Iranian Cyber Actors Use Brute Force to Compromise Critical Infrastructure Organizations

    Date: 10/17/2024

    Severity: High

    Summary

    A joint advisory from various U.S. and Canadian cybersecurity agencies warns that Iranian cyber actors are using brute force techniques, including password spraying and multifactor authentication (MFA) ‘push bombing,’ to compromise organizations in critical infrastructure sectors such as healthcare, government, and energy. These actors modify MFA registrations for persistent access and conduct network discovery to gather additional credentials. The information they obtain is likely sold on cybercriminal forums for further malicious activities.

    Indicators of Compromise (IOC) List

    IP Address

    95.181.234.12

    95.181.234.25

    173.239.232.20

    172.98.71.191

    102.129.235.127

    188.126.94.60

    149.40.50.45

    181.214.166.59

    212.102.39.212

    149.57.16.134

    149.57.16.137

    102.129.235.186

    46.246.8.138

    149.57.16.160

    149.57.16.37

    46.246.8.137

    212.102.57.29

    46.246.8.82

    95.181.234.15

    45.88.97.225

    84.239.45.17

    46.246.8.104

    37.46.113.206

    46.246.3.186

    46.246.8.141

    46.246.8.17

    37.19.197.182

    154.16.192.38

    102.165.16.127

    46.246.8.47

    46.246.3.225

    46.246.3.226

    46.246.3.240

    191.101.217.10

    102.129.153.182

    46.246.3.196

    102.129.152.60

    156.146.60.74

    191.96.227.113

    191.96.227.122

    181.214.166.132

    188.126.94.57

    154.6.13.144

    154.6.13.151

    188.126.94.166

    89.149.38.204

    46.246.8.67

    46.246.8.53

    154.16.192.37

    191.96.150.14

    191.96.150.96

    46.246.8.10

    84.239.25.13

    154.6.13.139

    191.96.106.33

    191.96.227.159

    149.57.16.150

    191.96.150.21

    46.246.8.84

    95.181.235.8

    191.96.227.102

    46.246.122.185

    146.70.102.3

    46.246.3.233

    46.246.3.239

    188.126.89.35

    46.246.3.223

    46.246.3.245

    191.96.150.50

Hash (SHA-1)

    1F96D15B26416B2C7043EE7172357AF3AFBB002A

    3D3CDF7CFC881678FEBCAFB26AE423FE5AA4EFEC

    Devices

    Samsung Galaxy A71 (SM-A715F)
    Samsung SM-G998B
    Samsung SM-M205F

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    dstipaddress IN ("95.181.234.12","95.181.234.25","173.239.232.20","172.98.71.191","102.129.235.127","188.126.94.60","149.40.50.45","181.214.166.59","212.102.39.212","149.57.16.134","149.57.16.137","102.129.235.186","46.246.8.138","149.57.16.160","149.57.16.37","46.246.8.137","212.102.57.29","46.246.8.82","95.181.234.15","45.88.97.225","84.239.45.17","46.246.8.104","37.46.113.206","46.246.3.186","46.246.8.141","46.246.8.17","37.19.197.182","154.16.192.38","102.165.16.127","46.246.8.47","46.246.3.225","46.246.3.226","46.246.3.240","191.101.217.10","102.129.153.182","46.246.3.196","102.129.152.60","156.146.60.74","191.96.227.113","191.96.227.122","181.214.166.132","188.126.94.57","154.6.13.144","154.6.13.151","188.126.94.166","89.149.38.204","46.246.8.67","46.246.8.53","154.16.192.37","191.96.150.14","191.96.150.96","46.246.8.10","84.239.25.13","154.6.13.139","191.96.106.33","191.96.227.159","149.57.16.150","191.96.150.21","46.246.8.84","95.181.235.8","191.96.227.102","46.246.122.185","146.70.102.3","46.246.3.233","46.246.3.239","188.126.89.35","46.246.3.223","46.246.3.245","191.96.150.50") or ipaddress IN 
("95.181.234.12","95.181.234.25","173.239.232.20","172.98.71.191","102.129.235.127","188.126.94.60","149.40.50.45","181.214.166.59","212.102.39.212","149.57.16.134","149.57.16.137","102.129.235.186","46.246.8.138","149.57.16.160","149.57.16.37","46.246.8.137","212.102.57.29","46.246.8.82","95.181.234.15","45.88.97.225","84.239.45.17","46.246.8.104","37.46.113.206","46.246.3.186","46.246.8.141","46.246.8.17","37.19.197.182","154.16.192.38","102.165.16.127","46.246.8.47","46.246.3.225","46.246.3.226","46.246.3.240","191.101.217.10","102.129.153.182","46.246.3.196","102.129.152.60","156.146.60.74","191.96.227.113","191.96.227.122","181.214.166.132","188.126.94.57","154.6.13.144","154.6.13.151","188.126.94.166","89.149.38.204","46.246.8.67","46.246.8.53","154.16.192.37","191.96.150.14","191.96.150.96","46.246.8.10","84.239.25.13","154.6.13.139","191.96.106.33","191.96.227.159","149.57.16.150","191.96.150.21","46.246.8.84","95.181.235.8","191.96.227.102","46.246.122.185","146.70.102.3","46.246.3.233","46.246.3.239","188.126.89.35","46.246.3.223","46.246.3.245","191.96.150.50") or publicipaddress IN 
("95.181.234.12","95.181.234.25","173.239.232.20","172.98.71.191","102.129.235.127","188.126.94.60","149.40.50.45","181.214.166.59","212.102.39.212","149.57.16.134","149.57.16.137","102.129.235.186","46.246.8.138","149.57.16.160","149.57.16.37","46.246.8.137","212.102.57.29","46.246.8.82","95.181.234.15","45.88.97.225","84.239.45.17","46.246.8.104","37.46.113.206","46.246.3.186","46.246.8.141","46.246.8.17","37.19.197.182","154.16.192.38","102.165.16.127","46.246.8.47","46.246.3.225","46.246.3.226","46.246.3.240","191.101.217.10","102.129.153.182","46.246.3.196","102.129.152.60","156.146.60.74","191.96.227.113","191.96.227.122","181.214.166.132","188.126.94.57","154.6.13.144","154.6.13.151","188.126.94.166","89.149.38.204","46.246.8.67","46.246.8.53","154.16.192.37","191.96.150.14","191.96.150.96","46.246.8.10","84.239.25.13","154.6.13.139","191.96.106.33","191.96.227.159","149.57.16.150","191.96.150.21","46.246.8.84","95.181.235.8","191.96.227.102","46.246.122.185","146.70.102.3","46.246.3.233","46.246.3.239","188.126.89.35","46.246.3.223","46.246.3.245","191.96.150.50") or srcipaddress IN 
("95.181.234.12","95.181.234.25","173.239.232.20","172.98.71.191","102.129.235.127","188.126.94.60","149.40.50.45","181.214.166.59","212.102.39.212","149.57.16.134","149.57.16.137","102.129.235.186","46.246.8.138","149.57.16.160","149.57.16.37","46.246.8.137","212.102.57.29","46.246.8.82","95.181.234.15","45.88.97.225","84.239.45.17","46.246.8.104","37.46.113.206","46.246.3.186","46.246.8.141","46.246.8.17","37.19.197.182","154.16.192.38","102.165.16.127","46.246.8.47","46.246.3.225","46.246.3.226","46.246.3.240","191.101.217.10","102.129.153.182","46.246.3.196","102.129.152.60","156.146.60.74","191.96.227.113","191.96.227.122","181.214.166.132","188.126.94.57","154.6.13.144","154.6.13.151","188.126.94.166","89.149.38.204","46.246.8.67","46.246.8.53","154.16.192.37","191.96.150.14","191.96.150.96","46.246.8.10","84.239.25.13","154.6.13.139","191.96.106.33","191.96.227.159","149.57.16.150","191.96.150.21","46.246.8.84","95.181.235.8","191.96.227.102","46.246.122.185","146.70.102.3","46.246.3.233","46.246.3.239","188.126.89.35","46.246.3.223","46.246.3.245","191.96.150.50")

    Detection Query 2

    sha1hash IN ("1F96D15B26416B2C7043EE7172357AF3AFBB002A","3D3CDF7CFC881678FEBCAFB26AE423FE5AA4EFEC")

    Detection Query 3

    Device IN ("Samsung Galaxy A71 (SM-A715F)","Samsung SM-G998B","Samsung SM-M205F")
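The three queries above match the advisory's atomic indicators (source IPs, file hashes, device models). The behaviours the summary describes, password spraying, MFA push bombing and a new MFA registration after a suspect login, are what you need to catch once the actors rotate infrastructure. The Python below is an added example for this page, not Gurucul TDIR or CISA code. It assumes a hypothetical JSON-lines authentication log with fields ts, event, user, src_ip and result, uses illustrative thresholds, and runs over constructed sample events; three of the IPs in IOC_IPS are taken from the list above.

```python
"""Behavioral detections for the techniques in the advisory summary.
Added example, not Gurucul TDIR or CISA code. The JSON-lines schema (ts, event,
user, src_ip, result) and the thresholds are assumptions; sample events are constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Three source IPs taken from the advisory's IOC list on this page.
IOC_IPS = {"95.181.234.12", "46.246.8.138", "149.57.16.134"}

# Constructed sample: one IP sprays five accounts, the one that succeeds (erin) is
# push-bombed until she approves, then a new MFA device is registered for her from
# an advisory IOC IP. frank and the lone alice failure are benign noise.
SAMPLE_LOG = """\
{"ts":"2024-10-01T03:00:01Z","event":"login","user":"alice","src_ip":"203.0.113.7","result":"fail"}
{"ts":"2024-10-01T03:00:09Z","event":"login","user":"bob","src_ip":"203.0.113.7","result":"fail"}
{"ts":"2024-10-01T03:00:17Z","event":"login","user":"carol","src_ip":"203.0.113.7","result":"fail"}
{"ts":"2024-10-01T03:00:25Z","event":"login","user":"dave","src_ip":"203.0.113.7","result":"fail"}
{"ts":"2024-10-01T03:00:33Z","event":"login","user":"erin","src_ip":"203.0.113.7","result":"fail"}
{"ts":"2024-10-01T03:01:00Z","event":"login","user":"erin","src_ip":"203.0.113.7","result":"success"}
{"ts":"2024-10-01T03:01:05Z","event":"mfa_push","user":"erin","src_ip":"203.0.113.7","result":"denied"}
{"ts":"2024-10-01T03:01:20Z","event":"mfa_push","user":"erin","src_ip":"203.0.113.7","result":"timeout"}
{"ts":"2024-10-01T03:01:35Z","event":"mfa_push","user":"erin","src_ip":"203.0.113.7","result":"denied"}
{"ts":"2024-10-01T03:01:50Z","event":"mfa_push","user":"erin","src_ip":"203.0.113.7","result":"timeout"}
{"ts":"2024-10-01T03:02:30Z","event":"mfa_push","user":"erin","src_ip":"203.0.113.7","result":"approved"}
{"ts":"2024-10-01T03:03:00Z","event":"login","user":"erin","src_ip":"95.181.234.12","result":"success"}
{"ts":"2024-10-01T03:05:00Z","event":"mfa_enroll","user":"erin","src_ip":"95.181.234.12","result":"success"}
{"ts":"2024-10-01T08:00:00Z","event":"login","user":"frank","src_ip":"198.51.100.9","result":"success"}
{"ts":"2024-10-01T08:00:10Z","event":"mfa_push","user":"frank","src_ip":"198.51.100.9","result":"approved"}
{"ts":"2024-10-01T09:00:00Z","event":"login","user":"alice","src_ip":"198.51.100.9","result":"fail"}
"""

def parse_events(text):
    """Parse JSON-lines auth events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def ioc_hits(events, iocs=IOC_IPS):
    """Events from an advisory indicator IP (the atomic match Query 1 performs)."""
    return [e for e in events if e["src_ip"] in iocs]

def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """IPs with failed logins against many accounts, few tries each, inside one window."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "fail":
            fails_by_ip[e["src_ip"]].append(e)
    flagged = {}
    for ip, fails in fails_by_ip.items():
        for i, start in enumerate(fails):          # sliding window over sorted failures
            per_user = defaultdict(int)
            for e in fails[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)
                break
    return flagged

def detect_push_bombing(events, window=timedelta(minutes=10), min_prompts=5):
    """Users hit by a burst of MFA push prompts, and whether one was finally approved."""
    pushes_by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            pushes_by_user[e["user"]].append(e)
    flagged = {}
    for user, pushes in pushes_by_user.items():
        for i, start in enumerate(pushes):
            burst = [p for p in pushes[i:] if p["ts"] - start["ts"] <= window]
            if len(burst) >= min_prompts:
                flagged[user] = {"prompts": len(burst),
                                 "approved": any(p["result"] == "approved" for p in burst)}
                break
    return flagged

def detect_mfa_enroll_after_suspect_login(events, spray_ips, lookback=timedelta(hours=24)):
    """MFA registrations by a user who logged in from an IOC or spraying IP shortly before."""
    suspect_ips = IOC_IPS | set(spray_ips)
    alerts = []
    for enroll in (e for e in events if e["event"] == "mfa_enroll"):
        for prior in events:
            if (prior["event"] == "login" and prior["result"] == "success"
                    and prior["user"] == enroll["user"] and prior["src_ip"] in suspect_ips
                    and timedelta(0) <= enroll["ts"] - prior["ts"] <= lookback):
                alerts.append((enroll["user"], enroll["src_ip"]))
                break
    return alerts

def run(text=SAMPLE_LOG):
    """Run every detection over one log and return a JSON-serialisable summary."""
    events = parse_events(text)
    spray = detect_password_spray(events)
    return {"ioc_hits": len(ioc_hits(events)), "password_spray": spray,
            "push_bombing": detect_push_bombing(events),
            "mfa_enroll_after_suspect_login": detect_mfa_enroll_after_suspect_login(events, spray)}
```

Calling run() on the constructed log flags 203.0.113.7 as a sprayer (five accounts, one attempt each), erin as push-bombed with an eventual approval, two IOC hits, and one MFA enrollment following a login from a suspect IP. The last check is the one worth keeping after the listed IPs go stale: a new MFA device registered minutes after a login from an address that was spraying is the persistence step the summary describes, and it needs no indicator feed at all. The thresholds are deliberately loose for the sample; tune them against your own failed-login baseline before alerting.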

    Reference: 

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a


    Tags

    CISA, Iran, Credential Theft, Government Services and Facilities, Healthcare and Public Health, Energy
