Microsoft is warning that Iran-linked threat actors are targeting Israeli defence technology companies through password-spraying attacks.

  • MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants. 
  • DEV-0343 conducts extensive password sprays imitating a Firefox browser and using IPs hosted on a Tor proxy network.


“DEV-0343 is a new activity cluster temporarily dubbed by researchers at Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU).

“Targeting in this DEV-0343 activity has been observed across defence companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems,” Microsoft says.

“Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.”

The DEV-0343 operator’s end goal is likely to gain access to commercial satellite imagery and proprietary shipping plans and logs, which would be used to augment Iran's in-development satellite program.

Since the attacks started, fewer than 20 targets have been compromised, and Microsoft notes that Office 365 accounts with multi-factor authentication (MFA) enabled are resilient against DEV-0343's password spray attacks.

DEV-0343 operators target two Exchange endpoints – Autodiscover and ActiveSync – with their enumeration/password spray tool to validate accounts and refine their attacks.

Microsoft notified customers that had been targeted or compromised, providing them with the required information to secure their accounts.

The IT giant advised organizations to look for the following tactics in logs and network activity to determine if the threat actors hit their infrastructure:

  • Extensive inbound traffic from Tor IP addresses for password spray campaigns
  • Emulation of Firefox (most common) or Chrome browsers in password spray campaigns
  • Enumeration of Exchange ActiveSync (most common) or Autodiscover endpoints
  • Use of enumeration/password spray tool similar to the ‘o365spray’ tool
  • Use of Autodiscover to verify accounts and passwords
  • Observed password spray activity commonly peaking between 04:00:00 and 11:00:00 UTC
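The indicators above, together with the Autodiscover/ActiveSync enumeration described earlier, can be turned into a triage script that runs over exported sign-in records. The following is an added example, not code from Microsoft or from this article: the log format, the sample sign-in lines, the `example.com` accounts and the Tor exit-node set are all constructed for the demo, and the thresholds (five distinct accounts, 80% failure ratio) are assumptions a team would tune to its own tenant.

```python
"""Password-spray triage over Office 365 sign-in records.

Added example, not Microsoft's or the article's code. It groups sign-in
events by source IP and reports IPs that match the indicators the article
lists: many distinct accounts tried from one IP with mostly failures, Tor
exit-node sources, Firefox/Chrome user agents, hits on the Exchange
ActiveSync and Autodiscover endpoints, and activity concentrated between
04:00 and 11:00 UTC. Successful sign-ins from a spraying IP are called out
so responders know which credentials to reset first.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed Tor exit-node set. In production this would come from a
# maintained feed (for example the Tor Project's bulk exit list).
TOR_EXIT_IPS = {"198.51.100.7", "198.51.100.23"}

# Constructed sign-in records: timestamp|user|source IP|client app|user agent|result
SIGNIN_LOG = """\
2021-10-11T05:12:03Z|alice@example.com|198.51.100.7|Exchange ActiveSync|Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0|Failure
2021-10-11T05:12:09Z|bob@example.com|198.51.100.7|Exchange ActiveSync|Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0|Failure
2021-10-11T05:12:15Z|carol@example.com|198.51.100.7|Exchange ActiveSync|Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0|Failure
2021-10-11T05:12:21Z|dave@example.com|198.51.100.7|Exchange ActiveSync|Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0|Failure
2021-10-11T05:12:27Z|erin@example.com|198.51.100.7|Exchange ActiveSync|Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0|Failure
2021-10-11T05:12:33Z|frank@example.com|198.51.100.7|Autodiscover|Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0|Success
2021-10-11T14:03:44Z|alice@example.com|203.0.113.10|Outlook|Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14326; Pro)|Success
2021-10-11T14:10:02Z|alice@example.com|203.0.113.10|Outlook|Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14326; Pro)|Success
"""

SPRAY_ENDPOINTS = {"Exchange ActiveSync", "Autodiscover"}
BROWSER_MARKERS = ("Firefox", "Chrome")
MIN_DISTINCT_ACCOUNTS = 5   # assumed threshold: a spray touches many accounts
FAILURE_RATIO = 0.8         # assumed threshold: and most attempts fail
PEAK_WINDOW_UTC = (4, 11)   # 04:00:00 <= hour < 11:00:00, per the article


def parse_log(text):
    """Turn the pipe-delimited lines into dicts with an aware UTC timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, app, ua, result = line.split("|")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "ip": ip, "app": app, "ua": ua, "result": result,
        })
    return records


def in_peak_window(ts):
    """True if the timestamp falls in the 04:00-11:00 UTC window."""
    start, end = PEAK_WINDOW_UTC
    return start <= ts.hour < end


def triage(records, tor_ips=TOR_EXIT_IPS):
    """Return {source_ip: [reasons]} for IPs that look like spray sources.

    An IP is reported when it shows the spray pattern (many accounts, mostly
    failures) or comes from a Tor exit node; the other indicators are added
    as corroboration so a lone Firefox user at 05:00 UTC is not flagged.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    findings = {}
    for ip, events in by_ip.items():
        accounts = {e["user"] for e in events}
        failures = [e for e in events if e["result"] != "Success"]
        spraying = (len(accounts) >= MIN_DISTINCT_ACCOUNTS
                    and len(failures) / len(events) >= FAILURE_RATIO)
        is_tor = ip in tor_ips
        if not (spraying or is_tor):
            continue

        reasons = []
        if spraying:
            reasons.append(f"{len(accounts)} distinct accounts, "
                           f"{len(failures)}/{len(events)} failures")
        if is_tor:
            reasons.append("source is a Tor exit node")
        hit = {e["app"] for e in events} & SPRAY_ENDPOINTS
        if hit:
            reasons.append("Exchange endpoints: " + ", ".join(sorted(hit)))
        if any(m in e["ua"] for e in events for m in BROWSER_MARKERS):
            reasons.append("browser-like user agent (Firefox/Chrome)")
        peak = sum(in_peak_window(e["ts"]) for e in events)
        if peak / len(events) >= FAILURE_RATIO:
            reasons.append("activity concentrated in 04:00-11:00 UTC")
        # Successes from a spraying IP are the accounts to reset first.
        for e in events:
            if e["result"] == "Success":
                reasons.append(f"SUCCESSFUL sign-in for {e['user']} - reset credentials")
        findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in triage(parse_log(SIGNIN_LOG)).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

Run against the embedded sample, the script reports only the Tor source `198.51.100.7`, listing the six-account spray, the ActiveSync and Autodiscover hits, the Firefox user agent, the 05:00 UTC timing, and the one successful sign-in (`frank@example.com`) that an incident responder would treat as a compromised account; the ordinary Outlook sessions from `203.0.113.10` are left alone. Enforcing MFA, as the article notes, is what actually blunts the attack; this kind of triage is for finding the accounts that were hit before MFA was in place.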
