Microsoft: threat actor carries out password sprays against US and Israeli defense industry
Microsoft has said it is tracking what it believes to be an Iran-based threat actor that has been observed carrying out a "massive password spray" against more than 250 organizations, including US and Israeli defense technology companies.
Other targets include ports of entry in the Persian Gulf and global shipping companies doing business in the Middle East. Because the targets are companies that support Iran's geopolitical adversaries and are also frequently targeted by Iranian actors, Microsoft believes this activity originated in Iran.
Microsoft has assigned the designation DEV-0343 to this threat activity cluster, which allows the Microsoft Threat Intelligence Center to track it as a single cluster of information until it reaches high confidence about the origin or identity of the actor behind it.
According to Microsoft's security blog, fewer than 20 of the more than 250 targeted Office 365 tenants have been successfully compromised, but the group continues to evolve and refine its attacks.
Specifically, the attacks target defense companies in the United States, Israel, and the European Union that produce military-grade radar, drone technology, satellite systems, and emergency response communication systems.
Given these targets, Microsoft believes the activity supports the Iranian government's efforts to track adversary security services and shipping in the Middle East in order to improve its contingency plans, the company said.
"Accessing commercial satellite imagery and proprietary shipping plans and logs could help Iran offset the expansion of its satellite program," Microsoft said. "In light of Iran's past cyber and military attacks on maritime and shipping targets, Microsoft believes this activity increases the risk to companies in these industries, and we encourage our customers in these industries and geographies to review the information shared in this blog to defend against this threat."
According to the blog, the password sprays emulate a Firefox browser and originate from IP addresses hosted on a Tor proxy network, and they are most active between Sunday and Thursday, from 7:30 a.m. to 8:30 p.m. Iran time.
Up to hundreds of accounts within a single organization are targeted, and on average between 150 and 1,000 unique Tor proxy IP addresses are used in these attacks.
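The pattern described above (many accounts per tenant, each hit only a few times, from many proxy IPs, a Firefox user agent, and a Sunday-to-Thursday daytime schedule in Iran time) is what a defender would hunt for in sign-in logs. The following detector is an added example written for this article; it is not Microsoft's code and not taken from the blog. It runs over a constructed sample log embedded inline, uses simplified field names (`ts`, `user`, `ip`, `user_agent`, `success`), assumes a fixed UTC+03:30 offset for Iran time (ignoring historical daylight-saving shifts), and uses illustrative thresholds (at least 10 distinct accounts in an hour with a mean of at most 3 failures per account) that a real deployment would tune to its own tenant.

```python
"""Hunt for password-spray patterns in sign-in logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean

# Assumption: fixed UTC+03:30 for Iran time; daylight-saving history is ignored.
IRAN_TZ = timezone(timedelta(hours=3, minutes=30))
# Python weekday(): Monday=0 ... Sunday=6, so this set is Sunday through Thursday.
ACTIVE_WEEKDAYS = {6, 0, 1, 2, 3}
ACTIVE_START = timedelta(hours=7, minutes=30)
ACTIVE_END = timedelta(hours=20, minutes=30)


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2021-10-11T05:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_reported_activity_window(ts_utc: datetime) -> bool:
    """True if the event falls on Sunday-Thursday between 07:30 and 20:30 Iran time."""
    local = ts_utc.astimezone(IRAN_TZ)
    time_of_day = timedelta(hours=local.hour, minutes=local.minute)
    return local.weekday() in ACTIVE_WEEKDAYS and ACTIVE_START <= time_of_day <= ACTIVE_END


def _event(ts, user, ip, user_agent, success):
    return {"ts": ts, "user": user, "ip": ip, "user_agent": user_agent, "success": success}


FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/94.0 Safari/537.36"

# Constructed sample log, not real telemetry. First, a spray: 12 accounts, one failure
# each, spread over 8 source IPs (TEST-NET-2 range), Monday 08:30 Iran time.
SAMPLE_EVENTS = [
    _event(f"2021-10-11T05:{i:02d}:00Z", f"user{i:02d}@example.test",
           f"198.51.100.{i % 8}", FIREFOX_UA, False)
    for i in range(12)
]
# Then benign noise: one user mistypes a password four times and then succeeds,
# on a Saturday at 06:30 Iran time, from a single IP with a Chrome user agent.
SAMPLE_EVENTS += [
    _event(f"2021-10-09T03:0{i}:00Z", "alice@example.test", "203.0.113.7", CHROME_UA, i == 4)
    for i in range(5)
]


def detect_spray(events, min_accounts=10, max_mean_failures=3.0):
    """Flag hour buckets where many distinct accounts each fail a few times.

    A spray is "low and slow" per account but wide across accounts, which is the
    inverse of a brute force against one account, so the mean failures per
    account is kept low while the distinct-account count is high.
    """
    buckets = defaultdict(list)
    for e in events:
        if not e["success"]:
            ts = parse_ts(e["ts"])
            buckets[ts.replace(minute=0, second=0)].append((ts, e))

    findings = []
    for hour, failed in sorted(buckets.items()):
        per_account = defaultdict(int)
        for _, e in failed:
            per_account[e["user"]] += 1
        if len(per_account) < min_accounts or mean(per_account.values()) > max_mean_failures:
            continue
        # Enrichment an analyst would want: how many sources, and how well the
        # burst matches the reported Firefox user agent and operating hours.
        findings.append({
            "hour_utc": hour.isoformat(),
            "accounts": len(per_account),
            "source_ips": len({e["ip"] for _, e in failed}),
            "firefox_share": sum("Firefox" in e["user_agent"] for _, e in failed) / len(failed),
            "in_activity_window_share": sum(in_reported_activity_window(ts) for ts, _ in failed) / len(failed),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_EVENTS):
        print(finding)
```

Only the 12-account burst is reported; Alice's four failures stay below the distinct-account threshold. In practice the source IP set would additionally be checked against a Tor exit-node list, and the hour bucket would be replaced by a sliding window, since a spray that straddles an hour boundary would otherwise be split in two.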
To defend against this attack and similar password sprays, Microsoft advises enabling multi-factor authentication across all Office 365 accounts or using passwordless solutions such as Microsoft Authenticator.
The company also suggests reviewing and implementing the recommended Exchange Online access policies and blocking all inbound traffic from anonymization services wherever possible.