{
	"id": "4f1bd572-a9eb-47ef-ab4d-aece0696c53e",
	"created_at": "2026-04-06T01:32:32.534994Z",
	"updated_at": "2026-04-10T03:21:01.234759Z",
	"deleted_at": null,
	"sha1_hash": "01303215802cb3abb59cee71d5effa60d6833873",
	"title": "Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 161138,
	"plain_text": "Iranian Cyber Actors’ Brute Force and Credential Access Activity\r\nCompromises Critical Infrastructure Organizations | CISA\r\nPublished: 2024-10-16 · Archived: 2026-04-06 00:16:25 UTC\r\nSummary\r\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the\r\nNational Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian\r\nFederal Police (AFP), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are\r\nreleasing this joint Cybersecurity Advisory to warn network defenders of Iranian cyber actors’ use of brute force\r\nand other techniques to compromise organizations across multiple critical infrastructure sectors, including the\r\nhealthcare and public health (HPH), government, information technology, engineering, and energy sectors. The\r\nactors likely aim to obtain credentials and information describing the victim’s network that can then be sold to\r\nenable access to cybercriminals.\r\nSince October 2023, Iranian actors have used brute force, such as password spraying, and multifactor\r\nauthentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations. The actors\r\nfrequently modified MFA registrations, enabling persistent access. The actors performed discovery on the\r\ncompromised networks to obtain additional credentials and identify other information that could be used to gain\r\nadditional points of access. The authoring agencies assess the Iranian actors sell this information on cybercriminal\r\nforums to actors who may use the information to conduct additional malicious activity.\r\nThis advisory provides the actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise\r\n(IOCs). 
The information is derived from FBI engagements with entities impacted by this malicious activity.\r\nThe authoring agencies recommend critical infrastructure organizations follow the guidance provided in the\r\nMitigations section. At a minimum, organizations should ensure all accounts use strong passwords and register a\r\nsecond form of authentication.\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 15. See the MITRE\r\nATT\u0026CK Tactics and Techniques section in Appendix A for a table of the actors’ activity mapped to MITRE\r\nATT\u0026CK tactics and techniques.\r\nOverview of Activity\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a\r\nPage 1 of 13\n\nThe actors likely conduct reconnaissance operations to gather victim identity [T1589] information. Once\r\nobtained, the actors gain persistent access to victim networks frequently via brute force [T1110]. After gaining\r\naccess, the actors use a variety of techniques to further gather credentials, escalate privileges, and gain information\r\nabout the entity’s systems and network. The actors also move laterally and download information that could assist\r\nother actors with access and exploitation.\r\nInitial Access and Persistence\r\nThe actors use valid user and group email accounts [T1078], frequently obtained via brute force such as\r\npassword spraying [T1110.003], although other times via unknown methods, to obtain initial access to Microsoft\r\n365, Azure [T1078.004], and Citrix systems [T1133]. In some cases where push notification-based MFA was\r\nenabled, the actors send MFA requests to legitimate users seeking acceptance of the request. 
This technique—\r\nbombarding users with mobile phone push notifications until the user either approves the request by accident or\r\nstops the notifications—is known as “MFA fatigue” or “push bombing” [T1621].\r\nOnce the threat actors gain access to an account, they frequently register their devices with MFA to protect their\r\naccess to the environment via the valid account:\r\nIn two confirmed compromises, the actors leveraged a compromised user’s open registration for MFA\r\n[T1556.006] to register the actor’s own device [T1098.005] to access the environment.\r\nIn another confirmed compromise, the actors used a self-service password reset (SSPR) tool associated\r\nwith a public-facing Active Directory Federation Service (ADFS) to reset the accounts with expired\r\npasswords [T1484.002] and then registered MFA through Okta for compromised accounts without MFA\r\nalready enabled [T1556] [T1556.006].\r\nThe actors frequently conduct their activity using a virtual private network (VPN) service [T1572]. Several of\r\nthe IP addresses in the actors’ malicious activity originate from exit nodes tied to the Private Internet Access VPN\r\nservice.\r\nLateral Movement\r\nThe actors use Remote Desktop Protocol (RDP) for lateral movement [T1021.001]. In one instance, the actors\r\nused Microsoft Word to open PowerShell to launch the RDP binary mstsc.exe [T1202].\r\nCredential Access\r\nThe actors likely use open-source tools and methodologies to gather more credentials. The actors performed\r\nKerberos Service Principal Name (SPN) enumeration of several service accounts and received Kerberos tickets\r\n[T1558.003]. In one instance, the actors used the Active Directory (AD) Microsoft Graph Application Program\r\nInterface (API) PowerShell application likely to perform a directory dump of all AD accounts. 
