

Multiple Adobe Products Vulnerabilities
October 17, 2024
Multiple F5 BIG-IP Products Vulnerabilities
October 17, 2024
Severity
High
Analysis Summary
Iranian threat actors are breaking into critical infrastructure organizations to obtain login credentials and network information, which they then sell on online marketplaces, funding further cyberattacks by other threat actors.
Government agencies in the U.S., Canada, and Australia assess that Iranian threat actors are acting as initial access brokers, breaking into organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors using brute-force methods. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory detailing the most recent tactics and techniques these actors use to breach networks and gather information that could provide additional points of access.
The Federal Bureau of Investigation (FBI), Communications Security Establishment Canada (CSE), National Security Agency (NSA), Australian Federal Police (AFP), and the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) co-authored the alert. Since October 2023, Iranian actors have gained access to enterprises by using brute-force techniques, including password spraying and multifactor authentication (MFA) "push bombing", to compromise user credentials.
Following the reconnaissance phase, the threat actors attempt to establish persistent access to the target network, frequently using brute-force methods. Follow-on activity gathers more credentials, escalates privileges, and builds knowledge of the compromised systems and network, which enables the actors to move laterally and locate further avenues of access and exploitation.
Government agencies have not identified every technique used in these attacks, but they have found that in some cases the threat actors use password spraying to gain access to valid user and group accounts. Another technique observed was MFA fatigue, also known as push bombing, in which the attackers flood a target's phone with MFA approval requests, hoping the user either approves a sign-in attempt by mistake or simply accepts one to stop the alerts.
The report adds that Iranian threat actors gained initial access to Microsoft 365, Azure, and Citrix environments through as-yet-unidentified techniques. After gaining access to an account, the threat actors usually attempt to register their own devices with the organization's MFA system. They then use the Remote Desktop Protocol (RDP) to move through the network, and have occasionally used PowerShell launched from Microsoft Word to deploy the binaries they need.
Although the method the Iranian attackers use to obtain additional credentials is unknown, they are believed to use open-source tools to dump Active Directory accounts or steal Kerberos tickets. According to the federal agencies, the attackers attempted to impersonate the domain controller by exploiting the Microsoft Netlogon privilege escalation vulnerability known as "Zerologon" (CVE-2020-1472).
In the analyzed attacks, the threat actor used the system's built-in tools (living off the land) to enumerate domain controllers, trusted domains, enterprise administrators, administrator lists, network computers, and the operating system and description of each. The joint advisory recommends that organizations review authentication logs for failed login attempts against valid accounts, looking across many accounts at once rather than one account at a time.
Whenever compromised credentials may be in use on virtual infrastructure, organizations should watch for so-called "impossible logins": sign-ins with changed usernames, user agents, or IP addresses that do not match the user's usual location. Further indicators of a possible intrusion are a single IP address being used for many accounts, or one account signing in from different locations at a frequency that would not allow the user to physically travel the distance between them.
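The detection guidance in the two paragraphs above (failed logins spread across many accounts, MFA prompt floods, and sign-ins that imply impossible travel) expressed as checks over a small log, as an added example that is not part of the advisory or of any agency tooling. The log format, the sample events, the IP-to-location table and the thresholds (four accounts in ten minutes, five prompts in five minutes, 900 km/h) are all assumptions constructed for this example.

```python
"""Detection checks for the sign-in patterns the advisory lists: password spraying
(one source, many accounts), MFA push bombing (many prompts for one account) and
impossible travel between successive logins. Log format, log lines and the
IP-to-location table are all constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed geolocation table: ip -> (lat, lon, label). Real code would use a GeoIP DB.
GEO = {
    "203.0.113.10": (38.9, -77.0, "Washington DC"),
    "198.51.100.7": (38.9, -77.1, "Washington DC suburb"),
    "192.0.2.55": (52.5, 13.4, "Berlin"),
}

# Constructed sample log: "<iso-time> <event> key=value ...", one event per line.
SAMPLE_LOG = """\
2024-10-16T08:00:00 login user=alice src=203.0.113.10 result=success
2024-10-16T08:30:00 login user=alice src=198.51.100.7 result=success
2024-10-16T09:00:00 login user=alice src=192.0.2.55 result=success
2024-10-16T09:01:00 login user=alice src=192.0.2.55 result=failure
2024-10-16T09:01:10 login user=bob src=192.0.2.55 result=failure
2024-10-16T09:01:20 login user=carol src=192.0.2.55 result=failure
2024-10-16T09:01:30 login user=dave src=192.0.2.55 result=failure
2024-10-16T09:05:00 mfa_push user=bob src=192.0.2.55 result=denied
2024-10-16T09:05:20 mfa_push user=bob src=192.0.2.55 result=denied
2024-10-16T09:05:40 mfa_push user=bob src=192.0.2.55 result=denied
2024-10-16T09:06:00 mfa_push user=bob src=192.0.2.55 result=denied
2024-10-16T09:06:20 mfa_push user=bob src=192.0.2.55 result=approved
2024-10-16T10:00:00 login user=carol src=203.0.113.10 result=failure
"""


def parse_line(line):
    """Turn one constructed log line into a dict; 'ts' becomes a datetime."""
    ts, event, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec.update(ts=datetime.fromisoformat(ts), event=event)
    return rec


EVENTS = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """{src_ip: accounts} for sources whose failed logins touch at least
    min_accounts distinct accounts within any window-long span."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "failure":
            failures[e["src"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged


def detect_push_bombing(events, window=timedelta(minutes=5), threshold=5):
    """Users who received at least threshold MFA push prompts within any window."""
    pushes = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in pushes.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.add(user)
                break
    return flagged


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_impossible_travel(events, geo=GEO, max_speed_kmh=900.0):
    """(user, from_ip, to_ip, km) for consecutive successful logins by one user
    whose implied speed exceeds max_speed_kmh (roughly airliner speed)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "success" and e["src"] in geo:
            by_user[e["user"]].append((e["ts"], e["src"]))
    hits = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            km = haversine_km(geo[ip1][:2], geo[ip2][:2])
            hours = (t2 - t1).total_seconds() / 3600.0
            # Same instant from two different places, or faster than any aircraft.
            if (hours == 0 and km > 1.0) or (hours > 0 and km / hours > max_speed_kmh):
                hits.append((user, ip1, ip2, round(km)))
    return hits
```

Run against the constructed log, the spray check flags 192.0.2.55 for four accounts in thirty seconds while the single failure from 203.0.113.10 stays below threshold, the push check flags bob, and the travel check flags alice's jump from the Washington suburb to Berlin in half an hour while her earlier short hop inside Washington passes. The windows and thresholds are starting points; tune them to the tenant's real failure rate before alerting on them.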
Impact
- Credential Theft
- Sensitive Data Theft
- Unauthorized Access
- Privilege Escalation
Indicators of Compromise
IP
- 95.181.234.25
- 46.246.3.196
- 188.126.94.166
- 46.246.8.53
- 154.16.192.37
- 191.96.150.96
- 191.96.150.21
- 95.181.235.8
- 46.246.122.185
- 46.246.3.233
- 188.126.89.35
MD5
- b27c2e0141bbb3a7907a5ec1863e1465
SHA-256
- 09407d2e3ac7d6af13c407d17ec8e51b6d1b1d8271df65ebd0b3ffbab420b2fe
SHA-1
- 1f96d15b26416b2c7043ee7172357af3afbb002a
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Educate potential targets on the risks associated with engaging in online conversations with unknown individuals, especially on social media platforms.
- Encourage individuals to use secure communication tools and platforms that offer end-to-end encryption to protect sensitive information.
- Conduct phishing awareness training to help users recognize and avoid social engineering attacks, such as deceptive messages and links.
- Advise users to enable MFA on their accounts to add an extra layer of protection against unauthorized access.
- Ensure that all devices and software used are up to date with the latest security patches to mitigate vulnerabilities.
- Train individuals to be cautious when interacting with unknown individuals online and to be vigilant about unusual or suspicious requests.
- Implement network monitoring and intrusion detection systems to detect any unauthorized access attempts or unusual activities.
- Recommend the use of secure messaging and communication platforms that offer end-to-end encryption and protect conversations from interception.