Iranian Cyber Actors Compromise Critical Infrastructure Through Brute Force and Credential Access Activities | CISA

Keypoints

  • Iranian cyber actors are targeting multiple critical infrastructure sectors, including healthcare and public health (HPH), government, information technology, engineering, and energy.
  • Since October 2023, their techniques have included brute force, password spraying, and MFA push bombing.
  • Actors modify MFA registrations to maintain persistent access to victim environments.
  • Compromised information is likely sold on cybercriminal forums to facilitate further attacks.
  • The advisory provides actor TTPs and IOCs and encourages mitigation aligned to CPGs and NIST standards.
  • Recommended mitigations emphasize strong passwords, phishing-resistant MFA, MFA coverage, user training, and disabling insecure services.
  • Detection guidance focuses on suspicious logins, impossible travel, MFA anomalies, and credential-access indicators like ntds.dit access.
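Added example, not part of the advisory: a small Python detector that applies the detection guidance above to constructed authentication events, flagging password spraying (one source IP failing against many accounts), MFA push bombing (repeated challenges to one user) and an MFA device registered shortly after a spraying source logged in successfully (the device-registration persistence described in the advisory). The event schema, field names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, kind, user, source_ip); kinds: login_fail, login_ok, mfa_push, mfa_register
EVENTS = [
    ("2024-01-10T08:00:00", "login_fail", "frank", "198.51.100.9"),   # lone typo, benign
    ("2024-01-10T08:00:10", "login_ok", "frank", "198.51.100.9"),
    ("2024-01-10T09:00:01", "login_fail", "alice", "203.0.113.5"),
    ("2024-01-10T09:00:03", "login_fail", "bob", "203.0.113.5"),
    ("2024-01-10T09:00:05", "login_fail", "carol", "203.0.113.5"),
    ("2024-01-10T09:00:07", "login_fail", "dave", "203.0.113.5"),
    ("2024-01-10T09:00:09", "login_fail", "erin", "203.0.113.5"),
    ("2024-01-10T09:00:11", "login_ok", "erin", "203.0.113.5"),       # spray found a valid password
    ("2024-01-10T09:01:00", "mfa_push", "erin", "203.0.113.5"),
    ("2024-01-10T09:01:30", "mfa_push", "erin", "203.0.113.5"),
    ("2024-01-10T09:02:00", "mfa_push", "erin", "203.0.113.5"),
    ("2024-01-10T09:02:30", "mfa_push", "erin", "203.0.113.5"),       # user eventually approves
    ("2024-01-10T09:06:00", "mfa_register", "erin", "203.0.113.5"),   # new device enrolled for persistence
]

def _ts(s):
    return datetime.fromisoformat(s)

def detect_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Password spraying: one source IP failing against many distinct accounts inside the window."""
    fails = defaultdict(list)
    for t, kind, user, ip in events:
        if kind == "login_fail":
            fails[ip].append((_ts(t), user))
    return {ip for ip, items in fails.items()
            if any(len({u for t, u in items if timedelta(0) <= t - start <= window}) >= min_users
                   for start, _ in items)}

def detect_push_bombing(events, min_pushes=4, window=timedelta(minutes=10)):
    """MFA push bombing (MFA request generation): repeated challenges to one user in a short window."""
    pushes = defaultdict(list)
    for t, kind, user, _ in events:
        if kind == "mfa_push":
            pushes[user].append(_ts(t))
    return {u for u, ts in pushes.items()
            if any(sum(1 for t in sorted(ts)[i:] if t - start <= window) >= min_pushes
                   for i, start in enumerate(sorted(ts)))}

def detect_registration_after_spray(events, spray_ips, window=timedelta(hours=24)):
    """MFA device registration soon after a successful login from an IP already flagged for spraying."""
    first_ok = {}
    for t, kind, user, ip in events:
        if kind == "login_ok" and ip in spray_ips:
            first_ok[(user, ip)] = min(_ts(t), first_ok.get((user, ip), _ts(t)))
    return {user for t, kind, user, ip in events
            if kind == "mfa_register" and (user, ip) in first_ok
            and timedelta(0) <= _ts(t) - first_ok[(user, ip)] <= window}
```

In production the same three checks would run over identity-provider sign-in and MFA audit logs rather than a constructed list, with thresholds tuned to the tenant's normal failure and challenge rates.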

MITRE Techniques

  • [T1589] Gather Victim Identity Information – The actors likely gathered victim information. ‘The actors likely conduct reconnaissance operations to gather victim identity information.’
  • [T1588.002] Obtain Capabilities: Tool – The actors obtained a password spray tool through an open-source repository. ‘The actors obtained a password spray tool through an open-source repository.’
  • [T1078] Valid Accounts – Password spraying to obtain valid credentials for network access. ‘The actors used password spraying to obtain valid user and group email account credentials, allowing them access to the network.’
  • [T1078.004] Valid Accounts: Cloud Accounts – Access via cloud accounts for initial access. ‘The actors used accounts hosted on Microsoft 365, Azure, and Okta cloud environments as additional methods for initial access.’
  • [T1133] External Remote Services – Exploiting Citrix external services for initial access. ‘The actors exploited Citrix systems’ external-facing remote services as another method for gaining initial access to the system.’
  • [T1059.001] PowerShell – Using PowerShell to maintain and expand access. ‘The actors used PowerShell commands to maintain and expand access.’
  • [T1098.005] Account Manipulation: Device Registration – Registering devices to MFA to maintain access. ‘In two confirmed compromises, the actors leveraged a compromised user’s open registration for MFA to register the actor’s own device to access the environment.’
  • [T1556] Modify Authentication Process – Public-facing AD Federation Service to reset expired passwords. ‘The actors used a public facing Active Directory Federation Service (ADFS) domain to reset the passwords of expired accounts.’
  • [T1556.006] Modify Authentication Process: Multi-Factor Authentication – MFA bypass methods to defeat MFA defenses. ‘MFA bypass method, such as Multi-Factor Authentication Request Generation, providing the ability to modify or completely disable MFA defenses.’
  • [T1068] Exploitation for Privilege Escalation – Domain controller impersonation via Netlogon vulnerability CVE-2020-1472. ‘The actors attempted impersonation of the domain controller likely by exploiting CVE-2020-1472, Microsoft’s Netlogon Privilege Escalation vulnerability.’
  • [T1484.002] Domain or Tenant Policy Modification: Trust Modification – Reactivating accounts via ADFS password reset tool and MFA enrollment. ‘The actors leveraged a public-facing ADFS password reset tool to reactivate inactive accounts, allowing the actor to authenticate and enroll their devices as any user in the AD managed by the victim tenant.’
  • [T1021.001] Remote Desktop Protocol – RDP used for lateral movement; MSTSC launched via Word/PowerShell. ‘The actors used Microsoft Word to open PowerShell to launch the RDP binary mstsc.exe.’
  • [T1005] Data from Local System – Downloading files related to remote access and inventory. ‘The actors downloaded files related to remote access methods and the organization’s inventory.’
  • [T1071.001] Web Protocols – Outbound connections to Cobalt Strike Beacon C2 via msedge.exe. ‘The actors used msedge.exe to make outbound connections likely to Cobalt Strike Beacon C2 infrastructure.’
  • [T1105] Ingress Tool Transfer – Importing a tool from GitHub for password spraying. ‘The actors imported a tool from GitHub and used it to conduct password spraying.’
  • [T1572] Protocol Tunneling – VPN usage for targeting. ‘The actors frequently conduct targeting using a virtual private network (VPN).’
  • [T1018] Remote System Discovery – LOTL (living off the land) to gather domain controller info. ‘The actors used living off the land (LOTL) to gain knowledge about the target systems and internal networks.’
  • [T1069.002] Domain Groups – Discovery of domain admins via LOTL. ‘Permission Groups Discovery: Domain Groups’ (LOTL used to return lists of domain administrators and enterprise administrators).
  • [T1069.003] Cloud Groups – Discovery of cloud-admin groups via LOTL. ‘Permission Groups Discovery: Cloud Groups’ (LOTL used to return lists of domain administrators and enterprise administrators).
  • [T1082] System Information Discovery – Querying AD for computer display names, OS, and descriptions. ‘System Information Discovery’ with LDAP queries to enumerate computers.
  • [T1087.002] Account Discovery: Domain Account – Listing domain admins via LOTL.
  • [T1202] Indirect Command Execution – Using Word to start PowerShell to launch commands. ‘Indirect Command Execution’ examples via Word/PowerShell.

Indicators of Compromise

  • [IP Address] Network Indicators – 95.181.234.12, 95.181.234.25, 173.239.232.20, 172.98.71.191, and other IPs observed during 2023–2024.
  • [Hash] Malicious Files – 1F96D15B26416B2C7043EE7172357AF3AFBB002A, 3D3CDF7CFC881678FEBCAFB26AE423FE5AA4EFEC, and additional hashes listed in the appendix.
  • [Device] MFA-Registered Devices – Samsung Galaxy A71 (SM-A715F), Samsung SM-G998B, Samsung SM-M205F.

Read more: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a