Intelligence agencies: ‘Be aware of brute force attacks and push bombing’

The FBI, the NSA, the Cybersecurity and Infrastructure Security Agency (CISA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are warning businesses and organizations that operate in critical infrastructure to be on the alert for brute force attacks and so-called ‘push bombing’ attacks.
In a joint cybersecurity advisory they say that Iranian cyber actors are focusing on obtaining login credentials and information on their victims’ networks. They gather this data to sell it to cybercriminals and provide them access to vulnerable corporate networks.
“Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations,” the intelligence agencies from the United States, Canada and Australia state. Once in, they use this access for lateral movement, privilege escalation and data exfiltration.
In a brute force attack, hackers use specialized software to enter an unlimited number of username and password combinations until a match is found. These credentials are often obtained through previous data leaks at companies and organizations, or are simply purchased on the dark web.
Password spraying is when a hacker tries to take over an account by entering frequently used passwords. To avoid being caught, the attacker tries the same password on multiple accounts. If that password does not work on any account, the attacker moves on to a second password. If this one doesn’t work either, a third password follows, and so on, until there’s a match. By spreading the attempts across accounts this way, the attacker avoids getting any account blocked and stays unnoticed.
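From the defender's side, the pattern described above shows up as one source failing against many different accounts while no single account collects enough failures to lock. The following Python example is added here for illustration and is not taken from the advisory or the original article; the event format, function name, thresholds and sample events are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, result).
# 203.0.113.7 tries each account once; 198.51.100.9 is one user mistyping.
SAMPLE_EVENTS = [
    ("2024-10-16T09:00:05", "203.0.113.7", "alice", "FAIL"),
    ("2024-10-16T09:02:10", "203.0.113.7", "bob", "FAIL"),
    ("2024-10-16T09:04:00", "203.0.113.7", "carol", "FAIL"),
    ("2024-10-16T09:05:30", "198.51.100.9", "bob", "FAIL"),
    ("2024-10-16T09:05:40", "198.51.100.9", "bob", "FAIL"),
    ("2024-10-16T09:05:55", "198.51.100.9", "bob", "OK"),
    ("2024-10-16T09:06:15", "203.0.113.7", "dave", "FAIL"),
    ("2024-10-16T09:08:20", "203.0.113.7", "erin", "FAIL"),
    ("2024-10-16T09:10:45", "203.0.113.7", "frank", "FAIL"),
    ("2024-10-16T11:00:00", "203.0.113.7", "grace", "FAIL"),
]

def detect_spraying(events, window=timedelta(minutes=30), min_accounts=5):
    """Flag sources whose failed logins hit at least `min_accounts` distinct
    usernames inside a sliding `window`. Per-account lockout counters miss
    this, because each account sees only a few failures."""
    by_source = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            by_source[src].append((datetime.fromisoformat(ts), user))

    findings = {}
    for src, fails in by_source.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Drop failures that fell out of the window ending at fails[end].
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            best = len(findings.get(src, {}).get("accounts", []))
            if len(per_user) >= min_accounts and len(per_user) > best:
                findings[src] = {
                    "accounts": sorted(per_user),
                    "max_failures_per_account": max(per_user.values()),
                }
    return findings

if __name__ == "__main__":
    for src, info in detect_spraying(SAMPLE_EVENTS).items():
        print(src, info)
```

A low `max_failures_per_account` next to a long account list is the signal to look for: the source stayed under any lockout threshold while still touching many accounts.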
‘Push bombing’ is also known as ‘MFA fatigue’. In this scenario, an attacker has the target’s login credentials, but not the multi-factor authentication code needed to complete the login procedure. To obtain it, hackers keep sending login requests to the victim until the victim gets fed up with the login attempts and approves one of them. The attackers then not only have access to the victim’s account, but also register their own devices with MFA to enable persistent access.
According to the intelligence agencies, there are several cases in which hackers successfully compromised businesses and organizations that operate in critical infrastructure.
That’s why the authorities provide several recommendations to help organizations prevent and detect cyberattacks on their corporate networks, such as password resets for user lockouts and shared accounts, disabling user accounts and access for departing staff members, providing basic cybersecurity training to employees, and implementing password policies to avoid creating security gaps.