Iranian cybercriminals are using brute force to gain access to organizations across multiple critical infrastructure sectors, global cyber officials said in a Wednesday joint cybersecurity advisory.
The FBI, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and partner agencies in Canada and Australia warned network defenders that Iranian attackers have targeted organizations in the healthcare, government, IT, engineering and energy sectors since October 2023.
Brute force techniques observed during these attacks include password spraying and multifactor authentication (MFA) push bombing. The Iranian threat actors use compromised but valid user and group email accounts to gain initial access to Microsoft 365, Azure and Citrix systems, officials said.
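As an added example (not from the advisory or this article), the following heuristics are what a defender might run over sign-in logs to surface the two techniques named above: password spraying (one source failing against many accounts with few tries each) and MFA push bombing (many denied push prompts for one user in a short window). The log format, field names, sample events and thresholds are all assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample sign-in events (not real data): (ISO timestamp, user, source IP, result).
SAMPLE_EVENTS = [
    ("2024-10-16T08:00:01", "alice", "203.0.113.7", "FAIL_PASSWORD"),
    ("2024-10-16T08:00:09", "bob", "203.0.113.7", "FAIL_PASSWORD"),
    ("2024-10-16T08:00:17", "carol", "203.0.113.7", "FAIL_PASSWORD"),
    ("2024-10-16T08:00:25", "dave", "203.0.113.7", "FAIL_PASSWORD"),
    ("2024-10-16T08:00:33", "erin", "203.0.113.7", "FAIL_PASSWORD"),
    ("2024-10-16T08:05:00", "dave", "198.51.100.4", "FAIL_PASSWORD"),  # one user mistyping
    ("2024-10-16T09:10:00", "bob", "203.0.113.7", "MFA_PUSH_DENIED"),
    ("2024-10-16T09:11:30", "bob", "203.0.113.7", "MFA_PUSH_DENIED"),
    ("2024-10-16T09:13:00", "bob", "203.0.113.7", "MFA_PUSH_DENIED"),
    ("2024-10-16T09:14:45", "bob", "203.0.113.7", "MFA_PUSH_DENIED"),
]

def window_groups(stamped, window):
    """For each (iso_ts, key) pair in time order, yield the keys seen within `window` after it."""
    stamped = sorted((datetime.fromisoformat(ts), key) for ts, key in stamped)
    for i, (start, _) in enumerate(stamped):
        yield [key for ts, key in stamped[i:] if ts - start <= window]

def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Source IPs failing against many distinct accounts, few tries each (breadth, not depth)."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL_PASSWORD":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        for users in window_groups(fails, window):
            counts = Counter(users)
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[ip] = sorted(counts)
                break
    return flagged

def detect_push_bombing(events, window=timedelta(minutes=10), min_prompts=4):
    """Users who deny many MFA push prompts in a short window (push-fatigue attempt)."""
    denials = defaultdict(list)
    for ts, user, _ip, result in events:
        if result == "MFA_PUSH_DENIED":
            denials[user].append((ts, user))
    flagged = {}
    for user, prompts in denials.items():
        for group in window_groups(prompts, window):
            if len(group) >= min_prompts:
                flagged[user] = len(group)
                break
    return flagged
```

The single-user failure from 198.51.100.4 is deliberately left unflagged, since a spray is distinguished by breadth across accounts rather than repeated failures against one.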
The international joint advisory comes a little more than a month after the FBI and CISA issued a joint warning about Iran collaborating with criminal ransomware groups to attack key industries in the U.S. and other countries.
The threat actors frequently modified MFA registrations to enable persistent access and then searched the compromised networks to steal additional credentials or identify other potential points of access, officials said in the advisory.
U.S., Canadian and Australian cyber authorities said the Iranian actors sell these credentials and other information on cybercriminal forums for additional malicious activity.
In two confirmed attacks, officials said the Iranian threat actors used a compromised user’s open registration for MFA to register their own device.
“In another confirmed compromise, the actors used a self-service password reset tool associated with a public facing Active Directory Federation Service to reset the accounts with expired passwords and then registered MFA through Okta for compromised accounts without MFA already enabled,” officials said in the advisory.
Authorities said the malicious activity is often conducted via a VPN, paired with the use of Remote Desktop Protocol (RDP) for lateral movement.