MSTIC(Microsoft Threat Intelligence Center) has identified that threat actors(DEV-0343) are conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East. Microsoft gives name like DEV-xxx to an unknown threat actor to track it as a unique set of information until they can reach high confidence about the origin or identity of the actor behind the operation
DEV-0343 has been observed targeting two Exchange endpoints – Autodiscover and ActiveSync – as a feature of the enumeration/password spray tool they use. This allows the threat actor to validate active accounts and passwords.
“DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization” reads the blogpost.
Interestingly Microsoft has observed that the threat actor infrastructure seems to be behind the TOR network due to which there are no static IOC’s identified to incorporate into Security controls.
Microsoft has released the list of patterns to monitor in network and logs for investigating about the behaviours and tactics used by DEV-0343:
- Extensive inbound traffic from Tor IP addresses for password spray campaigns
- Emulation of FireFox (most common) or Chrome browsers in password spray campaigns
- Enumeration of Exchange ActiveSync (most common) or Autodiscover endpoints
- Use of enumeration/password spray tool similar to the ‘o365spray’ tool hosted at https://github.com/0xZDH/o365spray
- Use of Autodiscover to validate accounts and passwords
Microsoft also releases the list of recommendation to follow mitigate the threat activity:
The following guidance can mitigate the techniques described in the threat activity:
- Enable multifactor authentication to mitigate compromised credentials.
- Microsoft strongly encourages all customers to download and use passwordless solutions like Microsoft Authenticator to secure accounts.
- Review and enforce recommended Exchange Online access policies.
- Block all incoming traffic from anonymizing services where possible.
Finally the report concludes ,Obtaining access to commercial satellite images as well as private shipping plans and logs might assist Iran in compensating for its growing satellite programme . Given Iran’s past cyber and military attacks against shipping and marine targets, Microsoft believes this action raises the danger for organisation.