A few days ago, Microsoft released its annual Digital Defense Report, noting that the greatest digital threats to governments are posed by nation-state actors from Russia, North Korea, Iran, and China. Today, the Redmond tech giant has issued an advisory stating that U.S. defense companies are being targeted by a threat actor that is being linked to Iran.
The latest cluster of malicious activity spotted by Microsoft is dubbed DEV-0343 for now. The company assigns this naming convention to a developing cluster whose identity is not yet confirmed. Once a sufficiently high level of confidence is reached regarding their identity, this ID is changed to that of a named threat actor.
As of now, DEV-0343 seems to be targeting U.S. and Israeli defense companies, global maritime transportation firms with a presence in the Middle East, and Persian Gulf ports of entry. Its attack methodology involves password spraying Office 365 tenants, which obviously means that accounts with multi-factor authentication (MFA) are resilient to it. Microsoft says that over 250 tenants were targeted, but less than 20 have been successfully compromised. Affected customers have already been informed. Some of Microsoft's reasons for linking this activity to Iran are as follows:
This activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran. Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans. Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program. Given Iran’s past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors, and we encourage our customers in these industries and geographic regions to review the information shared in this blog to defend themselves from this threat.
Microsoft has highlighted that DEV-0343 has continued to evolve and uses Tor IP addresses to hide its operational infrastructure. The Redmond firm has suggested that organizations keep an eye out for extensive inbound traffic coming from Tor IPs emulating Firefox or Chrome browsers between 04:00:00 and 11:00:00 UTC, enumeration of Exchange ActiveSync or Autodiscover endpoints, the use of the latter to validate accounts and passwords, and the utilization of password spray tools like o365spray, which is hosted on GitHub here.
Microsoft has recommended that customers also use MFA and passwordless solutions like Microsoft Authenticator, review Exchange Online access policies, and block traffic from anonymizing services where possible. The firm has also listed some hunting queries for Microsoft 365 Defender and Azure Sentinel that customers can utilize to detect malicious activity. You can check them out here.