Also, the actors\r\nimported the tool [T1105] DomainPasswordSpray.ps1, which is openly available on GitHub [T1588.002],\r\nlikely to conduct password spraying. The actors also used the command Cmdkey /list, likely to display\r\nusernames and credentials [T1555].\r\nPrivilege Escalation\r\nIn one instance, the actors attempted impersonation of the domain controller, likely by exploiting Microsoft’s\r\nNetlogon (also known as “Zerologon”) privilege escalation vulnerability (CVE-2020-1472) [T1068].\r\nDiscovery\r\nThe actors leverage living off the land (LOTL) techniques to gain knowledge about the target systems and internal networks.\r\nThe actors used the following Windows command-line tools to gather information about domain controllers\r\n[T1018], trusted domains [T1482], lists of domain administrators, and enterprise administrators [T1087.002]\r\n[T1069.002] [T1069.003]:\r\nNltest /dclist\r\nNltest /domain_trusts\r\nNltest /domain_trusts /all_trusts\r\nNet group “Enterprise admins” /domain\r\nNet group “Domain admins” /domain\r\nNext, the actors used the following Lightweight Directory Access Protocol (LDAP) query in PowerShell\r\n[T1059.001] to search the AD for computer display names, operating systems, descriptions, and distinguished\r\nnames [T1082].\r\n$i=0\r\n$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()\r\n$L = 'LDAP://' + $D\r\n$D = [ADSI]$L\r\n# File-time cutoff: only computers that logged on within the last 90 days\r\n$Date = $((Get-Date).AddDays(-90).ToFileTime())\r\n# LDAP filter: computer objects whose OS name contains 'serv' and whose last logon is after the cutoff\r\n$str = '(\u0026(objectcategory=computer)(operatingSystem=*serv*)(|(lastlogon\u003e='+$Date+')(lastlogontimestamp\u003e='+$Date+')))'\r\n$s = [adsisearcher]$str\r\n$s.searchRoot = $L.$D.distinguishedName\r\n$s.PropertiesToLoad.Add('cn') \u003e $Null\r\n$s.PropertiesToLoad.Add('operatingsystem') \u003e $Null\r\n$s.PropertiesToLoad.Add('description') \u003e $Null\r\n$s.PropertiesToLoad.Add('distinguishedName') \u003e $Null\r\nForeach ($CA in $s.FindAll()) {\r\n    Write-Host $CA.Properties.Item('cn')\r\n    $CA.Properties.Item('operatingsystem')\r\n    $CA.Properties.Item('description')\r\n    $CA.Properties.Item('distinguishedName')\r\n    $i++\r\n}\r\nWrite-Host Total servers: $i\r\nCommand and Control\r\nOn one occasion, using msedge.exe, the actors likely made outbound connections to Cobalt Strike Beacon\r\ncommand and control (C2) infrastructure [T1071.001].\r\nExfiltration and Collection\r\nIn a couple of instances, while logged in to victim accounts, the actors downloaded files related to gaining remote\r\naccess to the organization and to the organization’s inventory [T1005], likely exfiltrating the files to further\r\npersist in the victim network or to sell the information online.\r\nDetection\r\nTo detect brute force activity, the authoring agencies recommend reviewing authentication logs for system and\r\napplication login failures of valid accounts and looking for multiple, failed authentication attempts across all\r\naccounts.\r\nTo detect the use of compromised credentials in combination with virtual infrastructure, the authoring agencies\r\nrecommend the following steps:\r\nLook for “impossible logins,” such as suspicious logins with changing usernames, user agent strings, and\r\nIP address combinations or logins where IP addresses do not align to the user’s expected geographic\r\nlocation.\r\nLook for one IP used for multiple accounts, excluding expected logins.\r\nLook for “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses with\r\nsignificant geographic distance (i.e., a person could not realistically travel between the geographic\r\nlocations of the two IP addresses during the period between the logins). 
