Author:
Kaustubh Jagtap, Product Marketing Director, SafeBreach
On October 16th, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) issued an urgent advisory warning security teams about the use of brute force and other techniques by Iranian threat actors to compromise critical infrastructure entities. Detailed information about this threat and the associated IOCs and TTPs can be found in Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations.
This blog will share an overview of the threat and our coverage for these threat actors. As a SafeBreach customer, you will have access to all the attacks listed below and more to validate your organizational security controls against these state-sponsored threat actors.
According to the advisory, Iranian threat actors have been observed consistently leveraging brute force techniques to obtain credentials and information about victim networks which is then sold to the highest bidder on the dark web. These attacks have been concentrated on organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.
The authoring agencies observed threat actors using techniques like password spraying and multifactor authentication (MFA) “Push bombing” since October 2023 to compromise user accounts and gain initial access to victim networks. To enable persistent, ongoing access, they were even observed modifying MFA registrations. Discovery was then performed on compromised victim networks to obtain credentials with higher levels of access and additional information about the victim network.
Initial Access and Persistence – These threat actors use illegally obtained valid user and group email accounts to obtain initial access to Microsoft 365, Azure, and Citrix systems. Where MFA is used for added authentication, these threat actors have been observed sending repeated MFA push notifications to legitimate users (known as push bombing) in the hope that the user either approves a request by accident or approves it simply to stop the notifications. If the legitimate user does approve the MFA request (by accident), the threat actors promptly register their own devices with MFA to retain access to the victim network through the stolen (yet valid) user account. These threat actors were also observed hiding their tracks using a Virtual Private Network (VPN).
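The two initial-access behaviors above, password spraying and MFA push bombing, both leave a recognizable shape in sign-in telemetry. The following is an added detection example written for this post, not SafeBreach code or anything from the advisory; the sign-in events, their field names and the thresholds are constructed assumptions that you would tune to your own identity provider's log format and baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry); field names are assumptions
# loosely modelled on a cloud identity provider's sign-in log.
SAMPLE_EVENTS = [
    # Password spray: one source address, five accounts, one failure each within five minutes
    *({"ts": f"2024-10-01T08:0{i}:00", "user": u, "src": "203.0.113.10", "result": "failure"}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])),
    # Push bombing: bob receives five MFA push challenges in four minutes and denies each
    *({"ts": f"2024-10-01T09:0{i}:00", "user": "bob", "src": "198.51.100.7", "result": "mfa_denied"}
      for i in range(5)),
    # Benign noise: a single mistyped password from carol's usual address
    {"ts": "2024-10-01T10:15:00", "user": "carol", "src": "192.0.2.44", "result": "failure"},
]


def load(events):
    """Parse ISO timestamps so the detectors can do time arithmetic."""
    return [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Source addresses whose failed logins cover >= min_users distinct accounts inside window."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_src[e["src"]].append((e["ts"], e["user"]))
    flagged = set()
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):          # sliding window over time-ordered failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if len({u for _, u in fails[start:end + 1]}) >= min_users:
                flagged.add(src)
                break
    return flagged


def detect_push_bombing(events, min_prompts=4, window=timedelta(minutes=5)):
    """Users who reject or ignore >= min_prompts MFA pushes inside window (push fatigue pattern)."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] in ("mfa_denied", "mfa_timeout"):
            by_user[e["user"]].append(e["ts"])
    flagged = set()
    for user, stamps in by_user.items():
        stamps.sort()
        if any(stamps[i + min_prompts - 1] - stamps[i] <= window
               for i in range(len(stamps) - min_prompts + 1)):
            flagged.add(user)
    return flagged
```

A push-bombing hit for a user followed shortly by a successful MFA approval and a new authenticator registration is the sequence the advisory describes, so the two detectors are most useful when correlated with MFA enrollment events.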
Lateral Movement – Remote Desktop Protocol (RDP) was used to move laterally in the victim networks. PowerShell was also used to launch the RDP binary mstsc.exe.
Additional Credential Access – These threat actors were observed using commonly available open-source tools to gather additional credentials and gain further access inside the victim networks. Kerberos Service Principal Name (SPN) enumeration of several service accounts was performed to obtain Kerberos tickets containing credential information. They also used the Active Directory (AD) Microsoft Graph API PowerShell application to perform a directory dump of all AD accounts. Password spraying and the command cmdkey /list were also observed, the latter used to steal and display usernames and passwords.
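The lateral movement and credential access behaviors above (PowerShell launching mstsc.exe, and cmdkey /list) are visible in ordinary process-creation telemetry. Below is an added example of rule logic over such events, written for this post rather than taken from SafeBreach or the advisory; the event record, its field names and the sample hosts and users are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record; constructed, field names are assumptions."""
    host: str
    user: str
    parent: str     # image name of the parent process
    image: str      # image name of the created process
    cmdline: str


# Constructed sample events, not real telemetry: ws01 shows the advisory's pattern,
# ws02 shows ordinary use of the same binaries.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "CORP\\bob", "powershell.exe", "mstsc.exe", "mstsc.exe /v:fs01"),
    ProcEvent("ws01", "CORP\\bob", "cmd.exe", "cmdkey.exe", "cmdkey /list"),
    ProcEvent("ws02", "CORP\\alice", "explorer.exe", "mstsc.exe", "mstsc.exe"),
    ProcEvent("ws02", "CORP\\alice", "cmd.exe", "cmdkey.exe", "cmdkey /add:fs01 /user:alice"),
]


def rule_powershell_launches_rdp(ev):
    """RDP client started by PowerShell instead of the desktop shell or a user click."""
    return ev.parent.lower() == "powershell.exe" and ev.image.lower() == "mstsc.exe"


def rule_cmdkey_list(ev):
    """cmdkey enumerating stored credentials; accepts /list or -list anywhere in the arguments."""
    if ev.image.lower() != "cmdkey.exe":
        return False
    return any(arg.lower() in ("/list", "-list") for arg in ev.cmdline.split()[1:])


RULES = {
    "powershell_launches_rdp": rule_powershell_launches_rdp,
    "cmdkey_list": rule_cmdkey_list,
}


def evaluate(events):
    """Return (host, user, rule) for each event that matches a rule, in input order."""
    return [(ev.host, ev.user, name)
            for ev in events for name, rule in RULES.items() if rule(ev)]


def correlate(hits):
    """Hosts where one user triggered more than one distinct rule, worth escalating first."""
    seen = {}
    for host, user, rule in hits:
        seen.setdefault((host, user), set()).add(rule)
    return {key for key, rules in seen.items() if len(rules) > 1}
```

Either rule alone will fire on some legitimate administration, which is why the correlation step groups hits by host and user before anyone is paged.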
Privilege Escalation – Threat actors were also observed impersonating the domain controller through the exploitation of Microsoft’s Netlogon privilege escalation vulnerability (CVE-2020-1472).
Discovery – Living off the land (LOTL) techniques were used to gain additional information about the victims’ internal network infrastructure. The following command-line tools and utilities were used to gain insight into the domain controllers:
Lightweight Directory Access Protocol (LDAP) queries were also used to search the AD for computer display names, operating systems, descriptions, and distinguished names.
Command and Control (C&C) – Threat actors used msedge.exe to make outbound connections to Cobalt Strike Beacon C&C infrastructure.
Data Collection and Exfiltration – The threat actors were observed downloading files related to gaining remote access to the organization and to the organization’s inventory, likely exfiltrating the files to further persist in the victim network or to sell the information online.
As soon as details were made available, the SafeBreach Labs team mapped existing attacks in the Hacker’s Playbook to this US-CERT alert. It is important to note that existing SafeBreach customers already had a comprehensive level of coverage against the tactics and techniques leveraged by the threat actors identified in the advisory. Please run or re-run the attacks listed below to ensure your environments are protected against these TTPs.
Existing IOC-Based Attacks Related to AA24-290A (Iranian Cyber Actors)
Existing Behavioral Attacks Related to AA24-290A (Iranian Cyber Actors)
NOTE – FBI, CISA, and NSA recommend continually validating your security program, at scale, in a production environment to ensure optimal performance against the growing threat of advanced cyber attacks. Additional recommendations can be found in the advisory (linked below):