Iranian Cyber Actors' Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations (CISA)
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are releasing this joint Cybersecurity Advisory to warn network defenders of Iranian cyber actors' use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors. The actors likely aim to obtain credentials and information describing the victim's network that can then be sold to enable access to cybercriminals.

Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) "push bombing" to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access. The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity.

This advisory provides the actors' tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). The information is derived from FBI engagements with entities impacted by this malicious activity.

The authoring agencies recommend critical infrastructure organizations follow the guidance provided in the Mitigations section. At a minimum, organizations should ensure all accounts use strong passwords and register a second form of authentication.

Download the PDF version of this report.

For a downloadable list of IOCs, see

Note: This advisory uses the MITRE ATT&CK for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section in Appendix A for a table of the actors' activity mapped to MITRE ATT&CK tactics and techniques.

The actors likely conduct reconnaissance operations to gather victim identity (T1589) information. Once obtained, the actors gain persistent access to victim networks, frequently via brute force (T1110). After gaining access, the actors use a variety of techniques to further gather credentials, escalate privileges, and gain information about the entity's systems and network. The actors also move laterally and download information that could assist other actors with access and exploitation.

The actors use valid user and group email accounts (T1078), frequently obtained via brute force such as password spraying (T1110.003), although other times via unknown methods, to obtain initial access to Microsoft 365, Azure (T1078.004), and Citrix systems (T1133). In some cases where push notification-based MFA was enabled, the actors send MFA requests to legitimate users seeking acceptance of the request. This technique, bombarding users with mobile phone push notifications until the user either approves the request by accident or stops the notifications, is known as "MFA fatigue" or "push bombing" (T1621).

Once the threat actors gain access to an account, they frequently register their devices with MFA to protect their access to the environment via the valid account.

The actors frequently conduct their activity using a virtual private network (VPN) service (T1572). Several of the IP addresses in the actors' malicious activity originate from exit nodes tied to the Private Internet Access VPN service.

The actors use Remote Desktop Protocol (RDP) for lateral movement (T1021.001). In one instance, the actors used Microsoft Word to open PowerShell to launch the RDP binary mstsc.exe (T1202).

The actors likely use open-source tools and methodologies to gather more credentials. The actors performed Kerberos Service Principal Name (SPN) enumeration of several service accounts and received Kerberos tickets (T1558.003). In one instance, the actors used the Active Directory (AD) Microsoft Graph Application Program Interface (API) PowerShell application, likely to perform a directory dump of all AD accounts. Also, the actors imported the tool (T1105) DomainPasswordSpray.ps1, which is openly available on GitHub (T1588.002), likely to conduct password spraying. The actors also used the command Cmdkey /list, likely to display usernames and credentials (T1555).

In one instance, the actors attempted impersonation of the domain controller, likely by exploiting Microsoft's Netlogon (also known as "Zerologon") privilege escalation vulnerability, CVE-2020-1472 (T1068).

The actors leverage living off the land (LOTL) to gain knowledge about the target systems and internal networks. The actors used the following Windows command-line tools to gather information about domain controllers (T1018), trusted domains (T1482), and lists of domain administrators and enterprise administrators (T1087.002, T1069.002, T1069.003):

Next, the actors used the following Lightweight Directory Access Protocol (LDAP) query in PowerShell (T1059.001) to search the AD for computer display names, operating systems, descriptions, and distinguished names (T1082):

```powershell
# Actor command as recorded in the advisory. The extracted text had lost its
# operators and quoting; they are restored here. The searchRoot assignment is
# the reading most consistent with the surviving text and is an assumption.
$i = 0;
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain();
$L = "LDAP://" + $D;
$D = [ADSI]$L;
# File-time value for 90 days ago: only computers that logged on since then
$Date = $((Get-Date).AddDays(-90)).ToFileTime();
# Computer objects whose OS string contains "serv" (servers) and that were recently active
$str = "(&(objectcategory=computer)(operatingSystem=*serv*)(|(lastlogon>=$Date)(lastlogontimestamp>=$Date)))";
$s = [adsisearcher]$str;
$s.searchRoot = $L + "/" + $D.distinguishedName;
$s.PropertiesToLoad.Add("cn") > $Null;
$s.PropertiesToLoad.Add("operatingsystem") > $Null;
$s.PropertiesToLoad.Add("description") > $Null;
$s.PropertiesToLoad.Add("distinguishedName") > $Null;
Foreach ($CA in $s.FindAll()) {
    Write-Host $CA.Properties.Item("cn") $CA.Properties.Item("operatingsystem") $CA.Properties.Item("description") $CA.Properties.Item("distinguishedName");
    $i++
};
Write-Host "Total servers: " $i
```

On one occasion, using msedge.exe, the actors likely made outbound connections to Cobalt Strike Beacon command and control (C2) infrastructure (T1071.001).

In a couple of instances, while logged in to victim accounts, the actors downloaded files related to gaining remote access to the organization and to the organization's inventory (T1005), likely exfiltrating the files to further persist in the victim network or to sell the information online.

To detect brute force activity, the authoring agencies recommend reviewing authentication logs for system and application login failures of valid accounts and looking for multiple failed authentication attempts across all accounts.

To detect the use of compromised credentials in combination with virtual infrastructure, the authoring agencies recommend the following steps:

The authoring agencies recommend organizations implement the mitigations below to improve organizations' cybersecurity posture based on the actors' TTPs described in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA. The CPGs, which are organized to align to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, are a subset of cybersecurity practices aimed at meaningfully reducing risks to both critical infrastructure operations and the American people. These voluntary CPGs strive to help small- and medium-sized organizations kickstart their cybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security outcomes. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

These mitigations apply to critical infrastructure entities across sectors.

The authoring agencies also recommend software manufacturers incorporate secure by design principles and tactics into their software development practices to protect their customers against actors using compromised credentials, thereby strengthening the security posture of their customers. For more information on secure by design, see CISA's Secure by Design webpage and joint guide.

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating organization security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Organizations are encouraged to report suspicious or criminal activity related to information in this advisory to

The information in this report is being provided "as is" for informational purposes only. The authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by the authoring agencies.

Intrusion events connected to this Iranian group may also include a different set of cyber actors, likely the third-party actors who purchased access from the Iranian group via cybercriminal forums or other channels. As a result, some TTPs and IOCs noted in this advisory may be tied to these third-party actors, not the Iranian actors. The TTPs and IOCs are in the advisory to provide recipients the most complete picture of malicious activity that may be observed on compromised networks. However, exercise caution if formulating attribution assessments based solely on matching TTPs and IOCs.

October 16, 2024: Initial version.

See Tables 1-12 for all referenced actors' tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.

See Tables 13 to 15 for IOCs obtained from FBI investigations.

Disclaimer: The authoring organizations recommend network defenders investigate or vet IP addresses prior to taking action, such as blocking, as many cyber actors are known to change IP addresses, sometimes daily, and some IP addresses may host valid domains. Many of the IP addresses provided below are assessed VPN nodes and, as such, are not exclusive to the Iranian actors' use. The authoring organizations do not recommend blocking these IP addresses based solely on their inclusion in this JCSA. The authoring organizations recommend using the below IP addresses to search for previous activity the actors may have conducted against networks. If positive hits for these IP addresses are identified, the authoring organizations recommend making an independent determination if the observed activity aligns with the TTPs outlined in the JCSA. The timeframes included in the table reflect the timeframe the actors likely used the IPs.
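The advisory's detection guidance (review authentication logs for login failures across all accounts) and the MFA push-bombing and MFA re-registration behaviour it describes translate into three simple log analytics. The Python below is an added example, not code from the advisory or the authoring agencies. The comma-separated record format, the sample events, the IP addresses and the thresholds are constructed assumptions; map your identity provider's sign-in and MFA audit fields onto the `Event` shape before using it.

```python
"""Added example (not the advisory's code): log analytics for the password
spraying, MFA push bombing and MFA re-registration behaviour in the advisory.
Record format timestamp,kind,user,source_ip,outcome is a constructed
simplification of an identity provider's sign-in log."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: datetime
    kind: str     # signin | mfa_prompt | mfa_approved | mfa_register
    user: str
    src_ip: str
    outcome: str  # success | failure ("" for MFA events)


def parse(line: str) -> Event:
    ts, kind, user, src_ip, outcome = line.split(",")
    return Event(datetime.fromisoformat(ts), kind, user, src_ip, outcome)


# Constructed sample (not from a real incident): 203.0.113.10 tries one password
# against five accounts, gets erin's password right, sends MFA pushes until one
# is approved, then registers a new MFA method. 198.51.100.7 is a user mistyping
# a password twice, the benign control.
SAMPLE_LOG = """
2024-03-01T02:00:00,signin,alice@example.org,203.0.113.10,failure
2024-03-01T02:00:04,signin,bob@example.org,203.0.113.10,failure
2024-03-01T02:00:09,signin,carol@example.org,203.0.113.10,failure
2024-03-01T02:00:13,signin,dave@example.org,203.0.113.10,failure
2024-03-01T02:00:18,signin,erin@example.org,203.0.113.10,failure
2024-03-01T02:04:40,signin,erin@example.org,203.0.113.10,success
2024-03-01T02:05:00,mfa_prompt,erin@example.org,203.0.113.10,
2024-03-01T02:05:30,mfa_prompt,erin@example.org,203.0.113.10,
2024-03-01T02:06:00,mfa_prompt,erin@example.org,203.0.113.10,
2024-03-01T02:06:30,mfa_prompt,erin@example.org,203.0.113.10,
2024-03-01T02:07:00,mfa_prompt,erin@example.org,203.0.113.10,
2024-03-01T02:07:30,mfa_prompt,erin@example.org,203.0.113.10,
2024-03-01T02:08:00,mfa_approved,erin@example.org,203.0.113.10,
2024-03-01T03:00:00,mfa_register,erin@example.org,203.0.113.10,
2024-03-01T09:15:00,signin,frank@example.org,198.51.100.7,failure
2024-03-01T09:15:20,signin,frank@example.org,198.51.100.7,failure
2024-03-01T09:15:45,signin,frank@example.org,198.51.100.7,success
2024-03-01T09:16:00,mfa_prompt,frank@example.org,198.51.100.7,
2024-03-01T09:16:10,mfa_approved,frank@example.org,198.51.100.7,
"""
SAMPLE_EVENTS: List[Event] = [parse(l) for l in SAMPLE_LOG.strip().splitlines()]


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5) -> Dict[str, Set[str]]:
    """Source IPs whose failed sign-ins within one window span many distinct
    accounts. Spraying is wide and shallow (one or two guesses per account), so
    a per-account lockout counter never trips; counting accounts per source does."""
    failures: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events):
        if e.kind == "signin" and e.outcome == "failure":
            failures[e.src_ip].append(e)
    hits: Dict[str, Set[str]] = {}
    for ip, evs in failures.items():
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered failures
            while evs[end].ts - evs[start].ts > window:
                start += 1
            users = {x.user for x in evs[start:end + 1]}
            if len(users) >= min_accounts and len(users) > len(hits.get(ip, ())):
                hits[ip] = users
    return hits


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_prompts=5) -> Dict[str, bool]:
    """Users who received many MFA pushes in a short window, mapped to whether a
    push was eventually approved (True means likely account takeover)."""
    prompts: Dict[str, List[datetime]] = defaultdict(list)
    approved: Set[str] = set()
    for e in sorted(events):
        if e.kind == "mfa_prompt":
            prompts[e.user].append(e.ts)
        elif e.kind == "mfa_approved":
            approved.add(e.user)
    fatigued: Dict[str, bool] = {}
    for user, times in prompts.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_prompts:
                fatigued[user] = user in approved
                break
    return fatigued


def detect_new_mfa_after_spray(events, spray_ips: Set[str], grace=timedelta(hours=24)) -> Set[str]:
    """Accounts that registered a new MFA method soon after a successful sign-in
    from a spraying source: the persistence step the advisory describes."""
    successes = [e for e in events
                 if e.kind == "signin" and e.outcome == "success" and e.src_ip in spray_ips]
    return {r.user for r in events if r.kind == "mfa_register"
            for s in successes
            if s.user == r.user and timedelta(0) <= r.ts - s.ts <= grace}


if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_EVENTS)
    print("password spray sources:", {ip: sorted(u) for ip, u in sprays.items()})
    print("MFA fatigue (approved?):", detect_mfa_fatigue(SAMPLE_EVENTS))
    print("MFA registered after spray:", detect_new_mfa_after_spray(SAMPLE_EVENTS, set(sprays)))
```

The three checks are meant to be chained: sources flagged by `detect_password_spray` feed `detect_new_mfa_after_spray`, and a user that appears in both `detect_mfa_fatigue` with `True` and the re-registration set is the full sequence the advisory describes (spray, push bombing, persistent MFA device). Thresholds are deliberately parameters, since the right values depend on the size of the tenant and the normal failure rate.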
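The living-off-the-land activity in the technical details (Microsoft Word opening PowerShell to launch mstsc.exe, `Cmdkey /list`, the import of DomainPasswordSpray.ps1, and the adsisearcher computer enumeration) is visible in process-creation telemetry. The Python below, an added example rather than code from the advisory, combines parent-chain analysis with command-line indicators over constructed process events. The event structure, PIDs, addresses and command lines are made up for illustration, and the indicator regexes are assumptions derived from the behaviours the advisory names, to be baselined against legitimate administrative activity before they drive alerts.

```python
"""Added example (not the advisory's code): process-telemetry detections for
the living-off-the-land discovery and the Word -> PowerShell -> mstsc.exe chain
the advisory describes. Event shape, PIDs and command lines are constructed."""
import re
from typing import Dict, List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str    # executable file name, lower-case
    cmdline: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line indicators for behaviours the advisory names. The patterns are
# assumptions; baseline them against legitimate admin activity before alerting.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("credential_listing_cmdkey", re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I)),
    ("password_spray_tool", re.compile(r"DomainPasswordSpray", re.I)),
    ("ldap_computer_enumeration",
     re.compile(r"(adsisearcher|DirectorySearcher).*objectcategory=computer", re.I)),
]

# Constructed sample: a Word document spawns PowerShell, which launches the RDP
# client (pids 200-400); three discovery commands (500-700); two benign controls
# (800: ordinary PowerShell; 900: mstsc.exe started by the user from Explorer).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", "winword.exe /n invoice.docx"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -w hidden -c Start-Process mstsc.exe"),
    ProcEvent(400, 300, "mstsc.exe", "mstsc.exe /v:10.0.0.5"),
    ProcEvent(500, 100, "cmd.exe", "cmd.exe /c cmdkey /list"),
    ProcEvent(600, 100, "powershell.exe", "powershell.exe -c Import-Module .\\DomainPasswordSpray.ps1"),
    ProcEvent(700, 100, "powershell.exe",
              "powershell.exe -c $s=[adsisearcher]'(&(objectcategory=computer)(operatingSystem=*serv*))';$s.FindAll()"),
    ProcEvent(800, 100, "powershell.exe", "powershell.exe -c Get-Date"),
    ProcEvent(900, 100, "mstsc.exe", "mstsc.exe /v:10.0.0.9"),
]


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image names from the process itself up to the root. The visited set guards
    against PID-reuse loops that occur in real telemetry."""
    chain: List[str] = []
    seen = set()
    cur = ev
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = by_pid.get(cur.ppid)
    return chain


def _shell_under_office(parents: List[str]) -> bool:
    """True when a shell in the parent chain itself descends from an Office app."""
    for i, p in enumerate(parents):
        if p in SHELLS and any(q in OFFICE_APPS for q in parents[i + 1:]):
            return True
    return False


def analyse(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, finding_name, detail) tuples for the events that match."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str, str]] = []
    for e in events:
        chain = ancestry(e, by_pid)
        # RDP client whose ancestry runs through a shell spawned by an Office app
        if e.image == "mstsc.exe" and _shell_under_office(chain[1:]):
            findings.append((e.pid, "rdp_client_from_office_shell", " <- ".join(chain)))
        for name, rx in INDICATORS:
            if rx.search(e.cmdline):
                findings.append((e.pid, name, e.cmdline))
    return findings


if __name__ == "__main__":
    for pid, name, detail in analyse(SAMPLE_EVENTS):
        print(f"pid {pid}: {name}: {detail}")
```

The parent-chain check is ordered on purpose: an Office application anywhere above a shell above `mstsc.exe` is the unusual shape, whereas `mstsc.exe` under Explorer (pid 900) is a user opening Remote Desktop and is left alone. The command-line indicators match the specific tools the advisory names rather than generic PowerShell use, which keeps the false-positive rate manageable on hosts where administrators script against Active Directory.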