Iranian hackers are breaching critical infrastructure organizations to collect credentials and network data that can be sold on cybercriminal forums to enable cyberattacks from other threat actors.
Government agencies in the U.S., Canada, and Australia believe that Iranian hackers are acting as initial access brokers and use brute-force techniques to gain access to organizations in the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.
Iranian access broker
An advisory published by America’s Cyber Defense Agency (CISA) describes the latest activity and methods that Iranian hackers used to compromise networks and collect data that would provide additional points of access.
The alert is co-authored by the Federal Bureau of Investigation (FBI), CISA, the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).
“Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations” – joint cybersecurity advisory
After the reconnaissance stage, the threat actors aim to obtain persistent access to the target network, often using brute force techniques.
Follow-up activity includes collecting more credentials, escalating privileges, and learning about the breached systems and the network, which allows them to move laterally and identify other points of access and exploitation.
The government agencies haven’t discovered all the methods used in such attacks but determined that in some the hackers use password spraying to access valid user and group accounts.
Another method observed was MFA fatigue (push bombing) where cybercriminals bombard a target’s mobile phone with access requests to overwhelm the user until they approve the sign-in attempt, either by accident or just to stop the notifications.
According to the advisory, Iranian hackers also used some methods that have yet to be determined to obtain initial access to Microsoft 365, Azure, and Citrix environments.
Once they get access to an account, the threat actors typically try to register their devices with the organization’s MFA system.
In two confirmed compromises, the actors leveraged a compromised user’s open registration for MFA to register the actor’s own device to access the environment.
In another confirmed compromise, the actors used a self-service password reset (SSPR) tool associated with a public facing Active Directory Federation Service (ADFS) to reset the accounts with expired passwords and then registered MFA through Okta for compromised accounts without MFA already enabled.
Moving through the network was conducted via the Remote Desktop Protocol (RDP), sometimes deploying the necessary binaries using PowerShell opened through Microsoft Word.
It is unclear how the Iranian hackers collect additional credentials but it is believed that this step is done with the help of open-source tools to steal Kerberos tickets or to retrieve Active Directory accounts.
To elevate privileges on the system, the government agencies said that the hackers tried to impersonate the domain controller “likely by exploiting Microsoft’s Netlogon (also known as ”Zerologon”) privilege escalation vulnerability (CVE-2020-1472).”
In the attacks analyzed, the threat actor relied on the tools available on the system (living off the land) to gather details about domain controllers, trusted domains, lists of administrators, enterprise admins, computers on the network, their descriptions, and operating systems.
In a separate advisory in August, the U.S. government warned of an Iranian-based threat actor, believed to be state sponsored, involved in obtaining initial access to networks belonging to various organizations in the U.S.
The threat actor used the alias Br0k3r and the username ‘xplfinder’ on communication channels. They provided “full domain control privileges, as well as domain admin credentials, to numerous networks worldwide,” the report notes.
Br0k3r, known in the private sector as Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm, collaborated with ransomware affiliates to receive a percentage of the ransom payments from compromised organizations (e.g. schools, municipal governments, financial institutions, and healthcare facilities).
Detecting brute-force attempts
The joint advisory recommends organizations review authentication logs for failed logins on valid accounts and expand the search to multiple accounts.
If a threat actor leverages compromised credentials on virtual infrastructures, organizations should look for the so-called ‘impossible logins’ with changed usernames, user agents, or IP addresses that do not match the user’s typical geographic location.
Another sign of a potential intrusion attempt is the use of the same IP for multiple accounts or the use of IPs from different locations with a frequency that would not permit the user to travel the distance.
Additionally, the agencies recommend:
- looking for MFA registrations with MFA in unexpected locales or from unfamiliar devices
- looking for processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the ntds.dit file from a domain controller
- checking for suspicious privileged account use after resetting passwords or applying user account mitigations
- investigating unusual activity in typically dormant accounts
- scanning for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity
The joint advisory also provides a set of mitigations that would improve an organization’s security posture against the tactics, techniques, and procedures (TTPs) observed with Iranian hackers’ activity.
A set of indicators of compromise including hashes for malicious files, IP addresses, and devices used in attacks are available in the advisory.