Brute Force from Iran to Critical Infrastructure


Subject: Brute Force from Iran to Critical Infrastructure

Tactics: TA0001 Initial Access

Technique: T1110.003 Brute Force: Password Spraying, T1589 Gather Victim Identity Information, T1078 Valid Accounts

Procedure:

The threat actors obtain valid user and group email accounts, often through brute force methods like password spraying [T1110.003], to gain initial access to the target’s network.

Vulnerability:

EAV0001 When adversaries interact with the environment or personas, they are vulnerable when they collect, observe, or manipulate system artifacts or information. Manipulated data may cause them to reveal behaviors, use additional or more advanced capabilities against the target, and/or impact their dwell time.

EAV0002 When adversaries interact with the environment or personas, they are vulnerable to collecting, or in some way interacting with, manipulated or decoy data. In those cases the data may increase their tolerance for imperfections in the environment and improve the overall believability of the ruse.

Engagement Opportunity:

Organizations can deploy a fake network or server that simulates real-world vulnerabilities and human behaviors to engage the Iranian cyber actors, observe their TTPs, and gather intelligence on their tools and techniques.

Threat Actor: Iranian Cyber Actors

Threat Objective:

The actors aim to obtain credentials and network information, which they then sell on cybercriminal forums to other malicious actors.

Deception Opportunity:

Organizations can create a convincing decoy network with fabricated credentials and network information designed to look valuable. This could attract the threat actors, allowing the organization to study their exfiltration methods and potentially disrupt their operations.

Sensor Data Placement: User-Mode

Observable Level: Core to Some Implementations of (Sub-)Technique

Scoring Rationale:

Password spraying is the sub-technique itself (T1110.003), but only one of several implementations of the parent technique T1110 Brute Force, so the observable is core to some implementations rather than to every brute-force attempt. The data for this analytic comes from user-mode sources (authentication logs rather than kernel or hardware telemetry), which an actor with sufficient privilege can tamper with, so the reliability is moderate.

Link to Report: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a

Link to Report II.:

Additional Comments:

Detect brute force activity by reviewing authentication logs (Windows Security event 4625, application, VPN and webmail logon failures) for failed logons against valid accounts. Password spraying inverts the classic brute-force pattern: expect a few failures against many different accounts from the same source in a short window, not many failures against one account, so aggregate by source and count distinct target accounts rather than relying on per-account lockout counters. A successful logon from a source that has just sprayed is the strongest signal, since that account has become a valid account for the actor [T1078].

Possible elements: Deceptive User Account with Canary Tokens, Embedded Honeytokens
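
The detection guidance in the comments above and the deceptive user account listed under possible elements, as one runnable check. The Python below is an added example written for this page; it is not code from the CISA advisory or from MITRE Engage. It assumes a constructed, simplified authentication log (timestamp, OK/FAIL, user, source IP) of the kind a SIEM normalisation step would produce from Windows 4625/4624 or webmail logs, a hypothetical decoy-account list, and thresholds (5 distinct accounts, at most 2 failures each, a 30-minute window) that are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs): one normalised line per logon attempt.
# 203.0.113.10 sprays one guess across many accounts and then gets in as grace;
# 198.51.100.7 hammers a single account (classic brute force, not a spray);
# 192.0.2.55 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-10-01T08:00:01Z FAIL user=alice src=203.0.113.10
2024-10-01T08:00:04Z FAIL user=bob src=203.0.113.10
2024-10-01T08:00:07Z FAIL user=carol src=203.0.113.10
2024-10-01T08:00:10Z FAIL user=dave src=203.0.113.10
2024-10-01T08:00:13Z FAIL user=erin src=203.0.113.10
2024-10-01T08:00:16Z FAIL user=frank src=203.0.113.10
2024-10-01T08:00:19Z OK user=grace src=203.0.113.10
2024-10-01T08:05:00Z FAIL user=svc-backup-legacy src=203.0.113.10
2024-10-01T09:00:00Z FAIL user=alice src=198.51.100.7
2024-10-01T09:00:02Z FAIL user=alice src=198.51.100.7
2024-10-01T09:00:04Z FAIL user=alice src=198.51.100.7
2024-10-01T09:00:06Z FAIL user=alice src=198.51.100.7
2024-10-01T09:00:08Z FAIL user=alice src=198.51.100.7
2024-10-01T09:00:10Z FAIL user=alice src=198.51.100.7
2024-10-01T12:00:00Z FAIL user=bob src=192.0.2.55
2024-10-01T12:30:00Z OK user=bob src=192.0.2.55
"""

# Hypothetical decoy accounts (the "Deceptive User Account" element): they exist
# only to be tripped, so any attempt against them is an alert on its own.
DECOY_ACCOUNTS = {"svc-backup-legacy", "it-admin-old"}

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_events(text):
    """Parse the normalised log into dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"),
            "ok": m.group(2) == "OK",
            "user": m.group(3).lower(),
            "src": m.group(4),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Password spraying: one source, many distinct accounts, few failures each,
    inside the window. Many failures on one account is ordinary brute force and
    is deliberately not matched here (a lockout-based control already covers it)."""
    alerts = []
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1          # slide the window forward
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                window_start = fails[start]["ts"]
                # A success from the same source after the spray began is the
                # strongest signal: that account is now a valid account (T1078).
                compromised = sorted({e["user"] for e in events
                                      if e["ok"] and e["src"] == src and e["ts"] >= window_start})
                alerts.append({"type": "password_spray", "src": src,
                               "window_start": window_start,
                               "accounts": sorted(per_user),
                               "compromised_candidates": compromised})
                break               # one alert per source is enough
    return alerts


def detect_decoy_use(events, decoys=DECOY_ACCOUNTS):
    """Any logon attempt, failed or successful, that names a decoy account."""
    return [{"type": "decoy_account_touched", "user": e["user"], "src": e["src"],
             "ts": e["ts"], "success": e["ok"]}
            for e in events if e["user"] in decoys]


def run(text=SAMPLE_LOG):
    events = parse_events(text)
    return detect_spray(events) + detect_decoy_use(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed sample this raises one spray alert for 203.0.113.10 (five accounts, with grace as the candidate compromised account) and one decoy alert for svc-backup-legacy, while the six failures against alice from 198.51.100.7 are left to the lockout policy. Source IP is a weak pivot against an actor who rotates through proxies; in production, add the same aggregation keyed on user-agent or ASN.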

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# Example: IRANIAN CYBER ACTORS Attack Graph

[1]: Initial Access - Valid Accounts - Obtain valid user and group email accounts [T1078] often through brute force methods [T1110.003] (Core to Some Implementations of (Sub-)Technique)
[2]: Persistence - Account Manipulation: Device Registration [T1098.005] / Modify Authentication Process: Multi-Factor Authentication [T1556.006] - Register actor-controlled devices for MFA and modify MFA registrations to protect their access (Core to Adversary-Brought Tool)
[3]: Lateral Movement - Remote Services: Remote Desktop Protocol [T1021.001] - Use RDP for lateral movement (Core to Pre-Existing Tool)
[4]: Credential Access - Brute Force: Password Spraying [T1110.003] - Use brute force password spraying (Core to Sub-Technique or Technique)
[5]: Privilege Escalation - Exploitation for Privilege Escalation [T1068] - Exploit Microsoft's Netlogon privilege escalation vulnerability (CVE-2020-1472) (Core to Adversary-Brought Tool)
[6]: Discovery - Remote System Discovery [T1018] - Leverage Living off the Land (LOTL) to gain knowledge about the target systems and internal networks (Core to Some Implementations of (Sub-)Technique)
[7]: Command and Control - Application Layer Protocol: Web Protocols [T1071.001] - Use msedge.exe to make outbound connections likely to Cobalt Strike Beacon C2 infrastructure (Core to Adversary-Brought Tool)
[8]: Collection and Exfiltration - Ingress Tool Transfer [T1105] - Download files related to gaining remote access to the organization and to the organization's inventory (Core to Sub-Technique or Technique)

1 --> 2 (Lack of Multi-Factor Authentication)
2 --> 3 (Unrestricted RDP Access)
3 --> 4 (Weak Password Policies)
4 --> 5 (Vulnerable Netlogon Service)
5 --> 6 (Unmonitored System Activity)
6 --> 7 (Unrestricted Internet Access)
7 --> 8 (Lack of Data Loss Prevention)
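
The node and edge lines above follow the page's own MSG standard, so they can be machine-checked. The Python below is an added example written for this page, not tooling from MITRE or CISA: it parses a graph in that format, checks each bracketed ATT&CK ID against the technique name the node label claims, and reports which edge vulnerabilities are single points where closing one control breaks the whole chain. The embedded graph is a constructed, condensed copy in the MSG format; node 8 is deliberately labelled "Data from Local System" against T1105 (which is Ingress Tool Transfer; Data from Local System is T1005) so the check has something to report. The ATTACK_NAMES table covers only the IDs used on this page.

```python
import re

# ATT&CK Enterprise technique names for the IDs used on this page.
ATTACK_NAMES = {
    "T1078": "Valid Accounts",
    "T1110.003": "Brute Force: Password Spraying",
    "T1098.005": "Account Manipulation: Device Registration",
    "T1556.006": "Modify Authentication Process: Multi-Factor Authentication",
    "T1021.001": "Remote Services: Remote Desktop Protocol",
    "T1068": "Exploitation for Privilege Escalation",
    "T1018": "Remote System Discovery",
    "T1071.001": "Application Layer Protocol: Web Protocols",
    "T1105": "Ingress Tool Transfer",
}

# Constructed, condensed copy of the graph in MSG format. Node 8 carries a
# deliberate ID/name mismatch so check_names() has something to report.
MSG_TEXT = """\
[1]: Initial Access - Valid Accounts [T1078] - Obtain valid email accounts, often via password spraying [T1110.003] (Core to Some Implementations of (Sub-)Technique)
[2]: Persistence - Account Manipulation: Device Registration [T1098.005] - Register actor-controlled MFA devices (Core to Adversary-Brought Tool)
[3]: Lateral Movement - Remote Services: Remote Desktop Protocol [T1021.001] - Use RDP for lateral movement (Core to Pre-Existing Tool)
[4]: Credential Access - Brute Force: Password Spraying [T1110.003] - Spray additional accounts (Core to Sub-Technique or Technique)
[5]: Privilege Escalation - Exploitation for Privilege Escalation [T1068] - Exploit Netlogon CVE-2020-1472 (Core to Adversary-Brought Tool)
[6]: Discovery - Remote System Discovery [T1018] - LOTL enumeration of hosts and networks (Core to Some Implementations of (Sub-)Technique)
[7]: Command and Control - Application Layer Protocol: Web Protocols [T1071.001] - msedge.exe outbound to Cobalt Strike Beacon C2 (Core to Adversary-Brought Tool)
[8]: Collection and Exfiltration - Data from Local System [T1105] - Download remote-access and inventory files (Core to Sub-Technique or Technique)

1 --> 2 (Lack of Multi-Factor Authentication)
2 --> 3 (Unrestricted RDP Access)
3 --> 4 (Weak Password Policies)
4 --> 5 (Vulnerable Netlogon Service)
5 --> 6 (Unmonitored System Activity)
6 --> 7 (Unrestricted Internet Access)
7 --> 8 (Lack of Data Loss Prevention)
"""

TID_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")          # T1078, T1110.003
NODE_RE = re.compile(r"^\[(\d+)\]:\s*(.*)$")
EDGE_RE = re.compile(r"^(\d+)\s*-->\s*(\d+)\s*(.*)$")


def split_trailing_paren(s):
    """Split 'body (annotation)' where the annotation may itself contain
    parentheses, as in '(Core to Some Implementations of (Sub-)Technique)'."""
    s = s.strip()
    if not s.endswith(")"):
        return s, ""
    depth = 0
    for i in range(len(s) - 1, -1, -1):
        depth += 1 if s[i] == ")" else -1 if s[i] == "(" else 0
        if depth == 0:
            return s[:i].rstrip(), s[i + 1:-1]
    return s, ""


def parse_msg(text):
    """Return ({node_id: {tactic, label, level, techniques}}, [(src, dst, vuln)])."""
    nodes, edges = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        m = NODE_RE.match(line)
        if m:
            body, level = split_trailing_paren(m.group(2))
            tactic, _, label = body.partition(" - ")
            nodes[int(m.group(1))] = {"tactic": tactic, "label": label, "level": level,
                                      "techniques": TID_RE.findall(label)}
            continue
        m = EDGE_RE.match(line)
        if m:
            _, vuln = split_trailing_paren(m.group(3))
            edges.append((int(m.group(1)), int(m.group(2)), vuln))
    return nodes, edges


def check_names(nodes, names=ATTACK_NAMES):
    """(node, id, expected name) for every bracketed ID whose label does not
    mention the technique the ID actually denotes, or that is not in the table."""
    problems = []
    for nid, node in sorted(nodes.items()):
        for tid in node["techniques"]:
            expected = names.get(tid)
            if expected is None:
                problems.append((nid, tid, "unknown ID"))
            elif expected.split(": ")[-1].lower() not in node["label"].lower():
                problems.append((nid, tid, expected))
    return problems


def reachable(edges, start, target, closed=frozenset()):
    """Depth-first search using only edges whose vulnerability is not closed."""
    seen, stack = set(), [start]
    while stack:
        n = stack.pop()
        if n == target:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(d for s, d, v in edges if s == n and v not in closed)
    return False


def single_point_controls(edges, start, target):
    """Vulnerabilities whose closure alone disconnects start from target."""
    vulns = dict.fromkeys(v for _, _, v in edges)       # unique, in graph order
    return [v for v in vulns if not reachable(edges, start, target, closed={v})]
```

For the linear chain above every edge is a single point of control, which is the point of a sub-graph this shape: closing any one of the seven weaknesses (MFA enforcement being the earliest) breaks the path from initial access to exfiltration. The same functions work unchanged on a graph with parallel branches, where single_point_controls() narrows to the controls that cut every path.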

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
# [Procedure]
# return [Output]

# Example: IRANIAN CYBER ACTORS Pseudocode

function Initial_Access_Valid_Accounts(target_network):
# Obtain valid user and group email accounts [T1078] often through brute force methods [T1110.003]
# Gain initial access to the target’s network
return persistence_payload

function Persistence_Account_Manipulation(persistence_payload):
# Register actor-controlled devices for MFA [T1098.005] and modify MFA registrations [T1556.006]
# Establish persistent access
return lateral_movement_module

function Lateral_Movement_Remote_Services(lateral_movement_module):
# Use RDP for lateral movement [T1021.001]
# Move laterally within the network
return credential_access_tool

function Credential_Access_Brute_Force(credential_access_tool):
# Use brute force password spraying [T1110.003]
# Gather additional credentials
return privilege_escalation_exploit

function Privilege_Escalation_Exploitation(privilege_escalation_exploit):
# Exploit Microsoft's Netlogon privilege escalation vulnerability (CVE-2020-1472) [T1068]
# Gain elevated privileges
return discovery_tool

function Discovery_Remote_System(discovery_tool):
# Leverage Living off the Land (LOTL) to gain knowledge about the target systems and internal networks [T1018]
# Gather information about the network
return C2_communication_module

function Command_and_Control_Application_Layer_Protocol(C2_communication_module):
# Use msedge.exe to make outbound connections likely to Cobalt Strike Beacon C2 infrastructure [T1071.001]
# Establish command and control communication
return exfiltration_tool

function Collection_and_Exfiltration_Ingress_Tool_Transfer(exfiltration_tool):
# Download files related to gaining remote access to the organization and to the organization's inventory [T1105]
# Exfiltrate data from the network
return success
