Iran-linked DEV-0343 APT target US and Israeli defense technology firms

DEV-0343: Iran-linked threat actors are targeting US and Israeli defense technology companies leveraging password spraying attacks.

Researchers at Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) uncovered a malicious activity cluster, tracked as DEV-0343, that is targeting the Office 365 tenants of US and Israeli defense technology companies.

Threat actors are launching extensive password spraying attacks aimed at the target organizations, the malicious campaign was first spotted in July 2021.

“DEV-0343 is a new activity cluster that the Microsoft Threat Intelligence Center (MSTIC) first observed and began tracking in late July 2021. MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.” reads the post published by Microsoft. “Less than 20 of the targeted tenants were successfully compromised, but DEV-0343 continues to evolve their techniques to refine its attacks.”

Microsoft added that password spray attacks on Office 365 accounts with multifactor authentication (MFA) enabled failed.

The DEV-0343 focuses on defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems.

Microsoft researchers said that the activity is aligned with Teheran interests and its TTPs are similar to the ones of another Iran-linked threat actor.

“Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.” continues the report.

The researchers speculate the attackers aimed at gaining access to commercial satellite imagery and proprietary shipping plans and logs, this information could allow the Iranian Government to compensate for its developing satellite program.

Threat actors behind DEV-0343 leverage an elaborate series of Tor IP addresses to obfuscate their infrastructure.

“DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.” continues the report. “DEV-0343 operators typically target two Exchange endpoints – Autodiscover and ActiveSync – as  a feature of the enumeration/password spray tool they use. This allows DEV-0343 to validate active accounts and passwords, and further refine their password spray activity.”

Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to secure their accounts.

The IT giant recommended organizations to look for the following tactics in logs and network activity to determine if their infrastructure was hit by the threat actors:

• Extensive inbound traffic from Tor IP addresses for password spray campaigns
• Emulation of FireFox (most common) or Chrome browsers in password spray campaigns
• Enumeration of Exchange ActiveSync (most common) or Autodiscover endpoints
• Use of enumeration/password spray tool similar to the ‘o365spray’ tool
• Use of Autodiscover to validate accounts and passwords
• Observed password spray activity commonly peaking between 04:00:00 and 11:00:00 UTC

Below is the list of defensive measures shared by Microsoft to mitigate DEV-0343 attacks:

• Enable multifactor authentication to mitigate compromised credentials.
  • For Office 365 users, see multifactor authentication support.
  • For Consumer and Personal email accounts, see how to use two-step verification.
• Microsoft strongly encourages all customers to download and use passwordless solutions.
• Review and enforce recommended Exchange Online access policies:
  • Block ActiveSync clients from bypassing Conditional Access policies.
• Block all incoming traffic from anonymizing services where possible.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]