Microsoft: Iranian Hackers Behind Retaliatory Cyberattacks on US Orgs
Summary:
According to a recent report from Microsoft’s Threat Intelligence team, Mint Sandstorm, a hacking group previously tracked as Phosphorus and believed to have ties to the Iranian government and the Islamic Revolutionary Guard Corps (IRGC), has shifted its focus from surveillance to direct attacks on critical infrastructure in the United States. The report attributes this change in tactics to a specific subgroup of Mint Sandstorm. The subgroup typically weaponizes newly publicized proof-of-concept exploits, as observed when it used a Zoho ManageEngine PoC on the same day it was released. Alongside these N-day exploits, which target already-known vulnerabilities, the hackers also attacked unpatched devices with older vulnerabilities such as Log4Shell. Once inside a network, the hackers deploy a custom PowerShell script to gather information and assess the value of the target environment.
“The hackers then use the Impacket framework to spread laterally on the network while conducting one of two attack chains. The first attack chain leads to the theft of the target's Windows Active Directory database, which can be used to obtain users' credentials that can help hackers further the intrusion or evade detection on the network. The second attack chain is to deploy custom backdoor malware called Drokbk and Soldier; both are used to maintain persistence on compromised networks and deploy additional payloads. Microsoft says Drokbk (Drokbk.exe) [VirusTotal] is a .NET application that consists of an installer and a backdoor payload that retrieves a list of command and control server addresses from a README file on an attacker-controlled GitHub repository. The Soldier malware is also a .NET backdoor that can download and run additional payloads and uninstall itself. Like Drokbk, it retrieves a list of command and control servers from a GitHub repository” (Bleeping Computer, 2023).
According to Microsoft, apart from exploiting vulnerabilities to infiltrate networks, the attackers carried out low-volume phishing attacks against a limited number of targeted victims. These phishing attacks involved OneDrive links leading to PDFs spoofed to appear to contain Middle Eastern security or policy information. The PDFs in turn contained links to a malicious Word template that used template injection to run a payload on the target device. The phishing attacks served as a means to deploy the CharmPowerShell post-exploitation framework, enabling the hackers to execute additional commands and establish persistence.
Analyst comments:
Microsoft’s report on Mint Sandstorm suggests that the Iranian government has given state-sponsored threat actors more freedom to carry out cyberattacks, which has led to an overall increase in the pace and scope of these attacks. The theory is that these intrusions are in retaliation for attacks on Iran’s infrastructure that the country blamed on the US and Israel. The report links the increased aggression of Iranian threat actors to a new national security apparatus and warns of a broader increase in cyberattacks attributed to Iranian groups. In 2021, the US Treasury Department sanctioned individuals and entities associated with Iran’s Islamic Revolutionary Guard Corps (IRGC), whose activities overlap with those attributed to Mint Sandstorm.
Mitigation:
Microsoft recommends enabling the following attack surface reduction (ASR) rules in Microsoft Defender:
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block Office applications from creating executable content
- Block process creations originating from PSExec and WMI commands
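The three rules above can be rolled out with Microsoft Defender's PowerShell cmdlets. The script below is an added example, not part of the Microsoft or Bleeping Computer write-up; the rule GUIDs are Microsoft's published identifiers for these rules and should be confirmed against the current ASR reference before deployment. It stages the rules in audit mode first, since the PSExec/WMI rule is known to conflict with management agents that rely on WMI (Microsoft documents it as incompatible with the Configuration Manager client).

```powershell
# Added example (not from the original report). Run in an elevated session on a
# host with Microsoft Defender Antivirus; requires the Defender PowerShell module.
# Rule GUIDs: Microsoft's published ASR identifiers (verify against current docs).
$AsrRules = [ordered]@{
    'Block executables unless prevalence/age/trusted list' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block Office apps from creating executable content'   = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block process creations from PSExec and WMI commands' = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
}

function Set-AsrRules {
    # Sets every rule in $AsrRules to the same mode. Add-MpPreference merges with
    # rules already configured and updates the action of an existing rule ID.
    param(
        [Parameter(Mandatory)][ValidateSet('AuditMode', 'Enabled', 'Disabled')]
        [string]$Mode
    )
    foreach ($entry in $AsrRules.GetEnumerator()) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Host ("{0,-9} {1}  {2}" -f $Mode, $entry.Value, $entry.Key)
    }
}

function Get-AsrRuleState {
    # Reports the effective action per rule. Defender stores the actions as a
    # byte array parallel to the ID array: 0=Disabled, 1=Block, 2=Audit, 6=Warn.
    $pref  = Get-MpPreference
    $state = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $state[$pref.AttackSurfaceReductionRules_Ids[$i]] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
    foreach ($entry in $AsrRules.GetEnumerator()) {
        $action = if ($state.ContainsKey($entry.Value)) { $state[$entry.Value] } else { 'not set' }
        [pscustomobject]@{ Rule = $entry.Key; Id = $entry.Value; Action = $action }
    }
}

# Stage 1: audit only. Review Event ID 1122 (ASR audit) in the
# "Microsoft-Windows-Windows Defender/Operational" log for false positives,
# especially WMI-based management tooling hit by the PSExec/WMI rule.
Set-AsrRules -Mode AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# Stage 2: once the audit events are clean, enforce (Event ID 1121 logs blocks).
# Set-AsrRules -Mode Enabled
```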
As the threat actors heavily rely on vulnerabilities for initial access to corporate networks, Microsoft recommends that organizations apply security updates as soon as possible. Particular attention should be paid to patching IBM Aspera Faspex, Zoho ManageEngine, and Apache Log4j2, as they are known targets for the threat actors.
IOCs: https://www.microsoft.com/en-us/sec...ines-tradecraft-to-attack-high-value-targets/
Source: https://www.bleepingcomputer.com/ne...s-behind-retaliatory-cyberattacks-on-us-orgs/