Multiple agencies have released a joint Cybersecurity Advisory warning network defenders of Iranian cyber actors’ use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health, government, information technology, engineering, and energy sectors. The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals.
The Australian Federal Police (AFP), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE) are all parties to the October 17 advisory.
Since October 2023, Iranian actors have used brute force, such as password spraying, and multi-factor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access.
The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access. The agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity.
The advisory provides the actors’ tactics, techniques, and procedures and indicators of compromise. The information is derived from FBI engagements with entities impacted by this malicious activity.
The authoring agencies recommend critical infrastructure organisations follow the provided mitigation guidance. At a minimum, organisations should ensure all accounts use strong passwords and register a second form of authentication.
Initial access and persistence
The actors use valid user and group email accounts, frequently obtained via brute force attacks such as password spraying although other times via unknown means, to obtain initial access to Microsoft 365, Azure, and Citrix systems. In some cases where push notification-based MFA was enabled, the actors send MFA requests to legitimate users seeking acceptance of the request. This technique – bombarding users with mobile phone push notifications until the user either approves the request by accident or stops the notifications, is known as MFA fatigue or push bombing.
Once the threat actors gain access to an account, they frequently register their devices with MFA to protect their access to the environment via the valid account:
In two confirmed compromises, the actors leveraged a compromised user’s open registration for MFA to register the actor’s own device to access the environment.
In another confirmed compromise, the actors used a self-service password reset tool associated with a public facing Active Directory Federation Services to reset the accounts with expired passwords and then registered MFA through Okta for compromised accounts without MFA already enabled.
The actors frequently conduct their activity using a virtual private network service. Several of the IP addresses observed in the actors’ malicious activity originate from exit nodes tied to the Private Internet Access VPN service.
The actors use Remote Desktop Protocol for lateral movement. In one instance, the actors used Microsoft Word to open PowerShell to launch the RDP binary mstsc.exe.
The actors likely use open-source tools and methodologies to gather more credentials. The actors performed Kerberos Service Principal Name (SPN) enumeration of several service accounts and received several Kerberos tickets. In one instance, the actors used the Active Directory Microsoft Graph Application Program Interface PowerShell application likely to perform a directory dump of all AD accounts. Also, the actors imported the tool DomainPasswordSpray.ps1, which is openly available on GitHub, likely to conduct password spraying. The actors also used the command Cmdkey /list, likely to display usernames and credentials.
In one instance, the actors attempted impersonation of the domain controller, likely by exploiting Microsoft’s Netlogon (also known as ‘Zerologon’) privilege escalation vulnerability (CVE-2020-1472).
The actors leverage living off the land (LOTL) to gain knowledge about the target systems and internal networks. The actors used the certain Windows command-line tools to gather information about domain controllers, trusted domains, lists of domain administrators, and enterprise administrators.
Detection
To detect brute force activity, the authoring agencies recommend reviewing authentication logs for system and application login failures of valid accounts and looking for multiple, failed authentication attempts across all accounts.
To detect the use of compromised credentials in combination with virtual infrastructure, the authoring agencies recommend following the steps:
- Look for impossible logins, such as suspicious logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the user’s expected geographic location;
- Look for one IP used for multiple accounts, excluding expected logins;
- Look for impossible travel. Impossible travel occurs when a user logs in from multiple IP addresses with significant geographic distance (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the period between the logins). Note: Implementing this detection opportunity can result in false positives if legitimate users apply VPN solutions before connecting into networks;
- Look for MFA registrations with MFA in unexpected locales or from unfamiliar devices;
- Look for processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the ntds.dit file from a domain controller;
- Look for suspicious privileged account use after resetting passwords or applying user account mitigations;
- Look for unusual activity in typically dormant accounts; and
- Look for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.
Mitigations
The authoring agencies recommend organizations implement the mitigations below to improve organisations’ cybersecurity posture based on the actors’ TTPs described in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals developed by CISA. The CPGs, which are organised to align to the National Institute of Standards and Technology Cybersecurity Framework, are a subset of cybersecurity practices, aimed at meaningfully reducing risks to both critical infrastructure operations and the American people.
These voluntary CPGs strive to help small- and medium-sized organisations kick start their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.
- Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT helpdesk password procedures may not align to company policy for user verification or password strength, creating a security gap. Avoid common passwords (e.g. “Spring2024” or “Password123!”);
- Disable user accounts and access to organizational resources for departing staff. Disabling accounts can minimize system exposure, removing options actors can leverage for entry into the system. Similarly, create new user accounts as close as possible to an employee’s start date;
- Implement phishing-resistant MFA;
- Continuously review MFA settings to ensure coverage over all active, internet facing protocols to ensure no exploitable services are exposed;
- Provide basic cybersecurity training to users covering concepts such as: detecting unsuccessful login attempts, having users deny MFA requests they have not generated; and ensuring users with MFA enabled accounts have MFA set up appropriately;
- Ensure password policies align with the latest NIST Digital Identity Guidelines. Meet the minimum password strength by creating a password using 8-64 nonstandard characters and long passphrases, when possible; and
- Disable the use of RC4 for Kerberos authentication.
These mitigations apply to critical infrastructure entities across sectors.
The authoring agencies also recommend software manufacturers incorporate secure by design principles and tactics into their software development practices to protect their customers against actors using compromised credentials, thereby strengthening the security posture of their customers.
You can read the full advisory here.
