
According to Microsoft, password spraying attacks have been directed at more than 250 Office 365 tenants, with a focus on the Israeli and US defence technology sector. In a password spray, attackers try a small number of common passwords against many accounts at once, staying under the per-account lockout threshold that a brute-force attack on a single account would trip. The technique succeeds wherever some users have chosen one of those common passwords and no second factor stands between the password and the mailbox.

The cyberattacks were focused on a significant infrastructure organization located in the Persian Gulf and were carried out by a group, likely Iranian, that Microsoft tracks as DEV-0343. A DEV designation is the temporary name Microsoft gives to an emerging cluster of threat activity it has not yet attributed to a known, named actor; once attribution is firm the cluster can be merged into a named group, including a state-sponsored one.

The Microsoft Threat Intelligence Center (MSTIC) stated that it observed DEV-0343 “conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defence technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.”

Microsoft said that fewer than 20 of the targeted tenants were successfully compromised.

Organizations that consistently enforce multi-factor authentication are far less likely to be compromised by password spraying, because a correctly guessed password alone is not enough to sign in.

The group targets Israeli, EU and US organizations, and the companies supporting them, that produce drones, emergency response communication systems, military radars, geospatial analytics and satellite systems, as well as maritime and cargo transportation companies and Persian Gulf ports in the region.

According to Microsoft:

“Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans. Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program.”

Last week, Microsoft raised a red flag over Russian state-sponsored hacking, calling Russian intelligence hackers an active threat across the globe and describing the Kremlin-backed groups as highly effective and prolific. The same report also noted a significant rise in Iranian hacking directed at Israeli entities.

In Microsoft’s latest Digital Defense Report, the company noted:

“This year marked a near quadrupling in the targeting of Israeli entities, a result exclusively of Iranian actors, who focused on Israel as tensions sharply escalated between the adversaries”

Microsoft’s recent warning to Israeli and US organizations with a presence in the Middle East advises them to stay vigilant and to look for suspicious connections from Tor exit nodes, both on their networks and in their tenant sign-in logs.

Microsoft warned them in a blog post:

“DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.”

Microsoft added that DEV-0343’s spraying typically targets two Exchange endpoints, Autodiscover and ActiveSync. Both accept legacy basic authentication, which does not prompt for a second factor, so a correct guess is confirmed immediately; that lets the group validate which accounts and passwords are live and refine its subsequent sprays.
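The signal a defender can act on is the one the description above gives away: one source failing against many distinct accounts in a short window, from Tor, with a Firefox user agent, during Iranian working hours, against ActiveSync and Autodiscover. The script below is an added example, not code from Microsoft’s post or from the original article. It runs simple spray detection over a handful of constructed Office 365 sign-in records and enriches each finding with those traits. The Tor exit list, the IP addresses (RFC 5737 documentation ranges), the accounts, the events and the thresholds (five distinct accounts within one hour) are all assumptions to be replaced with your own feed, logs and tuning.

```python
"""Password-spray detection over constructed Office 365 sign-in records.

A spray tries one or a few passwords against many accounts, so the signal is
many DISTINCT accounts failing from one source, not many failures on one
account (that is brute force, and per-account lockout already catches it).
"""
from collections import defaultdict
from datetime import datetime, time, timedelta, timezone

# Assumption: a Tor exit-node feed. These are RFC 5737 documentation
# addresses standing in for real relays (constructed, not real Tor exits).
TOR_EXIT_IPS = {"198.51.100.7", "198.51.100.23", "203.0.113.9"}

# Exchange endpoints named by Microsoft; both accept legacy basic auth.
LEGACY_ENDPOINTS = {"Autodiscover", "Exchange ActiveSync"}

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
EDGE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/94.0"


def _ev(ts, user, ip, app, status, ua=FIREFOX_UA):
    """Build one sign-in record (field names loosely follow Azure AD sign-in logs)."""
    return {"ts": ts, "user": user, "ip": ip, "app": app, "status": status, "ua": ua}


# Constructed sample. 2021-10-12 is a Tuesday, and 09:xx UTC sits inside the
# Sunday-Thursday 04:00-17:00 UTC window MSTIC describes for DEV-0343.
SAMPLE_EVENTS = [
    # One Tor exit, one guessed password, six distinct accounts in 18 minutes.
    _ev("2021-10-12T09:00:00Z", "a.levi@example.com", "198.51.100.7", "Exchange ActiveSync", "failure"),
    _ev("2021-10-12T09:03:00Z", "b.cohen@example.com", "198.51.100.7", "Exchange ActiveSync", "failure"),
    _ev("2021-10-12T09:06:00Z", "c.smith@example.com", "198.51.100.7", "Autodiscover", "failure"),
    _ev("2021-10-12T09:10:00Z", "d.jones@example.com", "198.51.100.7", "Autodiscover", "failure"),
    _ev("2021-10-12T09:14:00Z", "e.brown@example.com", "198.51.100.7", "Exchange ActiveSync", "failure"),
    _ev("2021-10-12T09:18:00Z", "f.khan@example.com", "198.51.100.7", "Exchange ActiveSync", "failure"),
    # The campaign rotates to a second Tor exit and one guess lands.
    _ev("2021-10-12T09:25:00Z", "f.khan@example.com", "198.51.100.23", "Exchange ActiveSync", "success"),
    # Benign noise: one user mistypes twice from the office, then gets in.
    _ev("2021-10-12T10:00:00Z", "g.ito@example.com", "192.0.2.10", "Outlook Web App", "failure", EDGE_UA),
    _ev("2021-10-12T10:00:30Z", "g.ito@example.com", "192.0.2.10", "Outlook Web App", "failure", EDGE_UA),
    _ev("2021-10-12T10:01:00Z", "g.ito@example.com", "192.0.2.10", "Outlook Web App", "success", EDGE_UA),
]


def parse_ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample as aware UTC."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_dev0343_window(dt):
    """True if dt (UTC) falls on Sunday-Thursday between 04:00 and 17:00 UTC."""
    return dt.weekday() in (6, 0, 1, 2, 3) and time(4, 0) <= dt.time() <= time(17, 0)


def detect_spray(events, window=timedelta(hours=1), min_accounts=5):
    """Flag each source IP whose failed sign-ins touch at least `min_accounts`
    distinct accounts inside some sliding `window`. Thresholds are assumptions
    to tune per tenant. Returns one finding dict per flagged IP."""
    failures = defaultdict(list)
    for e in events:
        if e["status"] == "failure":
            failures[e["ip"]].append((parse_ts(e["ts"]), e))

    findings = []
    for ip, evs in failures.items():
        evs.sort(key=lambda pair: pair[0])
        peak = 0
        for i, (t0, _) in enumerate(evs):
            # evs is time-sorted, so everything from index i on is at or after t0.
            users = {e["user"] for t, e in evs[i:] if t - t0 <= window}
            peak = max(peak, len(users))
        if peak < min_accounts:
            continue
        findings.append({
            "ip": ip,
            "distinct_accounts": peak,
            "tor_exit": ip in TOR_EXIT_IPS,
            "in_dev0343_hours": all(in_dev0343_window(t) for t, _ in evs),
            "firefox_ua": all("Firefox" in e["ua"] for _, e in evs),
            "legacy_endpoints": sorted({e["app"] for _, e in evs if e["app"] in LEGACY_ENDPOINTS}),
        })
    return findings


def successes_from_tor(events):
    """Accounts that signed in successfully from a Tor exit: the guess landed,
    so these are the passwords to reset first and the sessions to revoke."""
    return sorted({e["user"] for e in events
                   if e["status"] == "success" and e["ip"] in TOR_EXIT_IPS})


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print("spray from", f["ip"], f)
    print("compromised:", successes_from_tor(SAMPLE_EVENTS))
```

The benign user who mistypes twice from the office is not flagged, because the count is of distinct accounts per source, not failures per account. Note that the successful sign-in comes from a second Tor exit that never produced a failure, which is why the compromised-account check keys on the Tor list rather than on the flagged spraying IP alone; with 150 to 1,000+ exit addresses per campaign, the IP that lands the guess is rarely the one that did the guessing.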

Microsoft’s primary recommendation is to enable multi-factor authentication, so that a sprayed password on its own cannot be used to sign in remotely. It also recommends reviewing and enforcing Exchange Online access policies (in particular, restricting or disabling the legacy basic authentication that ActiveSync and Autodiscover accept without a second factor), auditing admin accounts regularly, and blocking, or at least alerting on, incoming traffic from Tor and other anonymizing services wherever possible.