Iranian threat actors are targeting Office 365 tenants at U.S. and Israeli defense technology companies in large-scale password spray attacks.
In a password spray attack, the attacker tries the same small set of passwords against many accounts at once, spreading the attempts across many source IP addresses so that the failures blend in.
This defeats automated defenses such as account lockout and malicious-IP blocking, which are designed to stop repeated failed login attempts against a single account or from a single address.
The activity cluster was temporarily dubbed DEV-0343 by researchers from the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU), who have tracked it since late July.
Attacks aligned with Iranian government interests
According to Microsoft, this ongoing malicious activity matches Iranian national interests, based on techniques and targets that align with those of another threat actor linked to Iran.
DEV-0343 was also linked to Iran based on pattern-of-life analysis and extensive overlap in sector and geographic targeting with other Iranian hacking groups.
“The targeting in this DEV-0343 activity has been observed in defense companies that support US, EU and Israeli government partners producing military grade radar, drone technology, satellite systems and emergency response communication systems,” Microsoft said.
“Other activities have targeted clients in geographic information systems (GIS), spatial analysis, regional ports of entry in the Persian Gulf and several shipping and freight companies focused on the Middle East.”
The end goal of the DEV-0343 operators is likely to gain access to commercial satellite imagery and proprietary shipping plans and logs, which would be used to augment Iran’s developing satellite program.
Microsoft has directly notified customers who have been targeted or compromised, providing them with the information they need to secure their accounts.
Fewer than 20 targets compromised
Since the attacks began, fewer than 20 targets have been compromised, and Microsoft notes that Office 365 accounts with multi-factor authentication (MFA) enabled are resistant to DEV-0343’s password spray attacks.
DEV-0343 targets the Exchange Autodiscover and ActiveSync endpoints with its enumeration/password spray tool to validate active accounts and fine-tune its attacks.
“They typically target tens to hundreds of accounts within an organization, depending on size, and list each account tens to thousands of times,” says Microsoft.
“On average, between 150 and over 1,000 unique Tor proxy IP addresses are used in attacks against each organization.”
How to defend against attacks
Companies exposed to this activity are encouraged to look for DEV-0343’s behaviors and tactics in their logs and network activity, including:
- Heavy inbound traffic from Tor IP addresses for password spray campaigns
- Emulation of Firefox (most common) or Chrome browsers in password spray campaigns
- Enumeration of Exchange ActiveSync (most common) or Autodiscover endpoints
- Using an enumeration / password spray tool similar to the “o365spray” tool
- Using Autodiscover to validate accounts and passwords
- Observed password spray activity typically peaks between 04:00:00 and 11:00:00 UTC
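A minimal hunt over sign-in records for the indicators listed above, as an added example (not Microsoft's own hunting queries): it groups failed sign-ins against the ActiveSync and Autodiscover endpoints into one-hour UTC windows and alerts when many distinct accounts fail from many distinct source IPs, annotating each alert with the Tor, Firefox user-agent and peak-hour indicators. The record format, sample data and Tor exit list are all constructed for the example.

```python
"""Hunt for DEV-0343-style password spray in Office 365 sign-in records.
Added example, not Microsoft's hunting query; flags hour windows in which many
accounts fail against legacy Exchange endpoints from many source IPs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (UTC time, account, source IP, client app,
# user agent, sign-in succeeded). Not real telemetry.
SIGNINS = [
    ("2021-10-01T05:02:11Z", "alice@example.com", "198.51.100.7", "Exchange ActiveSync", "Mozilla/5.0 Firefox/91.0", False),
    ("2021-10-01T05:02:40Z", "bob@example.com", "198.51.100.8", "Exchange ActiveSync", "Mozilla/5.0 Firefox/91.0", False),
    ("2021-10-01T05:03:05Z", "carol@example.com", "198.51.100.9", "Autodiscover", "Mozilla/5.0 Firefox/91.0", False),
    ("2021-10-01T05:03:31Z", "dave@example.com", "203.0.113.4", "Exchange ActiveSync", "Mozilla/5.0 Chrome/94.0", False),
    ("2021-10-01T14:10:00Z", "alice@example.com", "192.0.2.10", "Browser", "Mozilla/5.0 Edge/94.0", True),
    ("2021-10-01T14:11:00Z", "alice@example.com", "192.0.2.10", "Exchange ActiveSync", "Mozilla/5.0 Edge/94.0", False),
]
# Constructed stand-in for a Tor exit-node list; feed a real list in production.
TOR_EXIT_IPS = {"198.51.100.7", "198.51.100.8", "198.51.100.9"}
LEGACY_ENDPOINTS = {"Exchange ActiveSync", "Autodiscover"}

def spray_alerts(records, min_accounts=3, min_ips=3):
    """Return one alert per UTC hour in which at least min_accounts distinct
    accounts failed against ActiveSync/Autodiscover from at least min_ips IPs."""
    buckets = defaultdict(lambda: {"accounts": set(), "ips": set(), "tor": 0, "firefox": 0})
    for ts, user, ip, app, ua, ok in records:
        if ok or app not in LEGACY_ENDPOINTS:
            continue  # only failures against the legacy endpoints carry the spray signal
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H")
        b = buckets[hour]
        b["accounts"].add(user)
        b["ips"].add(ip)
        b["tor"] += ip in TOR_EXIT_IPS       # inbound from a Tor exit node
        b["firefox"] += "Firefox/" in ua     # emulated Firefox user agent
    alerts = []
    for hour, b in sorted(buckets.items()):
        if len(b["accounts"]) < min_accounts or len(b["ips"]) < min_ips:
            continue  # a single user mistyping a password is not a spray
        alerts.append({
            "hour": hour,
            "accounts": len(b["accounts"]),
            "source_ips": len(b["ips"]),
            "tor_failures": b["tor"],
            "firefox_failures": b["firefox"],
            "in_peak_window": 4 <= int(hour[-2:]) < 11,  # page: peaks 04:00-11:00 UTC
        })
    return alerts
```

Running `spray_alerts(SIGNINS)` on the constructed data yields a single alert for the 05:00 UTC hour (four accounts, four IPs, three of them Tor, three Firefox user agents) and nothing for the lone 14:11 failure.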
Microsoft recommends taking the following steps to defend against attacks from DEV-0343:
MSTIC and DSU researchers also shared Microsoft 365 Defender and Azure Sentinel advanced hunting queries at the end of the blog post to help SecOps teams detect activity related to DEV-0343.