Threats Feed | Unknown | Last Updated: 24/01/2025 | Author: Certfa Radar | Publish Date: 16/10/2024

Brute Force and MFA Push Bombing Tactics Used in Iranian Cyber Campaign

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Brute-force, Compromised Credentials, Vulnerability Exploitation, Phishing
  • Attack Complexity: High
  • Threat Risk: High Impact / High Probability

Threat Overview

Iranian cyber actors targeted critical infrastructure organisations in the United States, Canada and Australia, including the healthcare, government, energy and information technology sectors. To obtain valid accounts they used password spraying (a few common passwords tried across many accounts, which stays under per-account lockout thresholds) and MFA push bombing (also called MFA fatigue: repeated authenticator push prompts sent to a user whose password is already known, until one is approved). The compromised accounts were then used to reach systems such as Microsoft 365, Azure and Citrix. Once inside, the actors harvested further credentials with open-source tooling, including Kerberos SPN enumeration (the precursor to Kerberoasting) and dumps of Active Directory. In some cases they attempted to exploit the Netlogon privilege-escalation vulnerability (Zerologon, CVE-2020-1472). They also ran discovery with living-off-the-land tools to enumerate domain controllers, trusted domains and administrative accounts.
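Both initial-access techniques in the overview leave distinctive patterns in sign-in telemetry, and those are the first thing to check. The Python below is an added example written for this page, not code from Certfa Radar or from the advisory it summarises. It runs two detections over constructed sign-in events; the event format, result labels, user names and IP addresses are all assumptions made for the example. Password spraying shows up as one source IP failing against many distinct accounts while touching each only once or twice; push bombing shows up as a burst of denied or timed-out MFA pushes for one account, and an approval right after such a burst is the case to treat as a compromised account rather than a near miss.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in telemetry (not from the advisory or this page).
# One event per line: UTC timestamp, user, source IP, result. Result labels
# are an assumption for this example: failure = password rejected,
# mfa_denied = push rejected or timed out, mfa_approved = push approved,
# success = authentication completed.
SAMPLE_SIGNIN_LOG = """\
2024-10-16T09:00:01Z,alice,203.0.113.7,failure
2024-10-16T09:00:09Z,bob,203.0.113.7,failure
2024-10-16T09:00:17Z,carol,203.0.113.7,failure
2024-10-16T09:00:25Z,dave,203.0.113.7,failure
2024-10-16T09:00:33Z,erin,203.0.113.7,failure
2024-10-16T09:00:41Z,frank,203.0.113.7,failure
2024-10-16T09:01:02Z,frank,203.0.113.7,success
2024-10-16T09:10:00Z,grace,192.0.2.10,failure
2024-10-16T09:10:30Z,grace,192.0.2.10,failure
2024-10-16T09:11:00Z,grace,192.0.2.10,success
2024-10-16T13:00:00Z,frank,198.51.100.9,mfa_denied
2024-10-16T13:01:00Z,frank,198.51.100.9,mfa_denied
2024-10-16T13:02:00Z,frank,198.51.100.9,mfa_denied
2024-10-16T13:03:00Z,frank,198.51.100.9,mfa_denied
2024-10-16T13:04:00Z,frank,198.51.100.9,mfa_approved
2024-10-16T15:00:00Z,grace,192.0.2.10,mfa_denied
2024-10-16T15:30:00Z,grace,192.0.2.10,mfa_approved
"""


def parse_events(text):
    """Parse the CSV-style lines above into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result})
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events, window=timedelta(minutes=60),
                          min_users=5, max_per_user=2):
    """One source IP fails against many distinct accounts inside the window
    while hitting each account only a few times (stays under lockout)."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_ip[e["ip"]].append(e)
    hits = {}
    for ip, fails in failures_by_ip.items():
        for start in fails:                      # slide a window from each failure
            end = start["time"] + window
            per_user = defaultdict(int)
            for f in fails:
                if start["time"] <= f["time"] < end:
                    per_user[f["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits.setdefault(ip, set()).update(per_user)
    return {ip: sorted(users) for ip, users in hits.items()}


def detect_push_bombing(events, window=timedelta(minutes=10), min_denials=3):
    """A burst of denied/timed-out MFA pushes for one account. Also records
    whether an approval followed the burst: that is the fatigue-attack success
    case, and the account should then be treated as compromised."""
    mfa_by_user = defaultdict(list)
    for e in events:
        if e["result"] in ("mfa_denied", "mfa_approved"):
            mfa_by_user[e["user"]].append(e)
    hits = {}
    for user, mfa in mfa_by_user.items():
        denials = [e for e in mfa if e["result"] == "mfa_denied"]
        for start in denials:
            burst = [d for d in denials
                     if start["time"] <= d["time"] < start["time"] + window]
            if len(burst) < min_denials:
                continue
            last = burst[-1]["time"]             # events are time-sorted
            approved_after = any(e["result"] == "mfa_approved"
                                 and last <= e["time"] < last + window
                                 for e in mfa)
            prev = hits.get(user, {"denials": 0, "approved_after": False})
            hits[user] = {"denials": max(prev["denials"], len(burst)),
                          "approved_after": prev["approved_after"] or approved_after}
    return hits


def analyze(log_text=SAMPLE_SIGNIN_LOG):
    """Run both detections and return their findings keyed by technique."""
    events = parse_events(log_text)
    return {"password_spray": detect_password_spray(events),
            "push_bombing": detect_push_bombing(events)}
```

On the sample data, analyze() flags 203.0.113.7 for spraying six accounts and frank for four denied pushes followed by an approval, while grace's two password failures and single denied push from the same internal address trip neither rule. The thresholds are starting points, not tuned values: raise min_users where a shared NAT egress produces benign multi-user failures, and adapt the split in parse_events to the fields of whatever export (cloud sign-in logs, Citrix Gateway authentication logs) is actually available.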

Detected Targets

Type   | Description                      | Confidence
Sector | Government Agencies and Services | Verified
Sector | Information Technology           | Verified
Sector | Energy                           | Verified
Sector | Healthcare                       | Verified
Region | Australia                        | Verified
Region | Canada                           | Verified
Region | United States                    | Verified

Exploited Vulnerabilities

Extracted IOCs

  • 1f96d15b26416b2c7043ee7172357af3afbb002a
  • 3d3cdf7cfc881678febcafb26ae423fe5aa4efec
  • 102[.]129.152.60
  • 102[.]129.153.182
  • 102[.]129.235.127
  • 102[.]129.235.186
  • 102[.]165.16.127
  • 146[.]70.102.3
  • 149[.]40.50.45
  • 149[.]57.16.134
  • 149[.]57.16.137
  • 149[.]57.16.150
  • 149[.]57.16.160
  • 149[.]57.16.37
  • 154[.]16.192.37
  • 154[.]16.192.38
  • 154[.]6.13.139
  • 154[.]6.13.144
  • 154[.]6.13.151
  • 156[.]146.60.74
  • 172[.]98.71.191
  • 173[.]239.232.20
  • 181[.]214.166.132
  • 181[.]214.166.59
  • 188[.]126.89.35
  • 188[.]126.94.166
  • 188[.]126.94.57
  • 188[.]126.94.60
  • 191[.]101.217.10
  • 191[.]96.106.33
  • 191[.]96.150.14
  • 191[.]96.150.21
  • 191[.]96.150.50
  • 191[.]96.150.96
  • 191[.]96.227.102
  • 191[.]96.227.113
  • 191[.]96.227.122
  • 191[.]96.227.159
  • 212[.]102.39.212
  • 212[.]102.57.29
  • 37[.]19.197.182
  • 37[.]46.113.206
  • 45[.]88.97.225
  • 46[.]246.122.185
  • 46[.]246.3.186
  • 46[.]246.3.196
  • 46[.]246.3.223
  • 46[.]246.3.225
  • 46[.]246.3.226
  • 46[.]246.3.233
  • 46[.]246.3.239
  • 46[.]246.3.240
  • 46[.]246.3.245
  • 46[.]246.8.10
  • 46[.]246.8.104
  • 46[.]246.8.137
  • 46[.]246.8.138
  • 46[.]246.8.141
  • 46[.]246.8.17
  • 46[.]246.8.47
  • 46[.]246.8.53
  • 46[.]246.8.67
  • 46[.]246.8.82
  • 46[.]246.8.84
  • 84[.]239.25.13
  • 84[.]239.45.17
  • 89[.]149.38.204
  • 95[.]181.234.12
  • 95[.]181.234.15
  • 95[.]181.234.25
  • 95[.]181.235.8

Tip: 71 related IOCs (69 IPv4 addresses, defanged with [.], 0 domains, 0 URLs, 0 emails, 2 SHA-1 file hashes) are associated with this threat.
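To turn the defanged list above into something that can be run against local telemetry, the following added example (written for this page, not code from Certfa Radar or the advisory) refangs the [.] notation, classifies each indicator by shape as an IPv4 address or a 40-hex SHA-1 hash, and scans log lines for exact matches with boundary checks so that a longer number or hash does not produce a false hit. Only a subset of the page's indicators is embedded; the proxy, EDR and VPN log lines are constructed for the example and the IP addresses in them other than the indicators are documentation ranges.

```python
import ipaddress
import re

# A subset of the indicators listed above, kept in the feed's defanged form.
DEFANGED_IOCS = [
    "1f96d15b26416b2c7043ee7172357af3afbb002a",
    "3d3cdf7cfc881678febcafb26ae423fe5aa4efec",
    "102[.]129.152.60",
    "146[.]70.102.3",
    "46[.]246.8.10",
    "95[.]181.235.8",
]

# Lookarounds stop "1102.129.152.60" or an 64-hex SHA-256 from matching.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
SHA1_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])")

# Constructed log lines (not real telemetry). Line 3 carries the hash in
# upper case and line 6 an address that merely contains an indicator.
SAMPLE_LOG_LINES = [
    "2024-10-16T08:59:50Z proxy src=102.129.152.60 dst=login.microsoftonline.com action=allow",
    "2024-10-16T09:00:05Z proxy src=192.0.2.10 dst=login.microsoftonline.com action=allow",
    "2024-10-16T09:03:11Z edr host=WS01 file=update.exe sha1=1F96D15B26416B2C7043EE7172357AF3AFBB002A",
    "2024-10-16T09:04:00Z edr host=WS02 file=notepad.exe sha1=0000000000000000000000000000000000000000",
    "2024-10-16T09:05:00Z vpn src=46.246.8.10 user=frank action=connect",
    "2024-10-16T09:06:00Z proxy src=1102.129.152.60 dst=example.net action=allow",
]


def refang(indicator):
    """Undo the feed's [.] defanging so the value compares equal to raw logs."""
    return indicator.strip().replace("[.]", ".")


def classify(indicator):
    """Return (kind, normalised value); kind is ipv4, sha1 or unknown."""
    value = refang(indicator)
    try:
        return "ipv4", str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        pass
    if SHA1_RE.fullmatch(value):
        return "sha1", value.lower()
    return "unknown", value


def build_indicator_sets(defanged):
    """Bucket indicators by kind so each log token is a single set lookup."""
    sets = {"ipv4": set(), "sha1": set(), "unknown": set()}
    for ind in defanged:
        kind, value = classify(ind)
        sets[kind].add(value)
    return sets


def hunt(log_lines, sets):
    """Return (line_no, kind, value, line) for every indicator seen in the logs."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in sets["ipv4"]:
                hits.append((n, "ipv4", ip, line))
        for digest in SHA1_RE.findall(line):
            if digest.lower() in sets["sha1"]:
                hits.append((n, "sha1", digest.lower(), line))
    return hits


def run(log_lines=SAMPLE_LOG_LINES, defanged=DEFANGED_IOCS):
    return hunt(log_lines, build_indicator_sets(defanged))
```

Against the sample lines, run() returns three hits (lines 1, 3 and 5) and nothing for the all-zero hash or the address on line 6. Many of the listed addresses sit in commercial VPN ranges, so a match on its own is a lead to pivot from (which account, what followed) rather than a confirmed intrusion.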