Since July 2021, the Microsoft Threat Intelligence Center (MSTIC) has been tracking a new cluster of activity targeting U.S. and Israeli defense companies, Middle East shipping companies and Gulf ports, the company said in a blog post. Analysis of this activity led the company to assess that it is supported by the Iranian state.
MSTIC assigns DEV-#### names to emerging or unknown threat clusters until it has high confidence in the origin or identity of the actor behind them. This activity cluster has been designated DEV-0343. It has been observed operating mainly between Sunday and Thursday, from 7:30 to 20:30 Iran time (04:00 to 17:00 UTC), the company said.
Targets are not just defense companies
DEV-0343 targets defense companies that produce military-grade radars, drone technology, satellite systems and emergency response communication systems for United States, European Union and Israeli government partners. It also targets maritime and cargo transportation companies operating in the Middle East. Other targets include "customers in geographic information systems (GIS), spatial analysis, regional ports of entry in the Persian Gulf," the blog post said.
The attackers use password spraying, in which a small set of likely passwords is tried against a large number of usernames, one or two attempts per account, so that the failure rate per account stays below lockout thresholds. The sprays are launched from tooling that emulates a Firefox or Chrome browser and are routed through Tor, with an average of 150 to 1,000 unique Tor IP addresses in use, the company said.
So far, Microsoft has detected this activity against more than 250 Office 365 tenants, concentrated on two Exchange Online endpoints, Autodiscover and Exchange ActiveSync. Both are legacy-authentication endpoints that accept a username and password directly and cannot raise an interactive multi-factor prompt, which is why they are the natural target for a spray. Fewer than 20 tenants were actually compromised, however, and the company has contacted the affected customers to notify them and help secure their accounts.
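As an added illustration of how such a spray shows up in sign-in telemetry (this is example code written for this page, not Microsoft's detection logic or the hunting queries from its blog), the script below groups Azure AD-style sign-in records by source IP, looks for many distinct accounts failing from one address within a short window, and enriches each hit with the indicators the report describes: a Tor exit as the source, a legacy Exchange client (ActiveSync or Autodiscover), a desktop-browser user agent on that client, the actor's Sunday-to-Thursday operating hours, and any success from the same source after the burst, which is the actual compromise signal. The log records, the Tor exit list, the example domain and user names, the user-agent strings and the thresholds are all constructed assumptions; only the field names follow the Azure AD SignInLogs schema.

```python
"""Password-spray hunting over Azure AD-style sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a Tor exit-node list (RFC 5737 documentation addresses, not real exits).
TOR_EXIT_IPS = {"198.51.100.7", "198.51.100.23", "203.0.113.9"}

# Legacy-auth clients named in the report as the sprayed endpoints; neither can raise an MFA prompt.
LEGACY_CLIENTS = {"Exchange ActiveSync", "Autodiscover"}

# Azure AD sign-in error codes a spray produces: bad password, unknown user, smart lockout.
SPRAY_ERROR_CODES = {50126, 50034, 50053}

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:92.0) Gecko/20100101 Firefox/92.0"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/94.0 Safari/537.36"


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2021-09-21T09:15:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def in_actor_window(ts):
    """True inside DEV-0343's reported operating hours: Sunday-Thursday, 04:00-17:00 UTC."""
    return ts.weekday() in (6, 0, 1, 2, 3) and 4 <= ts.hour < 17


def signin(time, user, ip, code, client="Exchange ActiveSync", ua=FIREFOX_UA):
    """Build a record shaped like an Azure AD SignInLogs row (constructed data)."""
    return {"createdDateTime": time, "userPrincipalName": user, "ipAddress": ip,
            "clientAppUsed": client, "userAgent": ua, "status": {"errorCode": code}}


# Constructed sample log: a ten-minute spray from one Tor exit across six accounts, followed by
# one success, plus a legitimate user mistyping twice from a corporate address before signing in.
SAMPLE_SIGNINS = [
    signin("2021-09-21T09:15:00Z", "a.ahmadi@example-defense.test", "198.51.100.7", 50126),
    signin("2021-09-21T09:16:10Z", "b.cohen@example-defense.test", "198.51.100.7", 50126),
    signin("2021-09-21T09:17:25Z", "c.davis@example-defense.test", "198.51.100.7", 50126),
    signin("2021-09-21T09:19:00Z", "d.evans@example-defense.test", "198.51.100.7", 50034),
    signin("2021-09-21T09:21:40Z", "e.frank@example-defense.test", "198.51.100.7", 50126),
    signin("2021-09-21T09:24:05Z", "f.green@example-defense.test", "198.51.100.7", 50126),
    signin("2021-09-21T09:40:00Z", "c.davis@example-defense.test", "198.51.100.7", 0),
    signin("2021-09-21T10:02:00Z", "g.hill@example-defense.test", "192.0.2.10", 50126, "Browser", CHROME_UA),
    signin("2021-09-21T10:02:30Z", "g.hill@example-defense.test", "192.0.2.10", 50126, "Browser", CHROME_UA),
    signin("2021-09-21T10:03:00Z", "g.hill@example-defense.test", "192.0.2.10", 0, "Browser", CHROME_UA),
]


def detect_password_spray(records, min_users=5, window=timedelta(minutes=30)):
    """Flag source IPs that fail against at least min_users distinct accounts inside one window.

    Grouping by source address rather than by user is what separates a spray (many users,
    few attempts each) from ordinary lockout noise (one user, many attempts).
    """
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ipAddress"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: parse_ts(r["createdDateTime"]))
        fails = [r for r in recs if r["status"]["errorCode"] in SPRAY_ERROR_CODES]
        times = [parse_ts(r["createdDateTime"]) for r in fails]

        # Sliding window over the sorted failures: largest set of distinct targets within `window`.
        best_users, burst_start, burst_end, j = set(), None, None, 0
        for i, t0 in enumerate(times):
            while j < len(times) and times[j] - t0 <= window:
                j += 1
            users = {r["userPrincipalName"] for r in fails[i:j]}
            if len(users) > len(best_users):
                best_users, burst_start, burst_end = users, t0, times[j - 1]
        if len(best_users) < min_users:
            continue

        # A success from the same source after the burst means a sprayed password worked.
        compromised = sorted({r["userPrincipalName"] for r in recs
                              if r["status"]["errorCode"] == 0
                              and parse_ts(r["createdDateTime"]) >= burst_end})
        alerts.append({
            "ip": ip,
            "distinct_users": len(best_users),
            "burst_start": burst_start.isoformat(),
            "tor_exit": ip in TOR_EXIT_IPS,
            "legacy_auth": any(r["clientAppUsed"] in LEGACY_CLIENTS for r in fails),
            # Real ActiveSync clients identify as mail apps or devices; a desktop-browser UA on
            # that endpoint is itself a sign of scripted browser emulation.
            "browser_ua_on_legacy_client": any(
                r["clientAppUsed"] in LEGACY_CLIENTS and ("Firefox" in r["userAgent"] or "Chrome" in r["userAgent"])
                for r in fails),
            "in_actor_window": in_actor_window(burst_start),
            "compromised_accounts": compromised,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_SIGNINS):
        print(alert)
```

Run against the constructed log, the script raises one alert, for 198.51.100.7, with six distinct targets, every indicator set, and c.davis listed as the account that fell; the corporate address with one user failing twice never reaches the threshold. In production the same logic would run over exported SignInLogs with a current Tor exit list in place of the constructed set, and the window and threshold would be tuned to the tenant's normal failure rate.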
Microsoft believes the pattern of activity points to an Iranian origin. The access gained from these intrusions could help Iran compensate for its still-developing satellite program, the blog post said.
Microsoft recommends that customers enable multi-factor authentication to mitigate compromised credentials, adopt passwordless sign-in such as Microsoft Authenticator, review and enforce the recommended Exchange Online access policies (in particular, disabling the legacy authentication protocols that cannot enforce MFA, since a sprayed password is only useful where it can be used without a second factor), and block inbound traffic from anonymization services wherever possible.