Iranian Hackers Using 2FA Bypass, IP Camera Flaws
Iranian state-sponsored actors are reportedly using phishing campaigns that can bypass 2FA, potentially burning iOS zero-days amid current geopolitical tensions. The same threat actors are also exploiting authentication and command injection flaws in IP cameras, using them as pivot points for lateral movement within target networks.
The threat actor APT42, also known as Mint Sandstorm and linked to Iran's Islamic Revolutionary Guard Corps (IRGC), is a key group behind these campaigns. Their phishing operations frequently target high-value individuals in the U.S. and Israel, including government officials, journalists, and those working in defense and foreign policy. To bypass multi-factor authentication, these actors employ Adversary-in-the-Middle (AiTM) phishing kits that capture credentials and session cookies in real time. Another common tactic is "MFA fatigue," where attackers repeatedly send push notifications to a user's device, hoping the target will eventually accept one by accident to stop the alerts.

The IP camera campaign specifically targets devices from the manufacturers Hikvision and Dahua. Vulnerabilities being actively exploited include CVE-2017-7921 (an improper authentication flaw) and CVE-2021-33044 (an authentication bypass), alongside several command injection flaws. This digital reconnaissance is directly tied to kinetic military action, providing intelligence for targeting and for assessing battle damage. A similar pattern of compromising cameras to monitor missile strike impacts was observed during the Israel-Iran conflict in June 2025.

For detection engineering within the DoD Zero Trust framework, Splunk can identify these identity-based attacks. A specific analytic can be built to monitor Azure AD logs for 'UserLoggedIn' operations, flagging any user session that is concurrently active from more than one IP address, a strong indicator of an AiTM attack. To detect lateral movement from a compromised camera, Splunk rules should monitor for anomalous traffic originating from IoT network segments. Correlating this with Splunk User Behavior Analytics (UBA) can identify when a user account subsequently behaves abnormally, suggesting that the pivot from the compromised device to a user identity has occurred.
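The concurrent-IP sign-in analytic described above, written out as an added Python example rather than a Splunk search from the original article: it replays constructed audit records shaped like Office 365 'UserLoggedIn' entries, collapses known corporate egress ranges to a single label so VPN address rotation does not trip it, and flags any user signed in from more than one address inside a short window. The field names, accounts and IP ranges are constructed for illustration.

```python
"""Flag users whose 'UserLoggedIn' events come from more than one IP within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import json

# Constructed sample records shaped like Office 365 / Entra ID unified audit log entries (not real data).
SAMPLE_LOGS = [
    '{"CreationTime":"2025-06-15T08:00:12","UserId":"a.analyst@example.mil","Operation":"UserLoggedIn","ClientIP":"203.0.113.10"}',
    '{"CreationTime":"2025-06-15T08:03:40","UserId":"a.analyst@example.mil","Operation":"UserLoggedIn","ClientIP":"198.51.100.77"}',
    '{"CreationTime":"2025-06-15T08:05:01","UserId":"b.officer@example.mil","Operation":"UserLoggedIn","ClientIP":"203.0.113.10"}',
    '{"CreationTime":"2025-06-15T09:30:00","UserId":"b.officer@example.mil","Operation":"UserLoggedIn","ClientIP":"203.0.113.11"}',
    '{"CreationTime":"2025-06-15T08:06:00","UserId":"a.analyst@example.mil","Operation":"FileAccessed","ClientIP":"198.51.100.77"}',
]

def parse_logins(lines):
    """Return (timestamp, user, ip) tuples for sign-in events only, oldest first."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("Operation") != "UserLoggedIn":
            continue  # other operations are irrelevant to this analytic
        events.append((datetime.fromisoformat(rec["CreationTime"]), rec["UserId"], rec["ClientIP"]))
    return sorted(events)

def concurrent_ip_logins(lines, window=timedelta(minutes=15), trusted_nets=()):
    """Map each flagged user to the sorted set of source labels seen within one window.

    Addresses inside trusted_nets (e.g. corporate VPN egress) are normalised to the
    label 'corp-egress' so that rotation between corporate exits is not a finding,
    while a corporate exit plus an unknown address still is.
    """
    trusted = [ip_network(n) for n in trusted_nets]
    per_user = defaultdict(list)
    for ts, user, ip in parse_logins(lines):
        label = "corp-egress" if any(ip_address(ip) in n for n in trusted) else ip
        per_user[user].append((ts, label))
    findings = {}
    for user, logins in per_user.items():
        for i, (ts, label) in enumerate(logins):
            seen = {label}
            for later_ts, later_label in logins[i + 1:]:
                if later_ts - ts > window:
                    break  # logins are sorted, so nothing further is in-window
                seen.add(later_label)
            if len(seen) > 1:
                findings.setdefault(user, set()).update(seen)
    return {u: sorted(s) for u, s in findings.items()}
```

Tune the window to the tenant's real session behaviour; a 15-minute default is an assumption, and mobile carriers handing out new addresses mid-session are the usual false positive to baseline before alerting.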
These detection methods directly support the User and Device pillars of the DoD Zero Trust model. By continuously monitoring identity behaviors and device communications against a baseline, Splunk can provide the necessary visibility and analytics to enforce least-privilege access and verify every request, aligning with core Zero Trust principles.