Note: Implementing this detection\r\nopportunity can result in false positives if legitimate users apply VPN solutions before connecting into\r\nnetworks.\r\nLook for MFA registrations in unexpected locales or from unfamiliar devices.\r\nLook for processes and program execution command-line arguments that may indicate credential dumping,\r\nespecially attempts to access or copy the ntds.dit file from a domain controller.\r\nLook for suspicious privileged account use after resetting passwords or applying user account mitigations.\r\nLook for unusual activity in typically dormant accounts.\r\nLook for unusual user agent strings, such as strings not typically associated with normal user activity,\r\nwhich may indicate bot activity.\r\nMitigations\r\nThe authoring agencies recommend organizations implement the mitigations below to improve their\r\ncybersecurity posture based on the actors’ TTPs described in this advisory. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA. The CPGs, which are organized to align to\r\nthe National Institute of Standards and Technology (NIST) Cybersecurity Framework, are a subset of\r\ncybersecurity practices, aimed at meaningfully reducing risks to both critical infrastructure operations and the\r\nAmerican people. These voluntary CPGs strive to help small- and medium-sized organizations kick-start their\r\ncybersecurity efforts by prioritizing investment in a limited number of essential actions with high-impact security\r\noutcomes. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs,\r\nincluding additional recommended baseline protections.\r\nReview IT helpdesk password management related to initial passwords, password resets for user lockouts,\r\nand shared accounts. 
IT helpdesk password procedures may not align to company policy for user\r\nverification or password strength, creating a security gap. Avoid common passwords (e.g. “Spring2024” or\r\n“Password123!”).\r\nDisable user accounts and access to organizational resources for departing staff [CPG 2.D]. Disabling\r\naccounts can minimize system exposure, removing options actors can leverage for entry into the system.\r\nSimilarly, create new user accounts as close as possible to an employee’s start date.\r\nImplement phishing-resistant MFA [CPG 2.H]. See CISA’s resources Phishing-Resistant Multifactor\r\nAuthentication and More than a Password for additional information on strengthening user credentials.\r\nContinuously review MFA settings to ensure coverage over all active, internet-facing protocols to ensure\r\nno exploitable services are exposed [CPG 2.W].\r\nProvide basic cybersecurity training to users [CPG 2.I] covering concepts such as:\r\nDetecting unsuccessful login attempts [CPG 2.G].\r\nHaving users deny MFA requests they have not generated.\r\nEnsuring users with MFA-enabled accounts have MFA set up appropriately.\r\nEnsure password policies align with the latest NIST Digital Identity Guidelines.\r\nMeeting the minimum password strength [CPG 2.B] by creating a password using 8-64 nonstandard\r\ncharacters and long passphrases, when possible.\r\nDisable the use of RC4 for Kerberos authentication.\r\nThese mitigations apply to critical infrastructure entities across sectors.\r\nThe authoring agencies also recommend software manufacturers incorporate secure by design principles and\r\ntactics into their software development practices to protect their customers against actors using compromised\r\ncredentials, thereby strengthening the security posture of their customers.  
For more information on secure by\r\ndesign, see CISA’s Secure by Design webpage and joint guide.\r\nValidate Security Controls\r\nIn addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating\r\norganization security programs against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise\r\nframework in this advisory. The authoring agencies recommend testing your existing security controls inventory\r\nto assess how they perform against the ATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Table 1 to Table 12).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by\r\nthis process.\r\nThe authoring agencies recommend continually testing your security program, at scale, in a production\r\nenvironment to ensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nContact Information\r\nOrganizations are encouraged to report suspicious or criminal activity related to information in this advisory to:\r\nCISA via CISA’s 24/7 Operations Center [report@cisa.gov or 1-844-Say-CISA (1-844-729-2472)] or\r\nyour local FBI field office. 
