Microsoft revealed that most probably an Iran-linked threat actor has been launching attacks against Office 365 across U.S. and Israeli defense technology firms.
What has happened?
- Password spray attacks enable attackers to bypass automated defenses such as password lockout and malicious IP blocking for multiple failed login attempts. This allows them to avoid account lockouts.
- Attackers reportedly used around 150 and 1,000+ distinct Tor proxy IP addresses to attack each organization in the U.S. and Israel.
- The group often targeted hundreds of accounts within an organization.
- Criminals targeted the Autodiscover and ActiveSync Exchange endpoints with their enumeration or password spray tool to confirm active accounts and improve their attacks.
The DEV-0343 group’s TTPs hinted that the campaign aligns with the national interests of Iran.
The link with Iran
The group attempts to gain access to commercial satellite imagery and proprietary shipping plans/logs. According to researchers, this will help Iran in developing its satellite program. Moreover, the techniques and targets of the actors matched with pattern-of-life analysis and large crossover in sectoral and geographic targeting of other Iranian actors.
Who are the targets?
So far, less than 20 victims have been observed.
- The group is targeting defense firms supporting the U.S., European Union, and Israeli government partners manufacturing military-grade radars, emergency response communication systems, satellite systems, and drone technology.
- Moreover, it is targeting customers in Geographic Information Systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and various maritime/cargo transportation firms in the Middle East.
Meanwhile, Microsoft notified victims and provided them with the information required to secure their accounts.
Conclusion
DEV-0343 group was being tracked since July and is believed to have specific targets in the U.S. and Israel. To stay protected, Microsoft recommends several security measures, including the use of MFA and password-less solutions.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/f828_shutterstock_581369836.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_389458876.jpg)
