
Iranian Cyber Actors’ Brute Force and Credential Access Attacks: CISA Alert AA24-290A

Written by Sıla Özeren | Oct 18, 2024 10:23:07 AM

On October 16th, 2024, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Communications Security Establishment Canada (CSE), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD) jointly issued an urgent advisory [1]. This warning highlighted ongoing cyber activities by Iranian cyber actors targeting critical infrastructure across sectors like healthcare and public health (HPH), government, energy, and information technology. Iranian actors have been observed using brute force and multifactor authentication (MFA) push-bombing techniques to gain unauthorized access to organizational networks.

In this blog, we will discuss the tactics, techniques, and procedures (TTPs) used by Iranian cyber actors, and demonstrate how even long-disclosed vulnerabilities (CVE-2020-1472) with available patches can still be exploited to elevate privileges in compromised environments. This highlights the critical importance of continuous exposure management, particularly for industries handling sensitive or critical infrastructure.


Iranian Cyber Actors

Iranian cyber actors have been linked to a range of offensive cyber operations, particularly focusing on compromising critical infrastructure sectors worldwide. These actors are known for using techniques like brute force attacks and multifactor authentication (MFA) push-bombing to gain unauthorized access to networks. Once inside, they perform credential harvesting, lateral movement, and privilege escalation to maintain persistent access and further compromise their targets. They also exploit vulnerabilities such as Microsoft’s ZeroLogon (CVE-2020-1472) to elevate privileges [1].

These highly coordinated cyber campaigns target sectors like healthcare, government, energy, and technology. Their actions serve to destabilize critical services, steal sensitive information, and potentially disrupt the operations of essential infrastructure to advance Iran’s geopolitical goals by creating economic and political instability in the regions they target. 

The group’s campaigns extend across North America, Europe, and the Middle East, with their primary focus being to steal credentials and compromise services, leveraging built-in tools to move laterally and gather sensitive data from compromised networks.

Tactics, Techniques, and Procedures (TTPs) Used by Iranian Cyber Actors

Iranian cyber actors employ a systematic and highly organized approach to infiltrating and exploiting victim networks. Below is a summary of key TTPs observed in their operations, as mapped to the MITRE ATT&CK framework.

Reconnaissance

T1589 - Gathering Victim Identity Information

The attackers actively collected valid account credentials of potential targets, which they later used in brute-force or credential-stuffing attacks. By harvesting this identity information, the adversaries positioned themselves to launch unauthorized access attempts against critical systems.

Initial Access

T1078 - Valid Accounts 

The attackers utilized password spraying to compromise valid user and group email credentials, providing them with unauthorized access to organizational networks. 

T1078.004 - Valid Accounts: Cloud Accounts

In addition to local network access, the attackers targeted cloud environments such as Microsoft 365, Azure, and Okta by exploiting compromised accounts, allowing them to establish a foothold across multiple platforms.

T1133 - External Remote Services

They also took advantage of vulnerable, externally facing remote services, particularly in Citrix systems, to breach network perimeters and expand their access.

Execution

T1059.001 - Command and Scripting Interpreter: PowerShell

The attackers employed PowerShell commands to sustain and broaden their access within the network. Some of the specific PowerShell commands utilized by the adversaries are detailed in the Discovery section below.

Persistence

This section covers two different persistence techniques, each observed in a different compromised environment.

T1556.006 - Modify Authentication Process: Multi-Factor Authentication

In one incident, the attackers took advantage of a compromised user's open registration for Multi-Factor Authentication (MFA). Once inside the environment, they used the compromised account's ability to enroll MFA, effectively granting themselves persistent access. This allowed them to bypass future login challenges by binding their own authentication tokens to the compromised account.

T1098.005 - Device Registration

Next, adversaries registered their own devices to the compromised MFA system, further reinforcing their foothold. By associating trusted devices with the MFA process, they could access the environment repeatedly without triggering security alerts.

T1556 - Modify Authentication Process

In a separate case, the attackers exploited a Self-Service Password Reset (SSPR) tool that was linked to an externally accessible Active Directory Federation Services (ADFS) instance (ATT&CK T1484.002). After gaining initial access, they registered MFA through Okta for accounts that did not already have MFA enabled. This technique allowed them to modify the authentication process, granting themselves continued access while also making it harder for legitimate users or security teams to revoke their control.

Privilege Escalation

T1068 - Exploitation for Privilege Escalation: Zerologon (CVE-2020-1472)

The attackers exploited the Zerologon vulnerability (CVE-2020-1472), a critical flaw in Microsoft's Netlogon Remote Protocol [1]. By abusing a weakness in the cryptography of the Netlogon authentication handshake, an unauthenticated attacker with network access to a domain controller can impersonate the domain controller's own account over that connection and escalate privileges in the domain.

Despite being disclosed in August 2020 and receiving patches, Zerologon continues to be exploited in the wild. This highlights the importance of continuous exposure management, as threat actors target unpatched systems or environments lacking robust defenses against such vulnerabilities.

Credential Access

T1110.003 - Brute Force: Password Spraying

The attackers leveraged an open-source tool, DomainPasswordSpray.ps1, which they imported from GitHub (ATT&CK T1105) to carry out password spraying attacks [1].

This technique involved systematically attempting commonly used passwords across numerous accounts, targeting applications like Single Sign-On (SSO) for Microsoft Office 365.

T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting

The attackers utilized open-source tools to carry out Kerberos Service Principal Name (SPN) enumeration on multiple service accounts, obtaining Kerberos tickets encrypted with the weaker Rivest Cipher 4 (RC4) algorithm. RC4, despite being deprecated due to its vulnerabilities, is still used in many environments, making it an attractive target for attackers. The tickets encrypted with RC4 are easier to crack offline, allowing threat actors to extract credentials and escalate privileges. 
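As an added example (not code from the advisory or from Picus), the following Python shows two defender-side checks for the RC4 exposure described above: spotting accounts that obtained RC4 (encryption type 0x17) service tickets for many distinct SPNs in Windows 4769 events, and listing SPN-bearing accounts whose msDS-SupportedEncryptionTypes still permits RC4. The event records, account attributes and threshold are constructed sample data and assumptions.

```python
from collections import defaultdict

# Constructed sample Windows 4769 (service ticket request) events, reduced
# to the fields that matter here; not real telemetry.
TGS_REQUESTS = [
    {"user": "jdoe", "spn": "MSSQLSvc/db01.corp.example:1433", "etype": 0x17},
    {"user": "jdoe", "spn": "HTTP/app01.corp.example", "etype": 0x17},
    {"user": "jdoe", "spn": "CIFS/fs01.corp.example", "etype": 0x17},
    {"user": "jdoe", "spn": "MSSQLSvc/db02.corp.example:1433", "etype": 0x17},
    {"user": "asmith", "spn": "HTTP/app01.corp.example", "etype": 0x12},
    {"user": "svc-backup", "spn": "CIFS/fs01.corp.example", "etype": 0x12},
]

# Constructed service-account attributes as an LDAP query would return them
# (servicePrincipalName, msDS-SupportedEncryptionTypes); None means unset.
SERVICE_ACCOUNTS = [
    {"sam": "svc-sql", "spns": ["MSSQLSvc/db01.corp.example:1433"], "enctypes": 0x1C},
    {"sam": "svc-web", "spns": ["HTTP/app01.corp.example"], "enctypes": 0x18},
    {"sam": "svc-files", "spns": ["CIFS/fs01.corp.example"], "enctypes": None},
    {"sam": "jdoe", "spns": [], "enctypes": None},
]

# 4769 TicketEncryptionType values: 0x17 RC4-HMAC, 0x11 AES128, 0x12 AES256.
RC4_ETYPE = 0x17
# msDS-SupportedEncryptionTypes bit flags.
ENC_RC4, ENC_AES128, ENC_AES256 = 0x4, 0x8, 0x10

def rc4_ticket_requesters(events, threshold=3):
    """Accounts that obtained RC4 service tickets for >= threshold distinct
    SPNs. Roasting tools ask for RC4 on purpose because it cracks fastest;
    a normal user rarely touches that many services in RC4 at all."""
    spns = defaultdict(set)
    for e in events:
        if e["etype"] == RC4_ETYPE:
            spns[e["user"]].add(e["spn"])
    return {u: sorted(s) for u, s in spns.items() if len(s) >= threshold}

def rc4_exposed_service_accounts(accounts):
    """SPN-bearing accounts that will still be issued RC4 tickets: RC4 bit
    set, or attribute unset (assumed here to fall back to the legacy domain
    default, which is RC4). These are the ones to move to AES-only."""
    exposed = []
    for a in accounts:
        if not a["spns"]:
            continue  # no SPN: no service ticket can be requested for it
        et = a["enctypes"]
        if et is None or et & ENC_RC4:
            exposed.append(a["sam"])
    return exposed
```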

T1555 - Credentials from Password Stores

Attackers utilized the Cmdkey command to extract stored credentials from password stores. By executing the following command, the adversaries were able to display saved usernames and credentials cached in the system, which could then be leveraged for further unauthorized access.

Cmdkey /list

T1621 - Multi-Factor Authentication Request Generation

In some observed attacks, adversaries exploited push notification-based MFA by flooding legitimate users with repeated MFA requests, a tactic known as "MFA fatigue" or "push bombing". The attackers continuously sent MFA requests to the target’s mobile device, hoping that the overwhelmed or frustrated user would eventually approve the request either by mistake or simply to stop the barrage of notifications. Once the request is approved, the attackers gain unauthorized access, bypassing MFA protections.

This technique relies on exploiting human behavior rather than technical vulnerabilities, making it a potent method for compromising accounts.
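Password spraying (T1110.003, above) and push bombing share one detection shape: many distinct values for a single key inside a short time window (many target accounts per source address; many prompts per user). The following Python is an added example, not code from the advisory or from Picus; the failed-logon and MFA-prompt records are constructed, and the field layout, window and thresholds are assumptions to be tuned against real 4625 and identity-provider logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the advisory). Failed logons as
# (time, source IP, target account), in the spirit of Windows event 4625.
FAILED_LOGONS = [
    ("08:00:05", "203.0.113.7", "alice"), ("08:00:09", "203.0.113.7", "bob"),
    ("08:00:14", "203.0.113.7", "carol"), ("08:00:20", "203.0.113.7", "dave"),
    ("08:00:27", "203.0.113.7", "erin"), ("08:00:33", "203.0.113.7", "frank"),
    ("08:05:00", "198.51.100.2", "alice"), ("08:05:30", "198.51.100.2", "alice"),
    ("09:40:00", "203.0.113.7", "grace"),
]
# MFA push prompts as (time, account, prompt id), in the spirit of an IdP log.
MFA_PUSHES = [
    ("12:00:00", "alice", "p1"), ("12:00:40", "alice", "p2"), ("12:01:15", "alice", "p3"),
    ("12:01:50", "alice", "p4"), ("12:02:30", "alice", "p5"), ("12:03:10", "alice", "p6"),
    ("12:30:00", "bob", "p7"), ("17:00:00", "bob", "p8"),
]

def _t(hhmmss):
    return datetime.strptime(hhmmss, "%H:%M:%S")

def distinct_in_window(events, key, value, window, threshold):
    """Per key, slide a time window over that key's events and report keys
    where some window holds at least `threshold` distinct values.
    Returns {key: peak distinct count}."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key(e)].append((_t(e[0]), value(e)))
    flagged = {}
    for k, items in by_key.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            n = len({v for _, v in items[start:end + 1]})
            if n >= threshold:
                flagged[k] = max(flagged.get(k, 0), n)
    return flagged

def detect_password_spray(events=FAILED_LOGONS, window=timedelta(minutes=10), threshold=5):
    # One source failing against many *different* accounts is a spray; one
    # user retyping their own password is not, so distinct accounts is the count.
    return distinct_in_window(events, lambda e: e[1], lambda e: e[2], window, threshold)

def detect_push_bombing(events=MFA_PUSHES, window=timedelta(minutes=10), threshold=5):
    # Many prompts to the same account within minutes; a user signing in once
    # should receive one prompt, so each prompt id counts as a distinct value.
    return distinct_in_window(events, lambda e: e[1], lambda e: e[2], window, threshold)
```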

Lateral Movement

T1021.001 - Remote Desktop Protocol (RDP)

Adversaries used a creative method to execute RDP by leveraging Microsoft Word as a launch point. 

Specifically, they embedded a malicious script within a Word document that, when opened, invoked PowerShell. The PowerShell script then launched the RDP client binary (mstsc.exe) to establish a remote connection.

Discovery

The attackers employed Living off the Land (LOTL) techniques to gather information about the target environment, using built-in tools to discover key information about systems and networks.

T1018 - Remote System Discovery

The adversaries used the Nltest command to identify domain controllers and enumerate trusted domains [1]. This enabled the attackers to map out the network's domain infrastructure for further exploitation.

Nltest /dclist #list domain controllers
Nltest /domain_trusts #to discover trust relationships between domains
Nltest /domain_trusts/all_trusts

T1069.002 - Permission Groups Discovery: Domain Groups

To identify privileged accounts, the attackers leveraged the Net group command to enumerate members of high-privilege groups such as "Enterprise Admins" and "Domain Admins" [1]. 

Net group "Enterprise admins" /domain
Net group "Domain admins" /domain

T1059.001 - PowerShell LDAP Query

Furthering their discovery efforts, the actors used PowerShell to query Active Directory (AD) via the Lightweight Directory Access Protocol (LDAP). The following script was used to search for computers in the directory, retrieving their display names, operating systems, and distinguished names [1].

This allowed the attackers to identify key systems, particularly servers running specific operating systems, which could be targeted for deeper access:

# $i is never used; kept because it appears in the script as observed.
$i=0
# Resolve the current domain and build an LDAP path to its root.
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# String concatenation is '+' in PowerShell (the advisory's copy shows '.' here).
$L = 'LDAP://' + $D.Name
$D = [ADSI]$L
# LDAP filter: computer objects whose operatingSystem contains "serv" (i.e. Windows Server hosts).
$str = '(&(objectcategory=computer)(operatingSystem=*serv*))'
$s = [adsisearcher]$str
# Search from the domain root (the advisory's copy has '$L.$D.distinguishedName', which is not valid).
$s.SearchRoot = $D
$s.PropertiesToLoad.Add('cn') > $Null
$s.PropertiesToLoad.Add('operatingsystem') > $Null
# Print each matching computer's name and operating system.
Foreach ($CA in $s.FindAll()) {
    Write-Host $CA.Properties.Item('cn')
    $CA.Properties.Item('operatingsystem')
}

Command and Control

T1071.001 - Application Layer Protocol: Web Protocols

The attackers used msedge.exe to create outbound connections to Cobalt Strike Beacon command and control (C2) infrastructure, blending malicious traffic with legitimate web traffic to avoid detection. By using web protocols, they masked their activities within normal network traffic, complicating defensive efforts.

T1572 - Protocol Tunneling

The attackers also relied on virtual private network (VPN) services to tunnel their activity and obfuscate the origin of their connections. Several of the malicious IP addresses used by the attackers were linked to exit nodes of the Private Internet Access VPN service.

Exfiltration

T1005 - Data from Local System

Attackers accessed victim accounts and downloaded files related to remote access and the organization's inventory. These files were likely exfiltrated to maintain persistence in the network or to sell the information on underground markets.

References

[1] "Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations," Cybersecurity and Infrastructure Security Agency CISA. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a