SafeBreach Coverage for US CERT AA24-290A (Iranian Cyber Actors)

On October 16^th, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) issued an urgent advisory warning security teams about the use of Brute Force and other techniques by Iranian threat actors to compromise critical infrastructure entities. Detailed information about this threat and the associated IOCs and TTPs can be seen on Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations. 

This blog will share an overview of the threat and our coverage for these threat actors. As a SafeBreach customer, you will have access to all the attacks listed below and more to validate your organizational security controls against these state-sponsored threat actors.

US CERT Alert AA24-290A (Iranian Cyber Actors) 

According to the advisory, Iranian threat actors have been observed consistently leveraging brute force techniques to obtain credentials and information about victim networks which is then sold to the highest bidder on the dark web. These attacks have been concentrated on organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.

The authoring agencies observed threat actors using techniques like password spraying and multifactor authentication (MFA) “Push bombing” since October 2023 to compromise user accounts and gain initial access to victim networks. To enable persistent, ongoing access, they were even observed modifying MFA registrations. Discovery was then performed on compromised victim networks to obtain credentials with higher levels of access and additional information about the victim network.

Technical Details

Initial Access and Persistence – These threat actors use illegally obtained valid user and group email accounts to obtain initial access to Microsoft 365, Azure, and Citrix systems. In systems where MFA is used for added authentication, these threat actors have been observed sending constant MFA push notifications to legitimate users (known as push bombing) in the hopes that the user would either approve the request by accident or stop the notification. In the eventuality that the legitimate user approves the MFA request (on accident), threat actors promptly register their devices with MFA to retain their access to the victim network using the stolen (yet valid user account). These threat actors were observed hiding their tracks using a Virtual Private Network (VPN)

Lateral Movement – Remote Desktop Protocol (RDP) was used to move laterally in the victim networks. PowerShell was also used to launch the RDP binary mstsc.exe.

Additional Credential Access – These threat actors were observed commonly available open-source tools to gather additional credentials to gain further access inside the victim networks. Kerberos Service Principal Name (SPN) enumeration of several service accounts was performed to receive Kerberos tickets with credential information. They also used Active Directory (AD) Microsoft Graph API PowerShell application to perform a directory dump of all AD accounts. The use of password spraying, and  the command cmdkey /list was also observed to steal and display usernames and passwords.

Privilege Escalation – Threat actors were also observed impersonating the domain controller through the exploitation of Microsoft’s Netlogon privilege escalation vulnerability (CVE-2020-1472).

Discovery – Living off the land (LOTL) techniques were used to gain additional information about the victims’ internal network infrastructure. Following command-line tools and utilities were used to gain insight into the domain controllers:

• Nltest /dclist
• Nltest /domain_trusts
• Nltest /domain_trusts/all_trusts
• Net group “Enterprise admins” /domain
• Net group “Domain admins” /domain

Lightweight Directory Access Protocol (LDAP) queries were also used to search the AD for computer display names, operating systems, descriptions, and distinguished names.

Command and Control (C&C) – Threat actors used msedge.exe to make outbound connections to Cobalt Strike Beacon C&C infrastructure.

Data Collection and Exfiltration – The threat actors were observed downloading files related to gaining remote access to the organization and to the organization’s inventory, likely exfiltrating the files to further persist in the victim network or to sell the information online.

Important Note for SafeBreach Customers – Coverage for AA24-290A (Iranian Cyber Actors)

As soon as details were made available, the SafeBreach Labs team mapped existing attacks in the Hacker’s Playbook to this US-CERT alerts  immediately. It is important to note that existing SafeBreach customers already had a comprehensive level of coverage against the tactics and techniques leveraged by the threat actors identified in the advisory. Please run/re-run the attacks listed below to ensure your environments are protected against these TTPs.

Existing IOC-Based Attacks Related to AA24-290A (Iranian Cyber Actors)

• #5487 – Exploit CVE-2020-1472 ZeroLogon
• #5718 – Pre-execution phase of SharpZeroLogon trojan
• #5719 – Write SharpZeroLogon trojan to disk
• #5720 – Transfer of SharpZeroLogon trojan over HTTP/S
• #5721 – Transfer of SharpZeroLogon trojan over HTTP/S
• #5722 – Email SharpZeroLogon trojan as a compressed attachment
• #5723 – Email SharpZeroLogon trojan as a compressed attachment
• #6246 – Exploit ZeroLogon (CVE-2020-1472) (Windows)
• #8188 – Write ZeroLogon ransomware to disk
• #8189 – Transfer of ZeroLogon ransomware over HTTP/S
• #8190 – Transfer of ZeroLogon ransomware over HTTP/S
• #8191 – Email ZeroLogon ransomware as a compressed attachment
• #8192 – Email ZeroLogon ransomware as a compressed attachment

Existing Behavioral Attacks Related to AA24-290A (Iranian Cyber Actors)

• #7222 – Password Spraying (lateral movement)
• #1693 – Collect Windows system data using CMD (host level)
• #2192 – Collect Data from Local Shared Drives using System Commands (host level)
• #6910 – RDP Tunneling (host level)
• #10337 – Extract Security information using PowerShell (host level)
• #10338 – Extract Windows information using PowerShell (host level)
• #2206 – Extract Security Packages using PowerShell (host level)
• #2208 – Extract Credentials using Get-GPPPassword (PowerShell) (host level)
• #2222 – Discover Remote Systems using PowerShell (host level)
• #172 – Brute force attack over SMB protocol (lateral movement)
• #286 – Brute force attack over the LDAP protocol (lateral movement)
• #192 – Brute force attack over RDP protocol (lateral movement)
• #6473 – Agentless lateral movement via RDP (host level)
• #6580 – Discover domain groups using LDAP method (host level)
• #6578 – Discover domain users using LDAP method (host level)
• #7225 – Extracting Active Directory tickets using Kerberos (host level)
• #6581 – Discover domain computers using LDAP method (host level)
• #2306 – Domain Trust Discovery (host level)
• #6799 – Domain Controller discovery using interactive session token (host level)
• #6800 – Domain Controller discovery using user credentials (host level)
• #7225 – Kerberoasting attack (lateral movement)

NOTE – FBI, CISA, and NSA recommend continually validating your security program, at scale, in a production environment to ensure optimal performance against growing threat of advanced cyber threats. Additional recommendations can be seen in the advisory (linked below):

• Look for “impossible logins,” such as suspicious logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the user’s expected geographic location.
• Look for one IP used for multiple accounts, excluding expected logins.
• Look for unusual activity in typically dormant accounts.
• Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts.
• Implement phishing-resistant MFA.
• Continuously review MFA settings to ensure coverage over all active, internet-facing protocols to ensure no exploitable services are exposed.
• Disable user accounts and access to organizational resources for departing staff.
• For additional recommendations, please review the advisory in detail.