Brute force attacks are on the rise and constantly evolving. On October 16, 2024, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and partner agencies released a joint advisory (AA24-290A) warning organizations, especially those in critical infrastructure sectors, about ongoing brute force attacks by Iranian cyber actors. The actors' aim is to gain persistent access to organizational networks and to sell the stolen credentials and network information on criminal forums for other cybercriminals to exploit.
The actors used several brute force methods, the two most prominent being password spraying and MFA push bombing. The advisory shares the Tactics, Techniques, and Procedures (TTPs) the FBI observed while investigating victims, so that defenders can understand the activity and improve the measures that safeguard their data.
As with any attack, the actors first have to study their target, and the advisory assesses that they likely conduct reconnaissance to gather information that supports their goals. Once they gain access to an organization's systems, they perform further discovery, move laterally through the network, and download information that could assist them.
Password spraying is the most common method observed for gaining initial access, alongside other methods that have not been disclosed. It gives the actors access to Microsoft 365, Azure, and Citrix systems. The notable feature of this campaign is the exploitation of MFA. Although MFA is widely regarded as an extra layer of security, it is not impenetrable. The attackers know that many accounts will have MFA enabled, so they target it directly. The mode of MFA being targeted is the push notification, where the only action required from the user is to approve the request. Once password spraying yields a valid password, the attackers overwhelm the user with repeated MFA push requests, hoping the victim approves one by mistake or out of frustration or fatigue.
The FBI confirmed two cases where this succeeded, after which the attackers registered their own devices for MFA on the compromised accounts. In another case, the actors used a self-service password reset (SSPR) tool associated with a public-facing Active Directory Federation Services (ADFS) endpoint to reset accounts with expired passwords, and then registered MFA through Okta for accounts that did not already have MFA enabled. Most of this activity was carried out through a VPN service for anonymity. A wealth of open-source tools makes these steps easier for the actors, helping them gather further credentials and network information so that they can maintain persistence in the organization's network.
To detect these attacks, organizations are advised to review their authentication logs for suspicious activity such as repeated failed logins on valid accounts, one IP address attempting logins against multiple accounts, impossible travel (a user connecting from IP addresses in locations too far apart to reach in the elapsed time), MFA registrations from unexpected locations or devices, unusual activity on privileged accounts, and any activity on accounts that are normally dormant.
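The following is an added example, not code from the advisory or from the original post, showing how four of those signals can be checked over sign-in telemetry. The events, IP addresses, user names and the IP-to-location table are all constructed for the example (they follow the sequence the advisory describes: a spray from one IP, a burst of push prompts against the account whose password it found, a new MFA device registered from the attacker's location, and the real user signing in from the office soon after). Thresholds such as five accounts in fifteen minutes or five unanswered prompts in ten minutes are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple


class Event(NamedTuple):
    ts: datetime
    user: str
    ip: str
    country: str
    lat: float
    lon: float
    event: str   # "login" | "mfa_push" | "mfa_register"
    result: str  # "success" | "failure" | "approved" | "denied" | "timeout"


# Constructed IP-to-location table standing in for a GeoIP lookup (hypothetical addresses).
GEO = {
    "203.0.113.7": ("NL", 52.37, 4.90),      # attacker's VPN exit node
    "198.51.100.9": ("CA", 51.05, -114.07),  # corporate office in Calgary
}


def ev(ts, user, ip, event, result):
    country, lat, lon = GEO[ip]
    return Event(datetime.fromisoformat(ts), user, ip, country, lat, lon, event, result)


# Constructed sample telemetry (not real logs), in the order the advisory describes the attack.
# "login"/"success" here means the password was accepted; MFA outcomes are separate events.
SAMPLE_EVENTS = [
    # 1. One IP tries a single password against many accounts (password spraying).
    *[ev(f"2024-10-16T02:0{i}:00", f"user{i}@corp.example", "203.0.113.7", "login", "failure")
      for i in range(6)],
    # 2. The spray finds alice's password; the attacker then bombards her with push prompts.
    ev("2024-10-16T02:06:00", "alice@corp.example", "203.0.113.7", "login", "success"),
    *[ev(f"2024-10-16T02:{7 + i:02d}:00", "alice@corp.example", "203.0.113.7", "mfa_push", "timeout")
      for i in range(5)],
    ev("2024-10-16T02:12:00", "alice@corp.example", "203.0.113.7", "mfa_push", "approved"),
    # 3. With a session in hand, the attacker registers their own MFA device.
    ev("2024-10-16T02:13:00", "alice@corp.example", "203.0.113.7", "mfa_register", "success"),
    # 4. The real alice signs in from the office less than an hour later (impossible travel).
    ev("2024-10-16T02:53:00", "alice@corp.example", "198.51.100.9", "login", "success"),
    # Benign baseline: bob's normal morning sign-in.
    ev("2024-10-16T08:00:00", "bob@corp.example", "198.51.100.9", "login", "success"),
    ev("2024-10-16T08:01:00", "bob@corp.example", "198.51.100.9", "mfa_push", "approved"),
]

# Constructed per-user baseline of the countries each user normally signs in from.
KNOWN_COUNTRIES = {"alice@corp.example": {"CA"}, "bob@corp.example": {"CA"}}


def password_spray(events, min_accounts=5, window=timedelta(minutes=15)):
    """Source IPs whose login failures hit >= min_accounts distinct users inside `window`."""
    by_ip, hits = defaultdict(list), {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.event == "login" and e.result == "failure":
            by_ip[e.ip].append(e)
    for ip, fails in by_ip.items():
        for i, start in enumerate(fails):  # slide the window over chronological failures
            users = {f.user for f in fails[i:] if f.ts - start.ts <= window}
            if len(users) >= min_accounts:
                hits[ip] = users
                break
    return hits


def push_bombing(events, min_prompts=5, window=timedelta(minutes=10)):
    """Users who received >= min_prompts MFA pushes inside `window` that they did not approve."""
    by_user, hits = defaultdict(list), {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.event == "mfa_push" and e.result != "approved":
            by_user[e.user].append(e.ts)
    for user, times in by_user.items():
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= min_prompts:
                hits[user] = n
                break
    return hits


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=1000.0):
    """Consecutive successful logins by one user that would need > max_kmh to be genuine."""
    hits, last = [], {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.event != "login" or e.result != "success":
            continue
        if e.user in last:
            p = last[e.user]
            hours = (e.ts - p.ts).total_seconds() / 3600
            km = haversine_km(p.lat, p.lon, e.lat, e.lon)
            if hours > 0 and km / hours > max_kmh:
                hits.append((e.user, p.ip, e.ip, round(km / hours)))
        last[e.user] = e
    return hits


def unexpected_mfa_registration(events, known_countries):
    """MFA device registrations from a country outside the user's known baseline."""
    return [(e.user, e.country, e.ip) for e in events
            if e.event == "mfa_register" and e.country not in known_countries.get(e.user, set())]


if __name__ == "__main__":
    print("password spray     :", password_spray(SAMPLE_EVENTS))
    print("push bombing       :", push_bombing(SAMPLE_EVENTS))
    print("impossible travel  :", impossible_travel(SAMPLE_EVENTS))
    print("unexpected MFA reg.:", unexpected_mfa_registration(SAMPLE_EVENTS, KNOWN_COUNTRIES))
```

The four checks are independent, but they fire on the same account within minutes of each other, which is the pattern worth alerting on: a spray hit followed by unanswered pushes, then a registration from the spraying IP, is far stronger evidence than any one signal alone. In a real deployment the events would come from the identity provider's sign-in and audit logs and the country baseline from historical successful logins rather than a hard-coded table.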
In addition to detection, organizations should have mitigating measures in place: strong password management policies (including how the help desk handles initial passwords, resets, and shared accounts), proper provisioning and de-provisioning of users on hire, termination, or department change, continuous review of MFA settings so that every internet-facing service is covered, and phishing-resistant MFA such as FIDO2/WebAuthn security keys or PKI-based smart cards. An authenticator app is stronger than SMS codes but is not phishing-resistant, and push-notification MFA in particular is discouraged because it is exactly what push bombing exploits; where push cannot be removed, number matching should be enabled so that approving a prompt requires information only the legitimate user has. Finally, security awareness training underpins all of these controls: if employees are not educated about these attacks, how to recognize them (for example, an MFA prompt they did not initiate), and what to do when they spot one, the technical controls are far easier to defeat.
References
Boynton, Sean. "Iranian Hackers Target Critical Sectors with 'Brute Force,' U.S., Canada Say." Global News, 16 Oct. 2024, globalnews.ca/news/10814131/cybersecurity-iran-brute-force-canada-us/.
FBI, et al. "Iranian Cyber Actors' Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations." Cybersecurity and Infrastructure Security Agency (CISA), Advisory AA24-290A, 16 Oct. 2024, www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a.
Özeren, Sıla. "Iranian Cyber Actors' Brute Force and Credential Access Attacks: CISA Alert AA24-290A." Picus Security Blog, 18 Oct. 2024, www.picussecurity.com/resource/blog/cisa-alert-aa24-290a-iranian-cyber-actors-brute-force-and-credential-access-attacks.
Great post, Faizah! This is the first time I have heard about MFA push bombing and I found it very interesting! In the previous course, I wrote a blog post about how receiving MFA codes by SMS is vulnerable to a SIM swapping attack: https://wpsites.ucalgary.ca/jacobson-cpsc/2024/09/25/an-attack-on-two-factor-authentication/. I recommended using an authenticator app instead but it seems like even this method is prone to exploitation, depending on the implementation by the app developer. Many of the authenticator apps I use for work and my other accounts just use push notifications for authentication so they are potentially vulnerable. Hopefully the app developers will adapt to this new attack soon and I will make sure to be wary if I start receiving dozens of push notifications from my MFA apps.
MFA bombardment is a real issue, which is why Microsoft and other leading identity providers have implemented random number verification in their MFA solutions. It’s great to see them addressing this, though it seems like an obvious step they should have taken from the beginning. What do you think?
Yes, I definitely agree. However, using an authenticator app that requires a one-time code from the user might be a safer option to address the potential risks. The gold standard of MFA would be a type that is phishing-resistant. See here: https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
Nice work, Faizah! This is alarming, considering MFA adds the essential layer to secure authentication, which may not be as impermeable as we tend to believe, and attackers seem to have been able to find a way to penetrate this additional layer of security with ease. What concerns me more is that folks may click on the push notification out of "frustration or fatigue". Any employee in their senses should always be checking what is going on if they are not actively trying to log into their system. I acknowledge mistakes can happen, but in most successful penetration cases, the human factor has always stood out.
I definitely agree, which is why I am an advocate for security awareness training. All it takes most times is for an employee who is not informed to click on a suspicious link or, in this case, accept an MFA push request.
Hi Faizah, great post. It is very interesting to see just how many state actors are now targeting us using cyber attacks. I feel like it's now becoming a common part of everyday life to expect these attacks. The biggest issue I see with this is that all parties have basically agreed not to escalate. It feels like as long as it's a cyber attack, the targeted country just condemns it and then launches their own cyber attacks. It feels like most countries do not want to be the one to escalate to any physical conflict. My issue with this is that these state actors just keep escalating and targeting more and more crucial infrastructure, and I am not sure the target will ever respond more than just doing the same.
Definitely. These attackers are always evolving and it makes me worry about the future of cybersecurity. I saw a recent incident where some Chinese researchers broke the RSA encryption with a quantum computer. Although it had always been a speculation, it is crazy to see that it is now happening and this is worrisome for the future of data security.
I completely get what you’re saying, Faizah. It’s really unsettling how these attackers are always finding new ways to evolve. While it’s one thing to talk about the potential of quantum computing, seeing it happen for real is definitely concerning for our data security. Thanks for sharing such an insightful post!
I completely agree with you Abdul, about the cycle of cyberattacks and how countries seem reluctant to escalate things. It’s really concerning that these state actors are targeting critical infrastructure without facing serious consequences.
Hi Faizah, a very informative post you have here. You are correct about the importance of security awareness training. Technology alone is not enough to counter such sophisticated attacks. Employees have to be able to identify phishing scams as well as unwarranted MFA prompts so as not to be duped into tactics such as push bombing. Thank you for highlighting these real-life cyber issues!
Thanks for bringing this up.
With the aid of computing power, brute force is becoming simpler, and it shows the importance of various security measures. Push MFA fatigue errors can be avoided by using MFA with code input like Microsoft Authenticator. PAM can be deployed to solve password issues; at the very least, organizations need to incorporate a strong password policy with account lockout for suspicious attempts and velocity checks. Proper network segmentation can significantly reduce lateral movement.
Fantastic work, Faizah! Your study offers a thorough examination of the changing field of brute force assaults, with a special emphasis on MFA push bombing and password spraying. It successfully draws attention to how serious these threats are, particularly in view of the most recent FBI and CISA advice. Although MFA is widely regarded as a strong security feature, your work correctly highlights some of its possible drawbacks, particularly when it comes to push notification implementations. This emphasises how crucial it is to use phishing-resistant MFA techniques.