When available, please include the following information regarding the\r\nincident: date, time, and location of the incident; type of activity; number of people affected; type of\r\nequipment used for the activity; the name of the submitting company or organization; and a designated\r\npoint of contact.\r\nFor NSA cybersecurity guidance inquiries, contact CybersecurityReports@nsa.gov.\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. The authoring agencies do\r\nnot endorse any commercial entity, product, company, or service, including any entities, products, or services\r\nlinked within this document. Any reference to specific commercial entities, products, processes, or services by\r\nservice mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation,\r\nor favoring by the authoring agencies.\r\nIntrusion events connected to this Iranian group may also include a different set of cyber actors, likely the third-party actors who purchased access from the Iranian group via cybercriminal forums or other channels. As a result,\r\nsome TTPs and IOCs noted in this advisory may be tied to these third-party actors, not the Iranian actors. The\r\nTTPs and IOCs are in the advisory to provide recipients the most complete picture of malicious activity that may\r\nbe observed on compromised networks. However, exercise caution if formulating attribution assessments based\r\nsolely on matching TTPs and IOCs.\r\nVersion History\r\nOctober 16, 2024: Initial version.\r\nAppendix A: MITRE ATT\u0026CK Tactics and Techniques\r\nSee Tables 1–12 for all referenced actors’ tactics and techniques in this advisory. 
For assistance with mapping\r\nmalicious cyber activity to the MITRE ATT\u0026CK framework, see CISA and MITRE ATT\u0026CK’s Best Practices for\r\nMITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nTable 1: Reconnaissance\r\nTechnique Title | ID | Use\r\nGather Victim Identity Information | T1589 | The actors likely gathered victim information.\r\nTable 2: Resource Development\r\nTechnique Title | ID | Use\r\nObtain Capabilities: Tool | T1588.002 | The actors obtained a password spray tool through an open-source repository.\r\nTable 3: Initial Access\r\nTechnique Title | ID | Use\r\nValid Accounts | T1078 | The actors used password spraying to obtain valid user and group email account credentials, allowing them access to the network.\r\nValid Accounts: Cloud Accounts | T1078.004 | The actors used accounts hosted on Microsoft 365, Azure, and Okta cloud environments as additional methods for initial access.\r\nExternal Remote Services | T1133 | The actors exploited Citrix systems’ external-facing remote services as another method for gaining initial access to the system.\r\nTable 4: Execution\r\nTechnique Title | ID | Use\r\nCommand and Scripting Interpreter: PowerShell | T1059.001 | The actors used PowerShell commands to maintain and expand access.\r\nTable 5: Persistence\r\nTechnique Title | ID | Use\r\nAccount Manipulation: Device Registration | T1098.005 | The actors used PowerShell commands to maintain and expand access.\r\nModify Authentication Process | T1556 | The actors used a public facing Active Directory Federation Service (ADFS) domain to reset the passwords of expired accounts.\r\nModify Authentication Process: Multi-Factor Authentication | T1556.006 | The actors used an MFA bypass method, such as Multi-Factor Authentication Request Generation, providing the ability to modify or completely disable MFA defenses.\r\nTable 6: Privilege Escalation\r\nTechnique Title | ID | Use\r\nExploitation for Privilege Escalation | T1068 | The actors attempted impersonation of the domain controller likely by exploiting CVE-2020-1472, Microsoft’s Netlogon Privilege Escalation vulnerability.\r\nDomain or Tenant Policy Modification: Trust Modification | T1484.002 | The actors leveraged a public-facing ADFS password reset tool to reactivate inactive accounts, allowing the actor to authenticate and enroll their devices as any user in the AD managed by the victim tenant.\r\nTable 7: Defense Evasion\r\nTechnique Title | ID | Use\r\nIndirect Command Execution | T1202 | The actors attempted impersonation of the Domain Controller likely by exploiting CVE-2020-1472, Microsoft’s Netlogon Privilege Escalation vulnerability.