Iranian Hackers Target Microsoft 365, Citrix Systems with MFA Push Bombing

Iranian Hackers Target Microsoft 365, Citrix Systems with MFA Push Bombing

Iranian hackers are targeting critical infrastructure organizations with brute force tactics. This article explores their techniques, including MFA push bombing and credential theft. Learn how to protect your organization from these advanced threats and implement effective security measures.

A joint cybersecurity advisory issued by CISA, FBI, NSA, and international partners warns critical infrastructure organizations about Iranian hackers targeting their networks. These threat actors gain unauthorized access to critical infrastructure across various sectors, including healthcare, government, IT, engineering, and energy.

The attackers primarily rely on brute force tactics like password spraying exploiting common password combinations across multiple accounts to gain access. However, they also employ other methods for initial compromise, which are currently unknown.

According to the advisory, hackers have been using valid email accounts, often obtained through brute force, to gain initial access to Microsoft 365, Azure, and Citrix systems. In some instances, the actors exploit vulnerabilities in multi-factor authentication (MFA) by bombarding users with login requests until they accidentally approve access. This technique is known as “MFA fatigue” or “push bombing.”

In two confirmed cases, attackers exploited a compromised user’s open MFA registration and a self-service password reset tool linked to a public-facing Active Directory Federation Service. These threat actors may also take advantage of expired passwords or compromised accounts to gain initial access.

Credential Theft and Maintaining Persistence:

Once inside the network, the Iranian actors take steps to maintain persistent access. This often involves registering their own devices with MFA using compromised accounts to maintain access even if the legitimate user’s password is changed.

In addition, they leverage techniques like Remote Desktop Protocol (RDP) to move laterally within the network, allowing them to access additional resources and potentially escalate privileges.

The attackers utilize various methods to steal additional credentials within the network. This may involve using open-source tools to harvest credentials or exploiting vulnerabilities to access Active Directory information. They may also attempt to escalate privileges, potentially granting them higher levels of control within the system. This could allow them to manipulate or disrupt critical systems.

Living off the Land (LOTL): 

Iranian threat actors leverage legitimate system tools and techniques to gather information about the network and identify valuable targets. This approach, known as “living off the land,” allows them to evade detection by appearing as legitimate users.

The actors can use various Windows command-line tools to gather information about domain controllers, trusted domains, and user accounts. Additionally, they may use specific queries to search Active Directory for detailed information about network devices.

Avishai Avivi, CISO at SafeBreach, emphasizes that the CISA alert on Iranian cyber actors is a timely reminder, especially during cybersecurity awareness month, about the abuse of “MFA Exhaustion.” He warns that malicious actors hope users will mindlessly approve MFA requests. Avivi advises users to always verify MFA prompts to ensure they initiated the session, as attackers frequently test stolen credentials and aim to exploit MFA fatigue. Although the alert focuses on critical infrastructure, this diligence applies to protecting both personal and work accounts.

The End Goal

The primary goal of this campaign is believed to be credential theft and information gathering. Once they gain access, they can steal user credentials and internal network information. They may download files related to gaining remote access to the organization or its inventory. This information could then be used for further malicious activity such as data exfiltration or sold on cybercriminal forums.

The advisory recommends critical infrastructure organizations implement strong password policies and enforce multi-factor authentication (MFA) for all user accounts, and MFA settings should be regularly reviewed to prevent vulnerabilities.

  1. Censys Uncovers Hidden Infrastructure of Iranian Fox Kitten Group
  2. Iran’s MuddyWater APT Hits Saudis, Israelis with BugSleep Backdoor
  3. Iranian State Hackers Team Up with Ransomware Gangs to Attack US
  4. Dutch Man Deployed Stuxnet via Water Pump to Disable Iran’s Nukes
  5. Iran’s Peach Sandstorm Deploy FalseFont Backdoor in Defense Sector

Total
1
Shares
Related Posts