Microsoft Exposes Iran-linked DEV-0343 Targeting Defense and Maritime Sectors
Table of Contents
- What is DEV-0343
- When was it discovered?
- Who was affected
- Password Spraying
- Technique used
- Nearly 20 accounts breached
- Microsoft Observed Behaviors
- Recommended Defense Techniques
DEV-0343 is an Iran-backed hacking crew that Microsoft (an American multinational technology company) recently blamed for cyber espionage against Persian Gulf countries, the US, and Israel.
Microsoft alleges that the group has been password spraying 250 Office 365 customers. This is not new: Iran has been blamed for many other cybercrimes, including ransomware attacks and the hacking of US banks.
Targeting in this DEV-0343 activity has been concentrated on defense companies that support European Union, United States, and Israeli government partners and that produce drone technology, military-grade radars, emergency response communication systems, and satellite systems.
Researchers at Microsoft say
This new DEV-0343 malicious cluster was discovered by the Microsoft Threat Intelligence Center (MSTIC), which observed it and began tracking it in late July 2021.
Microsoft says that this group of attacks, which is still ongoing, has targeted US and Israeli defense technology.
Microsoft designated the group DEV-0343 and linked it back to Iran because of similarities in offensive techniques, targets, and other patterns.
Defense companies that support United States, European Union, and Israeli government partners and that produce technology such as military-grade radar equipment, drone technology, satellite systems, and emergency response communication systems were seen being targeted.
However, Microsoft notes that accounts with multifactor or two-factor authentication held up against these attacks. That is why every cyber security consultant pushes for these controls: two-factor authentication is much harder to bypass.
Microsoft assesses that this DEV-0343 activity supports the Islamic Republic of Iran's national interests, based on pattern-of-life analysis, extensive overlap in geographic and sectoral targeting with Iranian actors, and alignment of targets and techniques with another actor originating in Iran.
- Conflict between Iran and Israel
Microsoft's assessment is that this targeting supports the Iranian government in tracking maritime shipping and adversary security services in the Middle East so that it can enhance its contingency plans.
Israel and Iran have blamed each other for attacks on ships in the Middle East, and gaining access to proprietary shipping plans, commercial satellite imagery, and logs could help Iran compensate for its still-developing satellite program.
Given Iran's alleged past cyber and military attacks against maritime and shipping targets, Microsoft believes this activity increases the risk to companies in these sectors. Microsoft encourages its customers in these industries and geographic regions to review the information it has shared to defend themselves against this threat.
This is not the first time Iran has been blamed for targeting Israel.
Microsoft says in its latest Digital Defense Report that
This year marked a nearly quadrupled targeting of Israeli entities, a result exclusively of Iranian actors, who focused on Israel as tensions sharply escalated between the adversaries.
Password spraying is a technique attackers use to guess credentials by keeping the password constant and rotating the username.
The one password is tried against a whole list of guessed usernames; eventually it matches one of them, the password is cracked, and the attacker is granted access.
This technique is a variant of brute-forcing (the username, not the password, is what varies).
- DEV-0343 approach
Microsoft's security teams say that the password spraying attacks are conducted over the Tor network (Tor prevents anyone watching your connection from learning which websites you visit, offering a high degree of anonymity).
DEV-0343 used Tor IP addresses and mimicked a Firefox browser user agent, and it was active during Iran's working day: Sunday through Thursday, between 7:30 AM and 8:30 PM Iran time (04:00:00 to 17:00:00 UTC).
According to the OS maker, on average between 150 and more than 1,000 unique Tor IP addresses were used in attacks against each organization.
When the attackers mount an attack, they first enumerate active employee accounts within an organization and then move on to the actual password spraying.
To enumerate accounts, they abuse two Exchange email server features, namely Autodiscover and ActiveSync.
This allows DEV-0343 to validate active accounts and passwords and further refine its password spraying attack.
According to Microsoft, nearly 20 accounts have been compromised by the group. Although this number may look small, these accounts held information that was very important to the companies.
In the end, there is no denying that every employee holds important information about their company.
In this case, accounts have been hacked, and the attackers now hold valuable information that can be used against the company.
The list below gives a series of behaviors that Microsoft observed the attackers using. Microsoft has advised its customers to look for similar patterns in their logs and network activity.
- Large-scale inbound traffic from Tor IP addresses for password spray campaigns
- Mimicking Firefox (most common) or Chrome browser user agents in password spray campaigns
- Enumeration of Autodiscover endpoints or Exchange ActiveSync (most common)
- Use of a password spray tool such as 'o365spray', which can be found at https://github.com/0xZDH/o365spray
- Use of Autodiscover to validate accounts and passwords
- Observed password spray activity commonly peaks between 04:00:00 and 11:00:00 UTC
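As an added example (not Microsoft's code or the article's), the detection logic below turns the password spraying definition and the observed behaviors listed above into a check over sign-in log records: one source IP failing against many distinct accounts in a short window, plus the Tor, Firefox and 04:00-11:00 UTC indicators. The event format, IP addresses, usernames and Tor exit list are all constructed for the example.

```python
"""Password-spray detection over sign-in logs (added example, not Microsoft's code).
A spray keeps one password fixed and rotates usernames, so it shows up as ONE source IP
failing against MANY distinct accounts in a short window, the inverse of one account
failing repeatedly. Log format and indicator values below are constructed."""
from collections import defaultdict
from datetime import datetime, timezone
# Constructed events: (utc_timestamp, username, source_ip, user_agent, success)
EVENTS = [
    ("2021-07-20T05:01:00Z", "a.smith",  "198.51.100.7", "Firefox/89.0", False),
    ("2021-07-20T05:02:00Z", "b.jones",  "198.51.100.7", "Firefox/89.0", False),
    ("2021-07-20T05:03:00Z", "c.khan",   "198.51.100.7", "Firefox/89.0", False),
    ("2021-07-20T05:04:00Z", "d.lee",    "198.51.100.7", "Firefox/89.0", False),
    ("2021-07-20T05:05:00Z", "e.olsen",  "198.51.100.7", "Firefox/89.0", False),
    ("2021-07-20T05:06:00Z", "f.garcia", "198.51.100.7", "Firefox/89.0", True),   # the spray lands
    ("2021-07-20T09:10:00Z", "a.smith",  "203.0.113.5",  "Chrome/92.0",  False),  # a user mistypes,
    ("2021-07-20T09:11:00Z", "a.smith",  "203.0.113.5",  "Chrome/92.0",  False),  # then gets in
    ("2021-07-20T09:12:00Z", "a.smith",  "203.0.113.5",  "Chrome/92.0",  True),
]
# Constructed stand-in for a Tor exit-node list (the real list is published by the Tor Project).
TOR_EXITS = {"198.51.100.7", "198.51.100.8"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_spray(events, min_users=5, window_minutes=30):
    """{source_ip: sorted usernames} for IPs whose failures cover >= min_users accounts in a window."""
    failures = defaultdict(list)
    for ts, user, ip, _ua, ok in events:
        if not ok:
            failures[ip].append((parse_ts(ts), user))
    hits = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):  # slide a window starting at each failure
            users = {u for t, u in fails[i:] if (t - t0).total_seconds() <= window_minutes * 60}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits

def spray_successes(events, hits):
    """Accounts that DID authenticate from a spraying IP: treat these as compromised."""
    return {ip: sorted({u for _, u, src, _, ok in events if ok and src == ip}) for ip in hits}

def dev0343_indicators(events, ip):
    """The DEV-0343 behaviors Microsoft listed, checked for one source IP:
    Tor exit, Firefox user agent, and all activity inside the 04:00-11:00 UTC peak."""
    rows = [e for e in events if e[2] == ip]
    return {"tor_exit": ip in TOR_EXITS,
            "firefox_ua": any("Firefox" in e[3] for e in rows),
            "peak_hours_utc": all(4 <= parse_ts(e[0]).hour < 11 for e in rows)}
```

The legitimate user at 203.0.113.5 fails twice on a single account and is not flagged; the spraying IP is flagged on the fifth distinct username, and its one successful sign-in is reported as a compromised account.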
- Enable multifactor or two-factor authentication.
- Block all unwanted incoming traffic where possible.
- Review and enforce Exchange Online policies.
- Use unique passwords, never reuse them, and include special characters.
- Microsoft encourages all customers to download and use passwordless solutions such as Microsoft Authenticator to secure accounts.
DEV-0343's campaign breached the aforementioned defense companies and took valuable information from them. This attack could have been mitigated if the companies had implemented a strong password policy.
Moreover, Iran has been blamed many times by these companies, for everything from data theft to voter intimidation, and this is not the first time attackers have targeted Autodiscover and ActiveSync.
Recently, Microsoft disclosed a flaw in Exchange that allowed attackers to collect user data and credentials en masse.