Iranian Cyber Threats: A Year-Long Campaign Targeting Critical Infrastructure
In a significant warning issued today, U.S. security agencies, in collaboration with international counterparts, have shed light on a year-long Iranian cyber campaign that poses a severe threat to critical infrastructure across various sectors. This advisory, released by the FBI, CISA, NSA, and cybersecurity agencies from Canada and Australia, highlights the alarming tactics employed by Iranian threat actors, including brute-force attacks, to compromise vital systems and subsequently sell access to cybercriminals.
Targeted Sectors and Implications
The Iranian campaign primarily targets the healthcare and public health (HPH), government, IT, engineering, and energy sectors. These areas are not only crucial for national security but also for the everyday functioning of society. The advisory emphasizes the urgent need for organizations to bolster their cybersecurity measures, urging them to implement strong passwords and multi-factor authentication (MFA) to safeguard their systems.
This advisory follows closely on the heels of previous warnings from CISA and the FBI regarding Iranian threat actors targeting political organizations, aiming to undermine confidence in U.S. democratic institutions. Reports have also surfaced indicating that these actors are selling access to critical infrastructure to ransomware groups, further complicating the cybersecurity landscape.
Iranian Threat Actor Attack Techniques
Since October 2023, Iranian cyber operatives have increasingly utilized brute-force attacks, including password spraying and MFA ‘push bombing,’ to gain unauthorized access to user accounts. Password spraying tries a small number of common passwords against many accounts, staying under per-account lockout thresholds while exploiting weak passwords; push bombing floods a user with repeated MFA prompts until fatigue leads them to approve one.
Once access is obtained, the threat actors often modify MFA registrations to maintain persistent access. They probe compromised networks for additional credentials and elevated privileges, gathering information that can be sold to cybercriminals. The agencies noted that these findings stem from direct engagements with entities affected by this malicious activity, underscoring the real-world implications of these cyber threats.
Targeting Microsoft 365, Azure, and Citrix
The advisory details how hackers leverage valid user and group email accounts, often acquired through password spraying, to infiltrate systems like Microsoft 365, Azure, and Citrix. In instances where push notification-based MFA is enabled, attackers bombard legitimate users with MFA requests, banking on the likelihood that they will inadvertently accept a request during a moment of distraction.
Once inside, the threat actors take steps to secure their access by registering their devices with MFA, effectively locking out the legitimate user. In confirmed cases, they exploited open MFA registrations to register their devices, ensuring continued access to the compromised environment.
Advanced Techniques and Tools
The sophistication of these attacks is evident in the methods employed by the threat actors. They utilize Remote Desktop Protocol (RDP) for lateral movement within networks and have been observed using Microsoft Word to execute PowerShell commands for launching RDP binaries. Additionally, they perform Kerberos Service Principal Name (SPN) enumeration to gather credentials and leverage publicly available tools, such as DomainPasswordSpray.ps1 from GitHub, to conduct password spraying attacks.
The actors also employ living-off-the-land (LOTL) techniques, utilizing built-in Windows command-line tools to extract information about domain controllers and other critical components of the network infrastructure. Their ability to navigate and exploit Active Directory environments highlights the pressing need for organizations to enhance their security postures.
Indicators of Compromise
To combat these threats, the advisory provides a comprehensive list of indicators of compromise (IoCs) that organizations should monitor. These include:
- Authentication logs revealing login failures of valid accounts.
- Multiple failed authentication attempts across various accounts.
- Suspicious logins from IP addresses that do not align with a user’s geographic location.
- "Impossible travel" sign-ins (successive logins from locations too far apart to reach in the elapsed time) for users who are not on a VPN, since VPN use can otherwise produce the same pattern.
- Unusual activity in dormant accounts or privileged accounts following password resets.
Security teams are encouraged to scrutinize processes and command-line arguments that may indicate credential dumping, such as accessing or copying the ntds.dit file from a domain controller.
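As an added illustration of the account-level indicators above (not part of the advisory or this article), the following Python sketch runs two of those checks over constructed sign-in records: one source address failing against many distinct accounts within a short window, which is the password-spray signature, and a user's successful logins from two countries too close together to be physically possible. The record layout, field values and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (not from the advisory): (timestamp, account,
# source IP, country, result). One address fails against five accounts in
# seconds (spray); "dave" succeeds from two countries 25 minutes apart.
SIGNIN_LOG = [
    ("2024-10-01T08:55:00", "dave",  "198.51.100.2", "US", "SUCCESS"),
    ("2024-10-01T09:00:01", "alice", "203.0.113.7",  "NL", "FAIL"),
    ("2024-10-01T09:00:04", "bob",   "203.0.113.7",  "NL", "FAIL"),
    ("2024-10-01T09:00:08", "carol", "203.0.113.7",  "NL", "FAIL"),
    ("2024-10-01T09:00:11", "dave",  "203.0.113.7",  "NL", "FAIL"),
    ("2024-10-01T09:00:15", "erin",  "203.0.113.7",  "NL", "FAIL"),
    ("2024-10-01T09:20:00", "dave",  "203.0.113.7",  "NL", "SUCCESS"),
    ("2024-10-01T10:00:30", "alice", "198.51.100.9", "US", "SUCCESS"),
]

def _parsed(records):
    return [(datetime.fromisoformat(ts), *rest) for ts, *rest in records]

def detect_password_spray(records, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs whose failures hit >= min_accounts distinct accounts within
    `window`. Spraying never trips per-account lockouts; pivot on the IP."""
    fails = defaultdict(list)
    for ts, user, ip, _cc, result in _parsed(records):
        if result == "FAIL":
            fails[ip].append((ts, user))
    flagged = set()
    for ip, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hit = {u for ts, u in events[i:] if ts - start <= window}
            if len(hit) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def detect_impossible_travel(records, min_gap=timedelta(hours=2)):
    """Accounts with consecutive successes from different countries < min_gap apart."""
    logins = defaultdict(list)
    for ts, user, _ip, cc, result in _parsed(records):
        if result == "SUCCESS":
            logins[user].append((ts, cc))
    flagged = set()
    for user, events in logins.items():
        events.sort()
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 != c2 and t2 - t1 < min_gap:
                flagged.add(user)
    return flagged
```

Real deployments would read these fields from Entra ID or Active Directory sign-in logs and tune the thresholds to the organization's normal failure rates.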
Malicious File Hashes and Undetected Threats
The advisory also identifies two SHA-1 file hashes associated with the campaign, one of which went undetected by 72 out of 73 security tools before the advisory was released. This highlights a critical gap in current cybersecurity defenses, as even long-standing threats can evade detection.
The first hash, over five years old, raises concerns about the efficacy of existing security measures and the need for continuous updates to threat intelligence databases. Organizations must remain vigilant and proactive in their cybersecurity strategies to counteract these evolving threats.
Conclusion
The Iranian cyber campaign serves as a stark reminder of the persistent and evolving nature of cyber threats facing critical infrastructure. As organizations grapple with these challenges, the emphasis on strong passwords, multi-factor authentication, and continuous monitoring of systems cannot be overstated. By taking proactive measures and staying informed about the latest threat intelligence, organizations can better protect themselves against the growing tide of cybercrime and ensure the integrity of their operations in an increasingly interconnected world.