\r\nTable 8: Credential Access\r\nTechnique Title | ID | Use\r\nBrute Force: Password Spraying | T1110.003 | The actors targeted applications, including Single Sign-on (SSO) Microsoft Office 365, using brute force password sprays and imported the tool DomainPasswordSpray.ps1.\r\nCredentials from Password Stores | T1555 | The actors used the command Cmdkey /list likely to display usernames and credentials.\r\nSteal or Forge Kerberos Tickets: Kerberoasting | T1558.003 | The actors performed Kerberos Service Principal Name (SPN) enumeration of several service accounts and received Rivest Cipher 4 (RC4) tickets.\r\nMulti-Factor Authentication Request Generation | T1621 | The actors sent MFA requests to legitimate users.\r\nTable 9: Discovery\r\nTechnique Title | ID | Use\r\nRemote System Discovery | T1018 | The actors used LOTL to return information about domain controllers.\r\nPermission Groups Discovery: Domain Groups | T1069.002 | The actors used LOTL to return lists of domain administrators and enterprise administrators.\r\nPermission Groups Discovery: Cloud Groups | T1069.003 | The actors used LOTL to return lists of domain administrators and enterprise administrators.\r\nSystem Information Discovery | T1082 | The actors were able to query the AD to discover display names, operating systems, descriptions, and distinguished names from the computer.\r\nAccount Discovery: Domain Account | T1087.002 | The actors used LOTL to return lists of domain administrators and enterprise administrators.\r\nDomain Trust Discovery | T1482 | The actors used LOTL to return information about trusted domains.\r\nTable 10: Lateral Movement\r\nTechnique Title | ID | Use\r\nRemote Services: Remote Desktop Protocol | T1021.001 | The actors used Microsoft Word to open PowerShell to launch RDP binary mstsc.exe.\r\nTable 11: Collection\r\nTechnique Title | ID | Use\r\nData from Local System | T1005 | The actors downloaded files related to remote access methods and the organization’s inventory.\r\nTable 12: Command and Control\r\nTechnique Title | ID | Use\r\nApplication Layer Protocol: Web Protocols | T1071.001 | The actors used msedge.exe to make outbound connections likely to Cobalt Strike Beacon C2 infrastructure.\r\nIngress Tool Transfer | T1105 | The actors imported a tool from GitHub and used it to conduct password spraying.\r\nProtocol Tunneling | T1572 | The actors frequently conduct targeting using a virtual private network (VPN).\r\nAppendix B: Indicators of Compromise\r\nSee Tables 13 to 15 for IOCs obtained from FBI investigations.\r\nTable 13: Malicious Files Associated with Iranian Cyber Actors\r\nHash | Description\r\n1F96D15B26416B2C7043EE7172357AF3AFBB002A | Associated with malicious activity.\r\n3D3CDF7CFC881678FEBCAFB26AE423FE5AA4EFEC | Associated with malicious activity.\r\nDisclaimer: The authoring 
organizations recommend network defenders investigate or vet IP addresses prior to\r\ntaking action, such as blocking, as many cyber actors are known to change IP addresses, sometimes daily, and\r\nsome IP addresses may host valid domains. Many of the IP addresses provided below are assessed VPN nodes and\r\nas such are not exclusive to the Iranian actors’ use. The authoring organizations do not recommend blocking these\r\nIP addresses based solely on their inclusion in this JCSA. The authoring organizations recommend using the\r\nbelow IP addresses to search for previous activity the actors may have conducted against networks. If positive hits\r\nfor these IP addresses are identified, the authoring organizations recommend making an independent\r\ndetermination if the observed activity aligns with the TTPs outlined in the JCSA. The timeframes included in the\r\ntable reflect the timeframe the actors likely used the IPs.\r\nTable 14: Network Indicators\r\nIP Address | Date Range\r\nTable 15: Devices\r\nDevice Type | Description\r\nSamsung Galaxy A71 (SM-A715F) | Registered with MFA\r\nSamsung SM-G998B | Registered with MFA\r\nSamsung SM-M205F | Registered with MFA\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a"
	],
	"report_names": [
		"aa24-290a"
	],
	"threat_actors": [],
	"ts_created_at": 1775439152,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01303215802cb3abb59cee71d5effa60d6833873.pdf",
		"text": "https://archive.orkl.eu/01303215802cb3abb59cee71d5effa60d6833873.txt",
		"img": "https://archive.orkl.eu/01303215802cb3abb59cee71d5effa60d6833873.jpg"
	}
}