CISA, FBI, NSA, and International Partners Warn of Iranian Hackers Targeting Critical Infrastructure

Brute-force attacks: A brute-force attack is a type of cyberattack in which an attacker systematically tries all possible combinations of passwords or encryption keys to gain unauthorized access to a system, account, or encrypted data.

Password spraying: Instead of repeatedly trying different passwords on a single account, attackers try a small number of common passwords across many accounts, hoping that one will work.

Starting in October 2023, Iranian attackers have been observed using techniques such as brute-force attacks, password spraying, and MFA push bombing to compromise user accounts and gain access to organisations in critical infrastructure sectors such as public health, government, information technology, engineering, and energy. The pattern of activity after initial access suggests that the intent is to obtain credentials and points of entry into the networks to be sold on cybercriminal forums, enabling access for other malicious actors.

The threat actors likely conduct reconnaissance operations to gather victim identities to target. They then gain access to victim networks, frequently by means of brute-force attacks after which they use a host of other techniques to gather additional credentials, escalate privileges, and gather information about the organisation’s system and network. The actors also move laterally and download information that could assist other actors with access and exploitation.

Brute-force Attack Illustration

In cases where users had Multi-factor Authentication enabled via push notifications, the threat actors used a technique known as ‘MFA Fatigue’ or ‘Push Bombing’. This technique involves bombarding users with push notifications until the user accidentally approves a request or stops the notifications.

MFA Fatigue / Push Bombing Illustration

To maintain persistent access, the threat actors frequently register their own devices with MFA. In two confirmed instances, the threat actors leveraged users’ open MFA registration to enrol their own devices and access the environment. In another confirmed instance, the actors used a self-service password reset (SSPR) tool associated with a public-facing Active Directory Federation Service (ADFS) to reset accounts with expired passwords, and then registered MFA through Okta for compromised accounts that did not have MFA enabled.

Self-Service Password Reset (SSPR): A tool that allows users to reset their own passwords without needing help from the IT department, often used in large organizations to reduce IT workload.

Remote Desktop Protocol (RDP): A protocol that allows someone to control a computer remotely over the internet, as if they were sitting right in front of it, often used by IT teams to manage systems.

The actors frequently used VPNs to conduct their activities. Several IP addresses identified in the malicious activity originate from known exit nodes tied to the Private Internet Access VPN service.

Lateral movement was achieved using the Remote Desktop Protocol (RDP). In one instance, the attackers used Microsoft Word to open PowerShell, from which they launched an RDP binary.

Attackers were seen leveraging the privilege escalation vulnerability in Microsoft’s Netlogon, CVE-2020-1472, dubbed “Zerologon”.

To defend against brute-force and credential-based attacks, the agencies recommend organizations regularly monitor authentication logs for repeated login failures across multiple accounts, which may indicate brute-force activity. Monitoring for “impossible logins” such as access attempts from geographically distant locations or varying IP addresses within a short time can help identify the use of compromised credentials. Additionally, it is critical to watch for IP addresses logging into multiple accounts or suspicious logins from unfamiliar devices or locations, especially when linked to privileged accounts. The agencies also suggest investigating unusual patterns in typically dormant accounts and monitoring user agent strings that may signal bot activity.
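The two detections described above, password spraying (one source IP failing against many accounts) and “impossible logins” (one account succeeding from two places too far apart for the elapsed time), as an added example that is not part of the advisory or of this post. The sign-in events, IP addresses and geolocations are constructed sample data; the thresholds (5 accounts in 10 minutes, 900 km/h) are assumptions a team would tune to its own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real data): ts, account, src IP, result, lat, lon
EVENTS = [
    ("2024-03-01T08:00:00", "alice", "203.0.113.5", "FAIL", 51.5, -0.1),
    ("2024-03-01T08:00:20", "bob", "203.0.113.5", "FAIL", 51.5, -0.1),
    ("2024-03-01T08:00:40", "carol", "203.0.113.5", "FAIL", 51.5, -0.1),
    ("2024-03-01T08:01:00", "dave", "203.0.113.5", "FAIL", 51.5, -0.1),
    ("2024-03-01T08:01:20", "erin", "203.0.113.5", "FAIL", 51.5, -0.1),
    ("2024-03-01T08:02:00", "erin", "203.0.113.5", "SUCCESS", 51.5, -0.1),
    ("2024-03-01T08:05:00", "frank", "192.0.2.9", "FAIL", 48.9, 2.3),  # single typo, benign
    ("2024-03-01T08:30:00", "erin", "198.51.100.7", "SUCCESS", 40.7, -74.0),  # London -> New York in 28 min
]

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Source IPs whose failed logins hit >= min_accounts distinct accounts within one window."""
    fails = defaultdict(list)
    for ts, user, ip, result, _lat, _lon in events:
        if result == "FAIL":
            fails[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()  # sliding window over this IP's failures, ordered by time
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (Earth radius 6371 km)."""
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlmb / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect_impossible_travel(events, max_kmh=900):
    """(account, ip_a, ip_b, km) for consecutive successful logins implying travel faster than max_kmh."""
    logins = defaultdict(list)
    for ts, user, ip, result, lat, lon in events:
        if result == "SUCCESS":
            logins[user].append((datetime.fromisoformat(ts), ip, lat, lon))
    flagged = []
    for user, hops in logins.items():
        hops.sort()
        for (t1, ip1, la1, lo1), (t2, ip2, la2, lo2) in zip(hops, hops[1:]):
            # distance > speed * time also catches two logins at the same instant from different places
            if (km := haversine_km(la1, lo1, la2, lo2)) > max_kmh * (t2 - t1).total_seconds() / 3600:
                flagged.append((user, ip1, ip2, round(km)))
    return flagged
```

In the sample, the spray from 203.0.113.5 ends with a success for erin, and erin's next login from New York 28 minutes later is the impossible-travel hit; frank's single failure is left alone.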

To mitigate the threat, organizations should enforce phishing-resistant multi-factor authentication (MFA) and review MFA settings to cover all external-facing services. Ensuring strong password policies, including the use of long and complex passphrases, is essential. Organizations should also disable RC4 for Kerberos authentication and enforce procedures that align with the NIST Digital Identity Guidelines. It’s recommended to regularly review helpdesk practices, including password management policies, and to deactivate user accounts promptly upon employee departures to reduce exposure. Lastly, organizations should continually test their security programs against MITRE ATT&CK techniques to validate and tune their defences against evolving attack strategies.
