EXECUTIVE SUMMARY:

A hacking group is targeting defense companies that produce drone and satellite technology, maritime shipping conglomerates and other organizations with ties to the Middle East.

The threat actor, tracked by Microsoft as DEV-0343, has been observed targeting Persian Gulf ports, international defense technology groups, global maritime transportation enterprises and other organizations with connections to the Middle East. DEV-0343's ultimate aim is to take over Microsoft Office 365 accounts.

Microsoft started documenting DEV-0343’s activities in late July of this year. On Monday, Microsoft provided further information about the group’s espionage activities. The attackers seem focused on “conducting extensive password spraying” in relation to Office 365 accounts.

“Password spraying” is a credential attack in which a small set of likely passwords is tried across many usernames, rather than many passwords against a single account; keeping the attempts per account low is what lets the attacker slip under lockout thresholds that a plain brute-force attempt would trip. In this campaign, the attackers work through “dozens to hundreds of accounts” within each targeted enterprise, and Microsoft reports seeing each individual account enumerated dozens to thousands of times.

250 organizations hit

The campaign has hit roughly 250 organizations that use Microsoft’s cloud-based Office suite. Fewer than 20 of the targeted groups have suffered compromise. Nonetheless, the threat actors are refining their techniques and the number of organizations contending with compromise may rise.

At present, attacks are executed using an emulated Firefox or Chrome browser and rotating IP addresses hosted on a Tor proxy network, according to researchers. A campaign typically uses between 150 and 1,000+ unique IP addresses, which obscures the operational infrastructure behind it.

“Changing the IP address for every password attempt is becoming a more common technique among sophisticated threat groups,” states Microsoft. “Often, threat groups randomize the user agent they are using as well as IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP addresses. These services are often enabled through malicious browser plugins.”

Because the source addresses are borrowed proxies that change constantly, IP-based indicators of compromise (IoCs) are of limited use; the behavioural patterns below are a more durable basis for detection.

Patterns observed include

  • A high volume of inbound traffic from Tor IP addresses during password spray campaigns
  • Emulation of Firefox or Chrome browsers within spray campaigns
  • Enumeration of Exchange ActiveSync or Autodiscover endpoints
  • Use of a password spray tool that resembles the open-source “o365spray” tool
  • Use of Autodiscover to validate accounts and credentials

Attackers commonly target two Exchange endpoints, Autodiscover and ActiveSync, as part of the enumeration/password spray tooling in use, Microsoft says. Both are legacy (basic authentication) endpoints, so they answer a credential check without an MFA challenge; this lets DEV-0343 confirm which accounts exist and which passwords are valid, and keep refining the password spray campaign from there.
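The detection patterns above (many users hit with few attempts each, source IPs and user agents rotating per attempt, a high Tor share, failures concentrated on the legacy ActiveSync and Autodiscover endpoints) can be checked directly from sign-in telemetry. The following is an added example, not code from the article, Microsoft or Cyber Talk: it triages a batch of Office 365 sign-in events, separates a spray (many users, few tries each) from a brute-force run (one user, many tries), and flags any account that then signed in successfully from one of the spraying IPs. The log lines are constructed for the example in a simplified `timestamp|user|source_ip|user_agent|application|error_code` shape (a real Azure AD sign-in export carries many more fields), and the Tor exit-node set is a placeholder for a real exit-list feed.

```python
"""Triage Office 365 sign-in events for a DEV-0343-style password spray.

Added example, not code from the article or from Microsoft. Sample log lines
and the Tor exit-node set are constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass

# Azure AD sign-in error 50126 is "invalid username or password"; 0 is success.
ERR_BAD_PASSWORD = 50126

# Assumption: in production this comes from a Tor exit-node feed; constructed here.
TOR_EXIT_IPS = {"198.51.100.7", "198.51.100.8", "198.51.100.9", "203.0.113.5"}

# Legacy (basic-auth) Exchange endpoints the group used to validate accounts.
LEGACY_APPS = {"Exchange ActiveSync", "Autodiscover"}

FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
CHROME = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/94.0 Safari/537.36"

# Constructed sample: one guess per user across seven users, exit IP and user
# agent rotating almost every attempt, all via legacy endpoints, then a success
# from one of the spraying IPs, followed by an unrelated benign Outlook sign-in.
SPRAY_LOG = "\n".join([
    f"2021-10-04T07:31:02Z|a.karimi@example-port.com|198.51.100.7|{FIREFOX}|Exchange ActiveSync|50126",
    f"2021-10-04T07:31:05Z|b.nasser@example-port.com|198.51.100.8|{CHROME}|Autodiscover|50126",
    f"2021-10-04T07:31:09Z|c.haddad@example-port.com|203.0.113.5|{FIREFOX}|Exchange ActiveSync|50126",
    f"2021-10-04T07:31:12Z|d.farouk@example-port.com|198.51.100.9|{CHROME}|Autodiscover|50126",
    f"2021-10-04T07:31:15Z|e.mansour@example-port.com|203.0.113.44|{FIREFOX}|Exchange ActiveSync|50126",
    f"2021-10-04T07:31:19Z|f.said@example-port.com|198.51.100.7|{CHROME}|Autodiscover|50126",
    f"2021-10-04T07:31:22Z|g.obeid@example-port.com|198.51.100.8|{FIREFOX}|Exchange ActiveSync|50126",
    f"2021-10-04T07:32:01Z|a.karimi@example-port.com|203.0.113.5|{CHROME}|Autodiscover|50126",
    f"2021-10-04T07:32:04Z|c.haddad@example-port.com|198.51.100.9|{FIREFOX}|Exchange ActiveSync|0",
    "2021-10-04T07:45:00Z|h.mattar@example-port.com|192.0.2.10|Outlook/16.0|Exchange Online|0",
])

# Constructed contrast case: one user hammered twelve times from a single IP.
BRUTE_LOG = "\n".join(
    f"2021-10-04T09:00:{i:02d}Z|b.ali@example-port.com|192.0.2.10|Outlook/16.0|Exchange Online|50126"
    for i in range(12)
)


@dataclass(frozen=True)
class SignIn:
    ts: str
    user: str
    ip: str
    user_agent: str
    app: str
    error: int


def parse_line(line: str) -> SignIn:
    ts, user, ip, ua, app, err = line.split("|")
    return SignIn(ts, user, ip, ua, app, int(err))


def analyze(log_text: str, min_users: int = 5, min_ips: int = 3,
            max_per_user: int = 5, brute_threshold: int = 10) -> dict:
    """Summarise failed sign-ins and classify them as spray, brute force or neither."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    fails = [e for e in events if e.error == ERR_BAD_PASSWORD]
    per_user = Counter(e.user for e in fails)          # failures per account
    ips = {e.ip for e in fails}                         # distinct spraying sources
    uas = {e.user_agent for e in fails}                 # user-agent churn
    tor_share = len(ips & TOR_EXIT_IPS) / len(ips) if ips else 0.0
    legacy = sum(1 for e in fails if e.app in LEGACY_APPS)
    # A success from an IP that also produced spray failures means a guessed
    # password worked: treat that account as probably compromised.
    compromised = sorted({e.user for e in events if e.error == 0 and e.ip in ips})

    heaviest = max(per_user.values(), default=0)
    if len(per_user) >= min_users and len(ips) >= min_ips and heaviest <= max_per_user:
        verdict = "password_spray"   # many accounts, few tries each
    elif len(per_user) == 1 and heaviest >= brute_threshold:
        verdict = "brute_force"      # one account, many tries
    else:
        verdict = "none"
    return {
        "verdict": verdict,
        "failures": len(fails),
        "distinct_users": len(per_user),
        "distinct_ips": len(ips),
        "ip_rotation": round(len(ips) / len(fails), 2) if fails else 0.0,
        "tor_share": tor_share,
        "user_agents": len(uas),
        "legacy_auth_failures": legacy,
        "likely_compromised": compromised,
    }


if __name__ == "__main__":
    for name, log in (("spray", SPRAY_LOG), ("brute", BRUTE_LOG)):
        print(name, analyze(log))
```

The thresholds are deliberately tunable: a small tenant will see fewer distinct users per spray, and `ip_rotation` close to 1.0 (a fresh IP per failure) is the signature of the proxy rotation Microsoft describes, whereas a single-IP brute force scores near 0. Run the same classifier per application so that legacy-endpoint failures are not diluted by ordinary interactive sign-ins.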

Microsoft assesses that DEV-0343 is operating in support of Iranian state interests: “Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans…Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program.”

Office 365 account protection

Organizations can blunt password spraying by enabling multi-factor authentication for all users. Other defensive measures include moving to passwordless sign-in, such as Microsoft Authenticator, to secure accounts; blocking ActiveSync clients from bypassing Conditional Access policies; and blocking all incoming traffic from anonymizing services, where possible. Note that MFA only protects the paths that enforce it: legacy basic-authentication clients such as ActiveSync never present an MFA challenge, so a sprayed password still works there unless legacy authentication is disabled or fenced off by Conditional Access, which is why the ActiveSync point matters.

For more information about attempts to disrupt infrastructure and military operations, see Cyber Talk’s past coverage.