Cybersecurity Alert - Ongoing Threats From Iranian Cyber Actors

Impact: All Firms

On Oct. 16, 2024, the Cybersecurity & Infrastructure Security Agency (CISA) released Cybersecurity Advisory - AA24-290A, which provides threat actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Iranian cyber actors. In light of the historical proclivity of Iranian threat actors targeting the financial services industry, FINRA is sharing this information with member firms.

The CISA advisory states:

“Since October 2023, Iranian actors have used brute force, such as password spraying¹, and multifactor authentication (MFA) ‘push bombing’² to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access.”

There is currently no information indicating that member firms or the financial services industry are specifically being targeted; nevertheless, we have issued this Alert to inform member firms of certain actions associated with Iranian cyber threat actors and to encourage them to remain vigilant. FINRA reminds member firms that they should report any critical system or business operations disruptions, issues or outages to their Risk Monitoring Analyst.

For questions related to this Alert or other cybersecurity-related topics, contact the FINRA Cyber and Analytics Unit (CAU). Both the FBI and CISA urge you to promptly report cyber incidents to a local FBI Field Office, the FBI Internet Crime Complaint Center (IC3) at IC3.gov, or CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870).

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some questions may not be relevant due to certain firms’ business models, sizes, or practices.

If you would like to add or change who receives this email, please update your firm’s Chief Information Security Officer (CISO), Chief Compliance Officer (CCO) and/or Chief Risk Officer (CRO) contacts in FINRA Gateway.


¹ Password spraying is a type of brute force attack. In this attack, an attacker will brute force logins based on a list of usernames with default passwords on the application. For example, an attacker will use one password (say, Secure@123) against many different accounts on the application to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. https://owasp.org/www-community/attacks/Password_Spraying_Attack
² Push bombing (also known as push fatigue). Cyber threat actors bombard a user with push notifications until they press the “Accept” button, thereby granting the threat actor access to the network. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
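
Added example (not part of the FINRA Alert or the CISA advisory): a detection sketch for the two behaviors defined in the footnotes, run over constructed authentication events. The event names, tuple layout, thresholds and sample addresses are assumptions for illustration and would need mapping to a firm's own identity provider logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, source_ip, user, event)
def _t(minute, sec=0):
    return datetime(2024, 10, 16, 9, 0) + timedelta(minutes=minute, seconds=sec)

EVENTS = (
    # one source fails once against each of many accounts, then gets a hit
    [(_t(0, i * 20), "203.0.113.7", f"user{i:02d}", "login_fail") for i in range(12)]
    + [(_t(4, 10), "203.0.113.7", "user12", "login_ok")]
    # an ordinary user: three mistyped passwords, then one push, accepted
    + [(_t(1, i * 5), "198.51.100.20", "alice", "login_fail") for i in range(3)]
    + [(_t(2, s), "198.51.100.20", "alice", ev) for s, ev in ((0, "push_sent"), (10, "push_accepted"))]
    # user12 receives a burst of push prompts and finally accepts one
    + [(_t(5, i * 15), "203.0.113.7", "user12", "push_sent") for i in range(8)]
    + [(_t(7, 5), "203.0.113.7", "user12", "push_accepted")]
)

def detect_spraying(events, window=timedelta(minutes=10), min_users=10, max_per_user=2):
    """Flag source IPs failing against many distinct accounts, few tries each."""
    by_ip = defaultdict(list)
    for ts, ip, user, ev in sorted(events):
        if ev == "login_fail":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        for i, (start, _) in enumerate(fails):
            counts = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                counts[user] += 1
            # many accounts, low per-account count: stays under lockout limits
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[ip] = sorted(counts)
                break
    return flagged

def detect_push_bombing(events, window=timedelta(minutes=5), min_pushes=5):
    """Flag users who accept a push after a burst of prompts inside the window."""
    pushes, flagged = defaultdict(list), {}
    for ts, _ip, user, ev in sorted(events):
        if ev == "push_sent":
            pushes[user].append(ts)
        elif ev == "push_accepted":
            recent = [p for p in pushes[user] if ts - p <= window]
            if len(recent) >= min_pushes:
                flagged[user] = len(recent)
    return flagged
```

An account that appears in both results, or that registers a new MFA device shortly after being flagged, matches the sequence the advisory describes and warrants a credential reset and a review of its MFA registrations.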