Source |
RiskIQ |
Identifier |
8599427 |
Publication date |
2024-10-17 21:12:38 (viewed: 2024-10-17 21:16:39) |
Title |
Iranian Cyber Actors' Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations |
Text |
## Snapshot
The FBI, CISA, NSA, CSE, AFP, and ASD's ACSC released a joint cybersecurity advisory on Iranian cyber actors who have been targeting organizations across critical infrastructure sectors, including healthcare and public health, government, IT, engineering, and energy, since October 2023. The actors gain unauthorized access to networks through brute force attacks such as password spraying, and defeat multifactor authentication (MFA) with 'push bombing' (also called 'MFA fatigue'), repeatedly sending push prompts until a user approves one.
## Description
These actors initially infiltrate networks using valid user and group email accounts, often targeting Microsoft 365, Azure, Citrix, and Okta systems, and sometimes exploiting external-facing remote services. Once inside, they maintain persistence by registering their devices for MFA and manipulating accounts and authentication processes. For lateral movement within networks, the actors use Remote Desktop Protocol (RDP) and employ open-source tools for credential access, including Kerberos ticket enumeration and password spraying.
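The initial-access chain in the paragraph above (a spray against many accounts, push bombing of the one account whose password landed, then a new MFA device registered for persistence) is easier to hunt for when the three steps are correlated rather than alerted on separately. The following detection logic is an added example written for this page; it is not part of the advisory or of any Microsoft or RiskIQ tooling. The log lines are constructed, and the field names (`event`, `result`, `device`) and result values are assumptions modelled loosely on identity-provider sign-in and audit logs, so they would need mapping onto a real schema before use.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (JSON per line), not real telemetry; the field
# names and result values are an assumption, not any real provider's schema.
SAMPLE_LOG = """\
{"ts": "2024-10-17T08:30:00", "event": "signin", "user": "grace", "ip": "198.51.100.7", "result": "fail_password"}
{"ts": "2024-10-17T08:31:00", "event": "signin", "user": "grace", "ip": "198.51.100.7", "result": "fail_password"}
{"ts": "2024-10-17T08:33:00", "event": "signin", "user": "grace", "ip": "198.51.100.7", "result": "success"}
{"ts": "2024-10-17T08:40:00", "event": "mfa_method_registered", "user": "grace", "ip": "198.51.100.7", "device": "iPhone"}
{"ts": "2024-10-17T09:00:00", "event": "signin", "user": "alice", "ip": "203.0.113.10", "result": "fail_password"}
{"ts": "2024-10-17T09:01:00", "event": "signin", "user": "bob", "ip": "203.0.113.10", "result": "fail_password"}
{"ts": "2024-10-17T09:02:00", "event": "signin", "user": "carol", "ip": "203.0.113.10", "result": "fail_password"}
{"ts": "2024-10-17T09:03:00", "event": "signin", "user": "dave", "ip": "203.0.113.10", "result": "fail_password"}
{"ts": "2024-10-17T09:04:00", "event": "signin", "user": "erin", "ip": "203.0.113.10", "result": "fail_password"}
{"ts": "2024-10-17T09:05:00", "event": "signin", "user": "erin", "ip": "203.0.113.10", "result": "mfa_denied"}
{"ts": "2024-10-17T09:06:00", "event": "signin", "user": "erin", "ip": "203.0.113.10", "result": "mfa_timeout"}
{"ts": "2024-10-17T09:07:00", "event": "signin", "user": "erin", "ip": "203.0.113.10", "result": "mfa_denied"}
{"ts": "2024-10-17T09:08:00", "event": "signin", "user": "erin", "ip": "203.0.113.10", "result": "mfa_denied"}
{"ts": "2024-10-17T09:09:00", "event": "signin", "user": "erin", "ip": "203.0.113.10", "result": "mfa_timeout"}
{"ts": "2024-10-17T09:10:00", "event": "signin", "user": "erin", "ip": "203.0.113.10", "result": "success"}
{"ts": "2024-10-17T09:25:00", "event": "mfa_method_registered", "user": "erin", "ip": "203.0.113.10", "device": "Samsung SM-A715F"}
"""

def parse_log(text):
    """Parse JSON-lines text into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_password_spray(events, min_accounts=5, max_per_account=2,
                          window=timedelta(minutes=30)):
    """Source IPs failing password auth against many accounts, few tries each,
    inside one window: a spray rather than a single-account brute force."""
    fails = defaultdict(lambda: defaultdict(list))  # ip -> user -> [ts, ...]
    for ev in events:
        if ev["event"] == "signin" and ev["result"] == "fail_password":
            fails[ev["ip"]][ev["user"]].append(ev["ts"])
    findings = {}
    for ip, per_user in fails.items():
        stamps = [t for ts in per_user.values() for t in ts]
        if (len(per_user) >= min_accounts
                and max(len(ts) for ts in per_user.values()) <= max_per_account
                and max(stamps) - min(stamps) <= window):
            findings[ip] = sorted(per_user)
    return findings

def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Accounts getting >= threshold denied/timed-out pushes in a sliding window
    (push bombing), and whether a success followed within the window."""
    pushes = defaultdict(list)  # user -> [ts, ...], already time-ordered
    for ev in events:
        if ev["event"] == "signin" and ev["result"] in ("mfa_denied", "mfa_timeout"):
            pushes[ev["user"]].append(ev["ts"])
    findings = {}
    for user, stamps in pushes.items():
        best = max(sum(1 for t in stamps[i:] if t - start <= window)
                   for i, start in enumerate(stamps))
        if best >= threshold:
            approved = any(ev["event"] == "signin" and ev["user"] == user
                           and ev["result"] == "success"
                           and stamps[0] <= ev["ts"] <= stamps[-1] + window
                           for ev in events)
            findings[user] = {"pushes": best, "approved_after": approved}
    return findings

def detect_mfa_registration_after_access(events, suspect_ips,
                                         window=timedelta(hours=24)):
    """New MFA methods registered within `window` after a successful sign-in
    from a suspect IP: the step where the actor enrols their own device."""
    successes = [ev for ev in events if ev["event"] == "signin"
                 and ev["result"] == "success" and ev["ip"] in suspect_ips]
    findings = []
    for ev in events:
        if ev["event"] == "mfa_method_registered" and any(
                s["user"] == ev["user"] and timedelta(0) <= ev["ts"] - s["ts"] <= window
                for s in successes):
            findings.append({"user": ev["user"], "ip": ev["ip"],
                             "device": ev.get("device"),
                             "registered_at": ev["ts"].isoformat()})
    return findings

def analyze(text=SAMPLE_LOG):
    """Chain the detections: spraying IPs feed the registration check."""
    events = parse_log(text)
    spray = detect_password_spray(events)
    return {"password_spray": spray,
            "mfa_fatigue": detect_mfa_fatigue(events),
            "mfa_registration_after_access":
                detect_mfa_registration_after_access(events, set(spray))}

if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

On the constructed input only `203.0.113.10` is flagged as a spraying source, `erin` as the push-bombed account (five pushes, then an approval), and erin's `Samsung SM-A715F` registration as persistence tied to that access; grace's two failed logins and later enrolment from a non-suspect IP are left alone. The thresholds are starting points, not tuned values: a low-and-slow spray spread over hours exceeds the 30-minute window, and keying the spray detector on source IP misses sprays distributed across the VPN exits the advisory says these actors use, so in practice the same logic is also worth running keyed on user agent or client ID.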
They attempt privilege escalation by exploiting vulnerabilities such as Zerologon (CVE-2020-1472) and by impersonating domain controllers. The actors also perform discovery with living-off-the-land (LOTL) techniques and PowerShell to gather information about domain controllers, trusted domains, administrator accounts, and system configuration. Command and control is conducted over web protocols, including Cobalt Strike Beacon C2 infrastructure, and the actors frequently route their activity through VPN services such as Private Internet Access to mask its origin.
The advisory notes that some of the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) may be tied to third-party actors who purchased access from the Iranian group, cautioning against attributing all activity to the Iranian actors based solely on TTPs and IOCs. Specific hashes and a range of IP addresses have been associated with this malicious activity, with the understanding that these IPs may host valid domains and are often changed by cyber actors. Devices such as the Samsung Galaxy A71 (SM-A715F), Samsung SM-G998B, and Samsung SM-M205F have been registered with MFA in relation to these activities.
## Recommendations
Recommendations to help prevent Kerberoasting from succeeding
Microsoft recommends that IT administrators take the following steps to help harden their environments against Kerberoasting:
- Use Group Managed Service Accounts (gMSA) or Delegated Managed Service Accounts (dMSA) wherever possible:
- These accounts are ideal for multi-server applications that require centralized credential management and enhanced security against credential-based attacks, such as IIS, SQL Server, or other Windows services running in a domain-joined environment.
- [Group Managed Service Account (gMSA)](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/group-managed-service-accounts/group-managed-service-accounts/group-managed-service-accounts-overview) is an Active Directory account type that allows multiple servers or services to use the same account with automatic password management and simplified SPN handling. Passwords for gMSAs are 120 characters long, complex, and randomly generated, making them highly resistant to brute-force cyberattacks using currently known methods.
- [Delegated Managed Service Accounts (dMSA)](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/delegated-managed-service-accounts/delegated-managed-service-accounts-overview) are the newest iteration of managed service accounts, available on Windows Server 2025. Like gMSAs, they restrict which machines can make use of the accounts and they provide the same password mitigations against Kerberoasting. However, unlike gMSAs, dMSAs have the added benefit of supporting seamless migration of standalone service accounts with passwords to the dMSA account type. They can also be optionally integrat |
Notes |
★★★
|
Sent |
Yes |
Tags |
Tool
Vulnerability
Medical
|