell to enable other threat actors to launch cyberattacks. Government agencies across the U.S., Canada, and Australia warn that these hackers operate as initial access brokers, using brute-force attacks and other sophisticated techniques to infiltrate high-value sectors like healthcare, energy, information technology, and government institutions.

Methods of Initial Access

A joint cybersecurity advisory published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) details the tactics, techniques, and procedures (TTPs) employed by these threat actors. Brute force and password spraying are common entry points: the hackers systematically try commonly used passwords against accounts until one succeeds. They also deploy MFA push bombing—overwhelming users with repeated multi-factor authentication (MFA) requests until the victim approves access, often out of frustration.

The hackers prioritize persistent access to targeted networks. Once inside, they escalate privileges by collecting additional credentials and exploring the compromised system. Their reconnaissance allows them to move laterally across networks, uncovering other points of access and weak links.  

Targeted Platforms and Techniques

The advisory highlights attacks against Microsoft 365, Azure, and Citrix environments. In some cases, hackers leveraged compromised user accounts to register their own devices within the organization’s MFA system. In other confirmed breaches, hackers exploited self-service password reset (SSPR) tools tied to public-facing Active Directory Federation Services (ADFS), gaining control of expired accounts and enrolling their own MFA credentials through Okta.  

Moving through the network often involves Remote Desktop Protocol (RDP) sessions. Hackers deploy PowerShell scripts through tools like Microsoft Word, giving them further control. It remains unclear how additional credentials are harvested, but it is believed that open-source tools are used to steal Kerberos tickets and retrieve Active Directory account information.  

To elevate privileges, the attackers may attempt to impersonate the domain controller by exploiting vulnerabilities such as Microsoft’s Netlogon (CVE-2020-1472), also known as the Zerologon vulnerability. This privilege escalation gives them access to domain controllers, enterprise admin accounts, and the entire network’s architecture.  

Known Threat Actor Identified: Br0k3r

The report also identifies an Iranian-aligned threat actor known as Br0k3r—active in cybercriminal communities under the aliases Pioneer Kitten, Fox Kitten, Parisite, RUBIDIUM, and Lemon Sandstorm. Br0k3r has been linked to ransomware affiliates, offering domain control privileges and admin credentials for sale. These actors collaborate with ransomware operators, earning a share of ransom payments from compromised organizations, including healthcare facilities, municipal governments, and financial institutions.  

Detecting and Responding to Threats

The advisory recommends that organizations monitor their authentication logs closely for signs of brute-force attempts and failed logins. It advises looking for patterns such as:  

  • Multiple failed login attempts on valid accounts  
  • Impossible logins (e.g., logins from two geographically distant locations within a short period)  
  • Repeated login attempts from the same IP across multiple accounts  
  • MFA registrations from unexpected locations or unknown devices  

Cybersecurity teams should also monitor command-line arguments for credential dumping activity—such as attempts to access the ntds.dit file on domain controllers. Other red flags include unauthorized password resets through SSPR tools and abnormal activity in typically dormant accounts.
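The four log patterns listed above can be turned into concrete checks. The following Python script is an added example written for this article, not code from CISA or the advisory; it runs over a small set of constructed authentication events (the timestamps, user names, IP addresses, and city coordinates are all made up for illustration) and implements a sliding-window failed-login check, a same-IP-across-many-accounts check for password spraying, an impossible-travel check based on great-circle distance, and a check for MFA registrations from a location outside the user's assumed baseline.

```python
"""Detection checks for the authentication-log patterns named in the advisory.

Added example, not CISA's or the article's code. All events, IPs, and city
coordinates below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (timestamp, user, src_ip, geo-IP city, result, kind).
# kind is "login" or "mfa_register"; cities stand in for a geo-IP lookup.
SAMPLE_EVENTS = [
    ("2024-10-16T08:00:00", "alice", "203.0.113.5", "Denver", "failure", "login"),
    ("2024-10-16T08:00:05", "alice", "203.0.113.5", "Denver", "failure", "login"),
    ("2024-10-16T08:00:09", "alice", "203.0.113.5", "Denver", "failure", "login"),
    ("2024-10-16T08:00:12", "alice", "203.0.113.5", "Denver", "failure", "login"),
    ("2024-10-16T08:00:15", "alice", "203.0.113.5", "Denver", "failure", "login"),
    ("2024-10-16T08:01:00", "alice", "203.0.113.5", "Denver", "success", "login"),
    ("2024-10-16T08:30:00", "alice", "198.51.100.9", "Singapore", "success", "login"),
    ("2024-10-16T08:31:00", "alice", "198.51.100.9", "Singapore", "success", "mfa_register"),
    ("2024-10-16T09:00:00", "bob", "198.51.100.9", "Singapore", "failure", "login"),
    ("2024-10-16T09:00:02", "carol", "198.51.100.9", "Singapore", "failure", "login"),
    ("2024-10-16T09:00:04", "dave", "198.51.100.9", "Singapore", "failure", "login"),
    ("2024-10-16T09:00:06", "erin", "198.51.100.9", "Singapore", "failure", "login"),
    ("2024-10-16T10:00:00", "bob", "192.0.2.44", "Denver", "success", "login"),
]

# Assumed (lat, lon) per city, standing in for a geo-IP database.
CITY_COORDS = {"Denver": (39.74, -104.99), "Singapore": (1.35, 103.82)}

# Assumed per-user baseline of normal login cities (in practice built from history).
USER_BASELINE = {"alice": {"Denver"}, "bob": {"Denver"}}


def parse(raw_events):
    """Turn the raw tuples into dicts with parsed timestamps."""
    return [dict(ts=datetime.fromisoformat(t), user=u, ip=ip, city=c, result=r, kind=k)
            for t, u, ip, c, r, k in raw_events]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failures inside one sliding window."""
    per_user = defaultdict(list)
    for e in events:
        if e["kind"] == "login" and e["result"] == "failure":
            per_user[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def password_spraying(events, min_accounts=3, window=timedelta(minutes=10)):
    """Source IPs whose failures touch `min_accounts` distinct users within one window."""
    per_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "login" and e["result"] == "failure":
            per_ip[e["ip"]].append((e["ts"], e["user"]))
    flagged = set()
    for ip, attempts in per_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(events, max_speed_kmh=900):
    """Users with two successful logins whose implied speed exceeds an airliner's."""
    per_user = defaultdict(list)
    for e in events:
        if e["kind"] == "login" and e["result"] == "success":
            per_user[e["user"]].append(e)
    flagged = set()
    for user, logins in per_user.items():
        logins.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logins, logins[1:]):
            if prev["city"] == cur["city"]:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            dist = haversine_km(CITY_COORDS[prev["city"]], CITY_COORDS[cur["city"]])
            if hours == 0 or dist / hours > max_speed_kmh:
                flagged.add(user)
    return flagged


def suspicious_mfa_registrations(events, baseline=USER_BASELINE):
    """(user, city) pairs where an MFA device was registered outside the baseline."""
    return {(e["user"], e["city"]) for e in events
            if e["kind"] == "mfa_register" and e["city"] not in baseline.get(e["user"], set())}


def run_all(raw_events=SAMPLE_EVENTS):
    events = parse(raw_events)
    return {
        "failed_login_bursts": failed_login_bursts(events),
        "password_spraying": password_spraying(events),
        "impossible_travel": impossible_travel(events),
        "mfa_registrations": suspicious_mfa_registrations(events),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {sorted(hits) if hits else 'none'}")
```

On the constructed sample, alice's five rapid failures trip the brute-force check, the Singapore address trips the spraying check by failing against four different accounts in six seconds, alice's Denver-then-Singapore logins 29 minutes apart trip impossible travel, and her MFA enrollment from Singapore is reported because it falls outside her baseline. The thresholds are deliberately simple; a production deployment would tune them per tenant and feed the geo-IP lookup and baseline from real data.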

Recommended Mitigations

The advisory provides the following specific mitigations to combat the tactics and vulnerabilities exploited by these Iranian hackers:

  1. Strengthen Password Security:
    • Implement password policies that block weak and reused passwords.
    • Enforce account lockout policies after a predefined number of failed attempts to deter password spraying.
  2. Harden MFA Systems:
    • Limit the number of MFA requests a user can receive within a specific timeframe to prevent MFA push bombing.
    • Deploy number-matching or biometric-based MFA solutions to reduce the likelihood of accidental approvals.
  3. Monitor for Suspicious Account Activity:
    • Review logs for MFA registrations from unfamiliar devices and regions.
    • Track authentication attempts from new IPs or unusual geolocations that don’t match typical user behavior.
  4. Secure Self-Service Password Reset Tools (SSPR):
    • Disable SSPR for privileged accounts and apply stricter security checks, such as CAPTCHA or additional MFA steps.
    • Monitor Active Directory Federation Services (ADFS) for abnormal password reset activity.
  5. Limit and Monitor Remote Desktop Protocol (RDP) Usage:
    • Restrict RDP access to authorized IPs and implement network segmentation to minimize lateral movement.
    • Use RDP gateways and enforce multi-factor authentication for all remote access attempts.
  6. Patch Critical Vulnerabilities Promptly:
    • Apply patches for the Netlogon vulnerability (CVE-2020-1472) and other known vulnerabilities affecting domain controllers.
    • Conduct regular vulnerability scans to identify and patch unaddressed issues.
  7. Implement Endpoint Detection and Response (EDR) Solutions:
    • Deploy EDR tools to detect and block PowerShell abuse and unusual command-line activities.
    • Monitor for attempts to access or copy the ntds.dit file, which contains Active Directory credentials.
  8. Conduct Threat Hunting and Incident Response Drills:
    • Regularly audit privileged accounts and review domain controller activity for signs of escalation.
    • Perform tabletop exercises to ensure the incident response team is prepared for intrusion attempts.
  9. Restrict Open-Source Tool Use in the Environment:
    • Limit access to tools capable of Kerberos ticket manipulation or Active Directory exploitation.
    • Monitor for unauthorized installations of hacking tools and terminate suspicious processes immediately.

To further protect against these attacks, organizations should regularly patch vulnerabilities such as Netlogon and monitor for Indicators of Compromise (IOCs)—including suspicious IP addresses, malicious file hashes, and unauthorized device registrations.

To Sum Up

With Iranian hackers expanding their operations as initial access brokers, critical infrastructure sectors must remain vigilant. Their use of MFA push bombing, RDP exploitation, and credential theft presents an ongoing threat. By staying aware of these tactics and implementing proactive measures, organizations can safeguard against intrusions and prevent future cyberattacks. Enhanced monitoring, timely patching, and strict access controls are essential defenses in an evolving cybersecurity landscape.  

Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
