U.S. security agencies joined with international counterparts today to warn about a year-old Iranian campaign that uses brute-force attacks and other techniques to compromise critical infrastructure, access that the threat actors then sell to cybercriminals.
The Iran brute-force attacks campaign targets the healthcare and public health (HPH), government, IT, engineering, and energy sectors, according to an advisory from the FBI, CISA, NSA and Canadian and Australian cybersecurity agencies.
The agencies said their findings drive home the point that organizations “should ensure all accounts use strong passwords and register a second form of authentication.”
The advisory comes just a week after CISA and the FBI warned that Iranian threat actors were targeting political organizations in an effort to undermine confidence in U.S. democratic institutions. Reports also emerged in August that Iran-linked threat actors were selling critical infrastructure access to ransomware groups.
Iranian Threat Actor Attack Techniques
Since October 2023, Iranian threat actors have been using brute-force attacks, such as password spraying and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations, the security agencies said.
The actors often modify MFA registrations to enable persistent access, then probe compromised networks for additional credentials, elevated privileges and information that could lead to further access.
“The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals,” the agencies wrote, noting that their information was “derived from FBI engagements with entities impacted by this malicious activity.”
The threat actors likely conduct reconnaissance operations to target victims, then gain persistent access to networks via brute force.
Microsoft 365, Azure, Citrix Targeted
The hackers use valid user and group email accounts, often obtained via password spraying, “although other times via unknown methods,” to obtain initial access to Microsoft 365, Azure, and Citrix systems, the agencies said.
If push notification-based MFA is enabled, the actors send MFA requests to legitimate users hoping they’ll accept the request in “MFA fatigue” and “push bombing” attacks.
Once the threat actors gain access to an account, they often register their devices with MFA to protect their access via the valid account. In two confirmed compromises, the actors leveraged a compromised user’s open registration for MFA to register the threat actor’s own device to access the environment.
In another case, the actors used a self-service password reset (SSPR) tool connected to a public-facing Active Directory Federation Service (ADFS) to reset the accounts with expired passwords and then registered MFA through Okta for compromised accounts that didn’t already have MFA enabled.
The actors often use a VPN service; several of the IP addresses linked to malicious activity originated from exit nodes tied to the Private Internet Access VPN service.
The threat actors use Remote Desktop Protocol (RDP) for lateral movement. In one case they used Microsoft Word to open PowerShell to launch the RDP binary mstsc.exe.
To obtain credentials, the threat actors performed Kerberos Service Principal Name (SPN) enumeration of several service accounts and received Kerberos tickets. In another case, they used the Active Directory (AD) Microsoft Graph Application Program Interface (API) PowerShell application, likely to perform a directory dump of all AD accounts. Also, the actors imported the tool DomainPasswordSpray.ps1, which is openly available on GitHub, likely to conduct password spraying. The threat actors also used the command Cmdkey /list to display usernames and credentials.
The actors used living off the land (LOTL) techniques such as Windows command-line tools to gather information about domain controllers, trusted domains, domain administrators, and enterprise administrators. They also used a Lightweight Directory Access Protocol (LDAP) query in PowerShell to search Active Directory for computer display names, operating systems, descriptions, and distinguished names.
Indicators of Compromise in Iran Brute-Force Attacks
To detect brute-force activity, the agencies recommend reviewing authentication logs and virtual infrastructure for indicators of account compromise and brute-force attacks:
- system and application login failures of valid accounts
- multiple failed authentication attempts across all accounts
- suspicious logins with changing usernames
- logins from unusual IP address combinations, or from IP addresses that do not align with a user’s geographic location
- a single IP used for multiple accounts
- signs of “impossible travel” (provided legitimate users aren’t using VPNs)
- MFA registrations in unexpected locations or from unfamiliar devices
- suspicious privileged account use after resetting passwords or applying user account mitigations
- unusual activity in typically dormant accounts
- unusual user agent strings that may indicate bot activity
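As an added illustration of how three of the indicators above can be checked programmatically (this is example code written for this article, not tooling from the advisory or from the agencies), the script below runs three heuristics over a constructed authentication log: one source address failing against many accounts (password spraying, “a single IP used for multiple accounts”), repeated MFA push denials ending in an approval (“push bombing”), and successive logins whose implied speed is not physically possible (“impossible travel”). The event schema, the thresholds (three accounts, three denied pushes, 900 km/h) and the coordinates are assumptions; the documentation-range address 203.0.113.5 stands in for a hostile source. As the list notes, the travel check produces false positives for users who legitimately connect through VPN exit nodes.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt


def ev(t, user, ip, result, mfa="", lat=0.0, lon=0.0):
    """Build one constructed authentication event (hypothetical schema)."""
    return {"t": datetime.fromisoformat(t), "user": user, "ip": ip,
            "result": result, "mfa": mfa, "lat": lat, "lon": lon}


# Approximate (lat, lon) for New York, Boston and Tehran, used only as sample geo data.
NYC, BOS, THR = (40.7128, -74.0060), (42.3601, -71.0589), (35.6892, 51.3890)

# Constructed sample log, not data from the advisory.
EVENTS = [
    # One source, one failure per account across several accounts: spraying.
    ev("2024-10-16T03:00:01", "alice", "203.0.113.5", "fail"),
    ev("2024-10-16T03:00:02", "bob", "203.0.113.5", "fail"),
    ev("2024-10-16T03:00:03", "carol", "203.0.113.5", "fail"),
    ev("2024-10-16T03:00:04", "dave", "203.0.113.5", "fail"),
    # A single typo from a legitimate user: must not be flagged.
    ev("2024-10-16T08:30:00", "erin", "198.51.100.7", "fail"),
    # Repeated MFA pushes to carol until one is approved: push bombing.
    ev("2024-10-16T03:10:00", "carol", "203.0.113.5", "fail", "push_denied"),
    ev("2024-10-16T03:11:00", "carol", "203.0.113.5", "fail", "push_denied"),
    ev("2024-10-16T03:12:00", "carol", "203.0.113.5", "fail", "push_denied"),
    ev("2024-10-16T03:13:00", "carol", "203.0.113.5", "success", "push_approved", *THR),
    # One denied push followed by an approval is ordinary user behaviour.
    ev("2024-10-16T03:20:00", "dave", "198.51.100.9", "fail", "push_denied"),
    ev("2024-10-16T03:21:00", "dave", "198.51.100.9", "success", "push_approved", *NYC),
    # bob: New York, then Tehran one hour later -> impossible travel.
    ev("2024-10-16T09:00:00", "bob", "198.51.100.20", "success", "", *NYC),
    ev("2024-10-16T10:00:00", "bob", "203.0.113.5", "success", "", *THR),
    # alice: New York, then Boston eleven hours later -> plausible.
    ev("2024-10-16T09:00:00", "alice", "198.51.100.21", "success", "", *NYC),
    ev("2024-10-16T20:00:00", "alice", "198.51.100.22", "success", "", *BOS),
]


def detect_password_spray(events, min_accounts=3):
    """Source IPs whose failed logins touch at least min_accounts distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            failed[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_accounts}


def detect_push_bombing(events, min_denied=3):
    """Users who denied min_denied or more consecutive pushes and then approved one."""
    denied = defaultdict(int)
    flagged = set()
    for e in sorted(events, key=lambda e: e["t"]):
        if e["mfa"] == "push_denied":
            denied[e["user"]] += 1
        elif e["mfa"] == "push_approved":
            if denied[e["user"]] >= min_denied:
                flagged.add(e["user"])
            denied[e["user"]] = 0  # an approval ends the run either way
    return sorted(flagged)


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_impossible_travel(events, max_kmh=900.0, min_km=100.0):
    """Consecutive successful logins per user whose implied speed exceeds max_kmh.
    Returns a list of (user, km, hours). max_kmh is an assumed airliner ceiling;
    min_km suppresses noise from nearby locations."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["result"] == "success":
            by_user[e["user"]].append(e)
    hits = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km((prev["lat"], prev["lon"]), (cur["lat"], cur["lon"]))
            hours = (cur["t"] - prev["t"]).total_seconds() / 3600
            # Same-second logins from far apart are flagged too (avoids division by zero).
            if km >= min_km and (hours == 0 or km / hours > max_kmh):
                hits.append((user, round(km), round(hours, 2)))
    return hits


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(EVENTS))
    print("push bombing:", detect_push_bombing(EVENTS))
    print("impossible travel:", detect_impossible_travel(EVENTS))
```

Run as-is, the script flags 203.0.113.5 as a spraying source, carol as a push-bombing victim, and bob’s New York to Tehran pair. In production the same logic would read identity-provider sign-in logs and the geolocation would come from an IP database; the thresholds need tuning per environment, and known VPN egress ranges should be excluded from the travel check.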
Security teams should monitor for processes and program execution command-line arguments that may indicate credential dumping, such as accessing or copying the ntds.dit file from a domain controller.
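The lateral-movement and credential-gathering behaviour described earlier (Word spawning PowerShell to launch mstsc.exe, Cmdkey /list, the DomainPasswordSpray.ps1 import, the PowerShell LDAP query) and the ntds.dit access just mentioned all surface in process-creation telemetry. The following is an added example, not code from the advisory or from Cyble, of simple command-line rules run over constructed process events (a hypothetical parent/image/cmdline schema resembling what Windows event 4688 or an EDR sensor records). The file paths and rule names are assumptions, and the LDAP rule is a heuristic keyed on the .NET DirectorySearcher class, which is one common way to issue LDAP queries from PowerShell.

```python
# Hypothetical image paths for the constructed events below.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
MSTSC = r"C:\Windows\System32\mstsc.exe"
CMDKEY = r"C:\Windows\System32\cmdkey.exe"


def proc(parent, image, cmdline):
    """Build one constructed process-creation event."""
    return {"parent": parent, "image": image, "cmdline": cmdline}


# Constructed sample events, not data from the advisory.
EVENTS = [
    # Word opens PowerShell, which then launches the RDP client.
    proc(WORD, PS, "powershell.exe -NoProfile -Command mstsc.exe"),
    proc(PS, MSTSC, "mstsc.exe /v:10.0.0.5"),
    # Listing stored credentials.
    proc(CMD, CMDKEY, "cmdkey /list"),
    # Importing the public spraying script.
    proc(PS, PS, r"powershell.exe -ExecutionPolicy Bypass Import-Module .\DomainPasswordSpray.ps1"),
    # Copying the AD database off a domain controller.
    proc(CMD, CMD, r"cmd.exe /c copy \\dc01\c$\Windows\NTDS\ntds.dit C:\Users\Public\ntds.dit"),
    # LDAP enumeration of computer objects from PowerShell.
    proc(PS, PS, "powershell.exe -Command (New-Object DirectoryServices.DirectorySearcher "
                 "'(objectCategory=computer)').FindAll()"),
    # Benign activity that must not match: a user running a cmdlet or opening RDP normally.
    proc(EXPLORER, PS, "powershell.exe Get-Date"),
    proc(EXPLORER, MSTSC, "mstsc.exe"),
]

# Each rule receives lower-cased (image, parent, cmdline) and returns True on a match.
RULES = [
    ("office_spawns_powershell",
     lambda img, par, cmd: img.endswith("powershell.exe") and par.endswith("winword.exe")),
    ("powershell_launches_rdp",
     lambda img, par, cmd: img.endswith("mstsc.exe") and par.endswith("powershell.exe")),
    ("cmdkey_list",
     lambda img, par, cmd: "cmdkey" in cmd and "/list" in cmd),
    ("domainpasswordspray_import",
     lambda img, par, cmd: "domainpasswordspray" in cmd),
    # Direct references to ntds.dit; shadow-copy based access needs further rules.
    ("ntds_dit_access",
     lambda img, par, cmd: "ntds.dit" in cmd),
    # Assumed heuristic: DirectorySearcher or an LDAP:// path inside a PowerShell command.
    ("powershell_ldap_query",
     lambda img, par, cmd: img.endswith("powershell.exe")
     and ("directorysearcher" in cmd or "ldap://" in cmd)),
]


def match_rules(events, rules=RULES):
    """Return (rule_name, original command line) for every rule each event matches."""
    hits = []
    for e in events:
        fields = (e["image"].lower(), e["parent"].lower(), e["cmdline"].lower())
        for name, predicate in rules:
            if predicate(*fields):
                hits.append((name, e["cmdline"]))
    return hits


if __name__ == "__main__":
    for name, cmdline in match_rules(EVENTS):
        print(f"{name:28s} {cmdline}")
```

Each of the six hostile events matches exactly one rule and the two benign events match none. Rules of this kind are deliberately narrow; a real deployment would express them in the SIEM or EDR query language, pair the parent/child rules with user and host context, and tune them against the organization’s own administrative baseline.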
The advisory contains a number of Indicators of Compromise (IoCs) specific to the campaign, such as file hashes, IP addresses and device information.
Malicious File Hash Undetected by Security Tools
The advisory identified two SHA1 file hashes in the IoCs:
- 1F96D15B26416B2C7043EE7172357AF3AFBB002A
- 3D3CDF7CFC881678FEBCAFB26AE423FE5AA4EFEC
Interestingly, the first hash is more than five years old, according to Cyble threat intelligence data, and yet only one of 73 security tools identified it as malicious before today’s advisory (images below from Cyble’s Hawk and Vision threat intelligence tools).