Microsoft has disrupted multiple cyber operations targeting customers of its products. Security researchers at the tech giant have tracked down and dismantled campaigns linked with two threat groups, namely Bohrium and Polonium.
Takedown of Bohrium
Microsoft Digital Crimes Unit (DCU) has successfully dismantled a spear-phishing operation associated with an Iranian threat actor, named Bohrium, that targeted customers in the Middle East, the U.S., and India.
The tech giant took down 41 domains used in the campaign to establish a C2 infrastructure for deploying malicious tools.
This action was part of a series of lawsuits targeting malicious infrastructure used in attacks aimed at customers of Microsoft.
Takedown of Polonium
Microsoft has successfully blocked Polonium, a Lebanon-based hacking group, that was using OneDrive for data exfiltration and C2 while targeting and infecting Israeli organizations.
More than 20 malicious OneDrive apps used in Polonium's attacks are suspended. Further, targeted entities are notified and malicious tools are quarantined using security intelligence updates.
The group had gained initial access to many of its victims. Around 80% of the observed victims were found beaconing to graph[.]microsoft[.]com and running Fortinet appliances.
It is mostly targeting organizations in Israel with a focus on critical manufacturing, IT, and defense firms. In one case, a compromised IT company was used to target a law and downstream aviation firm in a supply-chain attack.
The victim organizations belonged to multiple sectors such as critical manufacturing, IT, defense industrial base, transportation, government, food and agriculture, finance, healthcare, and public health.
What to do?
Microsoft is advising its customers to make sure that Microsoft Defender Antivirus is updated with the latest security intelligence updates (1.365.40.0 or later). Further, use multi-factor authentication for all remote connectivity to stop any sort of abuse of compromised credentials.