Iran-linked APT groups continue to evolve

Pierluigi Paganini November 17, 2021

The researchers at Microsoft Threat Intelligence Center (MSTIC) are warning of increasingly sophisticated operations carried out by Iranian threat actors.

The Microsoft Threat Intelligence Center (MSTIC) shared the results of their analysis on the evolution of Iran-linked threat actors at the CyberWarCon 2021. Over the past 12 months, MSTIC experts observed increasingly sophisticated attacks orchestrated by Iranian APT groups.

The analysis focuses on six Iranian hacking groups that are increasingly utilizing ransomware to either fundraise or disrupt the computer networks of the targets.

Experts pointed out that Iranian threat actors operators are more patient and persistent with their social engineering campaigns, however, they continue to conduct aggressive brute force attacks on their targets.

Since September 2020, researchers analyzed the ransomware operations conducted by six Iranian threat groups that were launched in waves every six to eight weeks on average.

One of the campaigns monitored by the experts and conducted by PHOSPHORUS APT group leveraged known vulnerabilities in Fortinet FortiOS SSL VPN and Microsoft Exchange Servers to deploy ransomware on vulnerable networks. 

“In the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN that were vulnerable to CVE-2018-13379. This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN appliances.” reads the post published by Microsoft. “The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).”

Another Iran-linked APT group analyzed by Microsoft tracked as CURIUM that was characterized by a great deal of patience in its operations. The CURIUM group leverage a network of fake social media accounts to trick the victims into installing malware.

The fake social media accounts used by the group were usually masqueraded as attractive women, the accounts were used to win the trust of the victims by chatting with them and tricking them into opening a weaponized document to start the infection process.

In October 2021, researchers at Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) uncovered a malicious activity cluster, tracked as DEV-0343, that is targeting the Office 365 tenants of US and Israeli defense technology companies.

Threat actors are launching extensive password spraying attacks aimed at the target organizations, the malicious campaign was first spotted in July 2021.

Microsoft added that password spray attacks on Office 365 accounts with multifactor authentication (MFA) enabled failed.

The DEV-0343 focuses on defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems.

The group was aggressive using brute force attacks to obtain access to Office 365 accounts.

DEV-0343 group was also spotted targeting the same account on the same tenant being targeted by other known Iranian threat actors tracked as Europium, a circumstance that suggests a form of coordination between the campaigns of the groups.

Below is the conclusion of the study:

“As Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:

  • Information operations
  • Disruption and destruction
  • Support to physical operations

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Operation Cyclone)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment