Intelligence and law enforcement agencies in Australia, Canada and the US have warned about an Iran-backed year-long campaign during which hackers used brute force and other techniques to compromise organizations across multiple critical infrastructure sectors.
The joint advisory said the campaign was first identified as active in October 2023 and targeted multiple critical infrastructure sectors, including healthcare, government, information technology, engineering and energy.
Brute Force, Password Spraying and MFA Push Bombing
Before gaining access to their victims, the cyber threat actors likely conducted reconnaissance operations to gather victim identity information.
With that information in hand, the actors obtained initial access to Microsoft 365, Azure and Citrix systems using valid user and group email accounts, frequently obtained through brute-force techniques such as password spraying and other methods, and then maintained persistent access to victim networks.
In some cases where push notification-based multifactor authentication (MFA) was enabled, the actors sent MFA requests to legitimate users seeking acceptance of the request. This technique – bombarding users with mobile phone push notifications until the user either approves the request by accident or stops the notifications – is known as ‘MFA fatigue’ or ‘MFA push bombing.’
Once inside a victim’s network, the actors used several common methods, such as leveraging Remote Desktop Protocol (RDP), Kerberos Service Principal Name (SPN) or Microsoft Active Directory, to perform lateral movement, privilege escalation and credential gathering.
Recommendations for Detection and Mitigation
The joint advisory shared some measures organizations can take to detect this campaign.
These include:
- Looking for “impossible logins,” such as suspicious logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align with the user’s expected geographic location
- Looking for one IP used for multiple accounts, excluding expected logins
- Looking for “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses with significant geographic distance (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the period between the logins)
- Looking for MFA registrations in unexpected locales or from unfamiliar devices
- Looking for processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the ntds.dit file from a domain controller
- Looking for suspicious privileged account use after resetting passwords or applying user account mitigations
- Looking for unusual activity in typically dormant accounts
- Looking for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity
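Three of the detections above (impossible travel, one IP authenticating as many accounts, and MFA push bombing) can be expressed as simple checks over sign-in telemetry. The script below is an added example, not code from the advisory or from any of the signing agencies; the log lines, IP addresses, coordinates, the 900 km/h speed ceiling, the VPN allowlist and the prompt-count thresholds are all constructed assumptions for illustration.

```python
"""Detections for three indicators from the joint advisory, run over
constructed M365-style sign-in records (CSV). Added example; the log,
addresses and thresholds below are assumptions, not advisory data."""
import csv
import io
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Fields: time, user, event, ip, lat, lon, result.
SAMPLE_LOG = """\
time,user,event,ip,lat,lon,result
2024-03-01T08:00:00,alice,signin,203.0.113.10,40.7128,-74.0060,success
2024-03-01T08:45:00,alice,signin,198.51.100.7,52.5200,13.4050,success
2024-03-01T09:00:00,bob,signin,198.51.100.7,52.5200,13.4050,failure
2024-03-01T09:01:00,carol,signin,198.51.100.7,52.5200,13.4050,failure
2024-03-01T09:02:00,dave,signin,198.51.100.7,52.5200,13.4050,failure
2024-03-01T09:10:00,bob,mfa_prompt,198.51.100.7,52.5200,13.4050,denied
2024-03-01T09:11:00,bob,mfa_prompt,198.51.100.7,52.5200,13.4050,denied
2024-03-01T09:12:00,bob,mfa_prompt,198.51.100.7,52.5200,13.4050,denied
2024-03-01T09:13:00,bob,mfa_prompt,198.51.100.7,52.5200,13.4050,denied
2024-03-01T09:14:00,bob,mfa_prompt,198.51.100.7,52.5200,13.4050,approved
2024-03-01T10:00:00,erin,signin,192.0.2.5,40.7128,-74.0060,success
2024-03-01T10:05:00,frank,signin,192.0.2.5,40.7128,-74.0060,success
2024-03-01T10:06:00,grace,signin,192.0.2.5,40.7128,-74.0060,success
"""

# Assumed corporate VPN egress: many users share it by design, so it is
# excluded from the shared-IP check ("excluding expected logins").
EXPECTED_SHARED_IPS = {"192.0.2.5"}

def parse_log(text):
    """Parse the CSV text into dicts with typed time/lat/lon, sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["time"] = datetime.fromisoformat(r["time"])
        r["lat"], r["lon"] = float(r["lat"]), float(r["lon"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["time"])

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(rows, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins by one user whose implied speed
    exceeds max_speed_kmh (assumed ceiling, roughly airliner speed)."""
    last, hits = {}, []
    for r in rows:
        if r["event"] != "signin" or r["result"] != "success":
            continue
        prev = last.get(r["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], r["lat"], r["lon"])
            hours = (r["time"] - prev["time"]).total_seconds() / 3600
            if hours > 0 and km / hours > max_speed_kmh:
                hits.append((r["user"], prev["ip"], r["ip"], round(km)))
        last[r["user"]] = r
    return hits

def shared_ip_accounts(rows, min_accounts=3):
    """Flag IPs that attempted sign-in as >= min_accounts distinct users,
    excluding addresses that are expected to be shared."""
    users_by_ip = defaultdict(set)
    for r in rows:
        if r["event"] == "signin":
            users_by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(u) for ip, u in users_by_ip.items()
            if len(u) >= min_accounts and ip not in EXPECTED_SHARED_IPS}

def mfa_push_bombing(rows, window=timedelta(minutes=10), min_prompts=4):
    """Flag users who received >= min_prompts MFA prompts inside `window`;
    report whether the burst ended in an approval (the fatigue outcome)."""
    prompts = defaultdict(list)
    for r in rows:
        if r["event"] == "mfa_prompt":
            prompts[r["user"]].append(r)
    hits = {}
    for user, evs in prompts.items():
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            if len(burst) >= min_prompts:
                hits[user] = {"prompts": len(burst),
                              "approved": any(e["result"] == "approved" for e in burst)}
                break
    return hits

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("impossible travel:", impossible_travel(log))
    print("shared IPs:", shared_ip_accounts(log))
    print("MFA push bombing:", mfa_push_bombing(log))
```

On the constructed log, the script reports alice moving between two cities 45 minutes apart, a single non-VPN address trying four accounts, and five MFA prompts to bob inside ten minutes with the last one approved. In production the same logic runs over exported sign-in and MFA-prompt logs, with the speed ceiling and thresholds tuned to the organization’s own baseline.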
The intelligence and law enforcement agencies also shared some recommendations to mitigate this threat.
These include:
- Reviewing IT helpdesk password management related to initial passwords, password resets for user lockouts and shared accounts
- Disabling user accounts and access to organizational resources for departing staff
- Implementing phishing-resistant MFA
- Continuously reviewing MFA settings so that coverage extends to all active, internet-facing protocols and no exploitable services are left exposed
- Providing basic cybersecurity training to users
- Ensuring password policies align with the latest NIST Digital Identity Guidelines
- Disabling the use of RC4 for Kerberos authentication
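The NIST guidance referenced above (SP 800-63B, memorized secrets) replaces composition rules and forced rotation with a length floor, a generous length ceiling and screening against commonly used, breached, repetitive, sequential and context-specific values. The checker below is an added example of such a policy and is not from the advisory or from NIST; the blocklist, the run-length threshold of 4 and the hypothetical organization name are constructed assumptions.

```python
"""Password-acceptance check modelled on NIST SP 800-63B memorized-secret
rules. Added example; the blocklist and run threshold are assumptions."""
import unicodedata

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64   # verifiers should permit at least 64 characters
RUN_LENGTH = 4    # assumed threshold for repetitive/sequential runs

# Constructed stand-in for a list of commonly used or breached passwords.
BLOCKLIST = {"password", "password1", "123456789", "qwerty123", "welcome1", "letmein1"}

def normalize(pw):
    """Apply NFKC normalization before comparing, as SP 800-63B recommends."""
    return unicodedata.normalize("NFKC", pw)

def has_run(s, min_run=RUN_LENGTH):
    """True if s contains min_run identical or consecutive (code point +1)
    characters in a row, e.g. 'aaaa' or '1234'."""
    for start in range(len(s) - min_run + 1):
        chunk = s[start:start + min_run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {0} or diffs == {1}:
            return True
    return False

def check_password(pw, username="", org_name=""):
    """Return the list of reasons the password is rejected; empty = accepted.
    Deliberately imposes no composition rules (mixed case, digits, symbols)
    and no expiry, in line with SP 800-63B."""
    pw = normalize(pw)
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if len(pw) > MAX_LENGTH:
        reasons.append("longer than %d characters" % MAX_LENGTH)
    if lowered in BLOCKLIST:
        reasons.append("appears in blocklist of common/breached passwords")
    if has_run(lowered):
        reasons.append("contains repetitive or sequential characters")
    # Context-specific words: the account name and the organization name.
    for word in (username, org_name):
        if word and word.lower() in lowered:
            reasons.append("contains context-specific word %r" % word)
    return reasons

if __name__ == "__main__":
    for candidate in ("Password1", "correct horse battery staple",
                      "acme-alice-2024", "abcd1234xyz"):
        # "acme" is a hypothetical organization name used for the check.
        print(candidate, "->", check_password(candidate, "alice", "acme") or "accepted")
```

In a real deployment the blocklist would be the organization’s breached-password corpus (or a lookup against one), applied at initial password issuance and at every helpdesk reset, which is where the first mitigation in the list above is aimed.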
The joint advisory was signed by the FBI, the NSA, the US Cybersecurity and Infrastructure Security Agency (CISA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP) and the Australian Cyber Security Centre (ACSC) on October 16.