DEV-0343 is a new activity cluster that the Microsoft Threat Intelligence Center (MSTIC) first observed and began tracking in late July 2021. MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, and global maritime transportation companies with a business presence in the Middle East. Fewer than 20 of the targeted tenants were successfully compromised, but DEV-0343 continues to evolve its techniques to refine its attacks. MSTIC noted that Office 365 accounts with multifactor authentication (MFA) enabled are resilient against password sprays.
Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until it can reach high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor. As with any observed nation-state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to secure their accounts.
Targeting in this DEV-0343 activity has also been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.
This activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran. Microsoft assesses that this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance its contingency plans. Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program. Given Iran's past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors, and we encourage our customers in these industries and geographic regions to review the information shared in this blog to defend themselves from this threat.
DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. The group is most active between Sunday and Thursday, between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC), with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on its size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.
DEV-0343 operators typically target two Exchange endpoints, Autodiscover and ActiveSync, as a feature of the enumeration/password spray tool they use. This allows DEV-0343 to validate active accounts and passwords, and further refine their password spray activity.
DEV-0343 uses an extensive series of Tor IP addresses to obfuscate its operational infrastructure. Because of this, there is no static set of indicators of compromise (IOCs) for us to share tied to this activity. The list below provides a series of behaviors and tactics we have observed being used by the attackers. We encourage our customers to use this information to look for similar patterns in logs and network activity to identify areas for further investigation.
Extensive inbound traffic from Tor IP addresses for password spraying campaigns
Emulation of Firefox (most common) or Chrome browsers in password spray campaigns
Enumeration of Exchange ActiveSync (most common) or Autodiscover endpoints
Use of an enumeration/password spray tool similar to the 'o365spray' tool hosted at https://github.com/0xZDH/o365spray
Use of Autodiscover to validate accounts and passwords
Observed password spraying activity commonly peaking between 04:00:00 and 11:00:00 UTC
The following guidance can mitigate the techniques described in the threat activity:
Enable multifactor authentication to mitigate compromised credentials.
Block all incoming traffic from anonymizing services where possible.
Advanced hunting queries: Microsoft 365 Defender
To locate associated activity, run the following advanced hunting query in Microsoft 365 Defender:
AlertInfo
| where Title in~ ('Unusual sequence of failed logons to Exchange services', 'Unusual sequence of failed logons', 'Password spraying')
| join AlertEvidence on AlertId
Azure Sentinel customers can use the following detection queries to look for this activity:
The query below identifies evidence of password spray activity where ClientAppUsed is either Exchange ActiveSync or Autodiscover and the emulated browser is Chrome or Firefox. The query leverages Azure AD sign-in data to look for failures from multiple accounts from the same IP address within a time window. Details on whether there were successful authentications from that IP address within the same window are also included, since a success following a burst of failures can indicate that the spray landed. The default failed-account threshold is 5 and the default time window for failures is 20m.
let timeRange = 3d;
let lookBack = 7d;
let authenticationWindow = 20m;
let authenticationThreshold = 5;
let isGUID = "[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}";
let failureCodes = dynamic([50053, 50126]); // invalid password, account is locked - too many sign ins, expired password
let successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);
let ClientApps = dynamic(["AutoDiscover", "Exchange ActiveSync"]);
let BrowserList = dynamic(["Chrome", "Firefox"]);
// Look up resolved identities from the last 7 days
let aadFunc = (tableName:string){
// The body of this function did not survive extraction; the statements down to the
// FailedPrincipalCount filter are reconstructed from the description in the text above.
let identityLookup = table(tableName)
| where TimeGenerated >= ago(lookBack)
| where not(UserId matches regex isGUID)
| summarize by UserId, UserPrincipalName, UserDisplayName;
let authAttempts = table(tableName)
| where TimeGenerated > ago(timeRange)
| extend ResultType = toint(ResultType), Browser = tostring(DeviceDetail.browser)
| where ResultType in (failureCodes) or ResultType in (successCodes)
| where ClientAppUsed in (ClientApps) and Browser has_any (BrowserList)
| join kind=leftouter identityLookup on UserId
| extend UserPrincipalName = coalesce(UserPrincipalName, UserPrincipalName1);
// collect window threshold breaches: distinct accounts failing from one IP per window
let failures = authAttempts
| where ResultType in (failureCodes)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
    FailedPrincipalCount = dcount(UserPrincipalName), FailedPrincipals = make_set(UserPrincipalName),
    Browsers = make_set(Browser), ClientAppsUsed = make_set(ClientAppUsed)
    by IPAddress, WindowStart = bin(TimeGenerated, authenticationWindow)
| where FailedPrincipalCount >= authenticationThreshold;
// successes from the same IP in the same window, to show whether the spray landed
let successes = authAttempts
| where ResultType in (successCodes)
| summarize SuccessfulPrincipalCount = dcount(UserPrincipalName), SuccessfulPrincipals = make_set(UserPrincipalName)
    by IPAddress, WindowStart = bin(TimeGenerated, authenticationWindow);
failures
| join kind=leftouter successes on IPAddress, WindowStart
| project-away IPAddress1, WindowStart1
| extend SuccessfulPrincipalCount = coalesce(SuccessfulPrincipalCount, 0)
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
| where Browsers has_any (BrowserList)
// column renamed from ClientApps so it does not shadow the ClientApps variable
| where ClientAppsUsed has_any (ClientApps)
One of the results that the query surfaces is the IPAddress field from which the sign-in originated. Customers can leverage threat intel data that has detailed information on Tor exit nodes to join with this query and make it even higher fidelity. It is often worthwhile to have a list of all the known Tor exit nodes so that these can be used for matching in Azure Sentinel queries, or to block sign-ins from Tor exit nodes using Conditional Access. Azure Sentinel also provides playbooks that can leverage third-party providers of Tor information, like Big Data Cloud, to synchronize the list of known Tor exit nodes on an hourly basis. Here is the link to one such playbook: https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Update-NamedLocations-TOR/readme.md.
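As an added example (not code from the Microsoft post), the IP-centric logic of the query above implemented in Python over constructed sign-in events, so the 20-minute window and the 5-account threshold can be exercised offline. The CSV-like record format and the sample IPs, accounts and timestamps are assumptions made up for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Result codes, client apps and browsers mirror the Sentinel query above
FAILURE_CODES = {50053, 50126}
SUCCESS_CODES = {0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079,
                 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129}
CLIENT_APPS = {"AutoDiscover", "Exchange ActiveSync"}
BROWSERS = {"Chrome", "Firefox"}
WINDOW, THRESHOLD = timedelta(minutes=20), 5  # authenticationWindow, authenticationThreshold

def parse(line):
    # constructed record format: time,ip,upn,resultType,clientAppUsed,browser
    t, ip, upn, rc, app, browser = line.split(",")
    return {"time": datetime.fromisoformat(t), "ip": ip, "upn": upn,
            "result": int(rc), "app": app, "browser": browser}

def detect_spray(events, window=WINDOW, threshold=THRESHOLD):
    """Flag (IP, window) pairs in which one IP failed against at least `threshold`
    distinct accounts; successes from that IP in the window are kept alongside."""
    buckets = defaultdict(lambda: {"failed": set(), "succeeded": set()})
    for e in events:
        if e["app"] not in CLIENT_APPS or e["browser"] not in BROWSERS:
            continue
        # bin(TimeGenerated, authenticationWindow): floor the timestamp to the window start
        start = e["time"] - (e["time"] - datetime.min) % window
        bucket = buckets[(e["ip"], start)]
        if e["result"] in FAILURE_CODES:
            bucket["failed"].add(e["upn"])
        elif e["result"] in SUCCESS_CODES:
            bucket["succeeded"].add(e["upn"])
    return {k: v for k, v in buckets.items() if len(v["failed"]) >= threshold}

# Constructed sample: one IP sprays five mailboxes inside one 20-minute window and
# then signs in as one of them; a second IP only produces background noise
SAMPLE_LOG = """\
2021-10-10T09:01:00,198.51.100.7,alice@example.com,50126,Exchange ActiveSync,Firefox
2021-10-10T09:03:00,198.51.100.7,bob@example.com,50126,Exchange ActiveSync,Firefox
2021-10-10T09:05:00,198.51.100.7,carol@example.com,50126,AutoDiscover,Firefox
2021-10-10T09:08:00,198.51.100.7,dave@example.com,50053,Exchange ActiveSync,Firefox
2021-10-10T09:12:00,198.51.100.7,erin@example.com,50126,Exchange ActiveSync,Firefox
2021-10-10T09:15:00,198.51.100.7,erin@example.com,0,Exchange ActiveSync,Firefox
2021-10-10T09:30:00,203.0.113.9,alice@example.com,50126,Exchange ActiveSync,Firefox
2021-10-10T09:31:00,203.0.113.9,bob@example.com,50126,Browser,Chrome
"""

def run_sample():
    return detect_spray([parse(line) for line in SAMPLE_LOG.splitlines()])
```

On the sample, only 198.51.100.7 in the 09:00 window crosses the threshold, and the bucket also records the later success as erin@example.com, which is the signal an analyst would triage first.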
Next, we have another hunting query that identifies instances where a single user account has seen a high incidence of failed attempts from highly volatile IP addresses. Varying the IP address for every password attempt is becoming a more common technique among sophisticated threat groups. Often, threat groups randomize the user agent they are using as well as the IP address. This technique has been enabled by the emergence of services that offer huge numbers of residential IP addresses; these services are often enabled through malicious browser plugins. This query is best executed over longer timeframes. Results with the most prominent "IPs", "Failures" and "DaysWithAttempts" values are good candidates for further investigation. This query intentionally does not cluster on UserAgent, IP, etc.; it clusters on the highly volatile IP behavior.
let timeRange = 14d;
let UnsuccessfulLoginCountryThreshold = 5; // Number of failed countries attempting to login, good way to filter.
let ClientApps = dynamic(["AutoDiscover", "Exchange ActiveSync"]);
let BrowserList = dynamic(["Chrome", "Firefox"]);
SigninLogs
| where TimeGenerated > ago(timeRange)
// Limit to username/password failure errors, most common when bruteforcing/spraying
| where ResultType has_any ("50126", "50053")
// Narrowing the result even further to client apps and browsers that are seen in this attack.
| where ClientAppUsed in (ClientApps)
| extend Browser = tostring(DeviceDetail.browser)
| where Browser has_any (BrowserList)
// Find instances where an IP has only been used once
| summarize IPLogins = count(), make_list(TimeGenerated) by IPAddress, Location, UserPrincipalName
| where IPLogins == 1
// We only keep instances where there is 1 event, so we know there will only be one datetime in the list
| extend LoginAttemptTime = format_datetime(todatetime(list_TimeGenerated[0]), 'dd-MM-yyyy')
// So far we've only collected failures; we join back to the log to ensure there were no successful logins from the IP
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(timeRange)
    | where ResultType == 0
    | summarize count() by IPAddress, UserPrincipalNameSuccess = UserPrincipalName
) on $left.IPAddress == $right.IPAddress
// Where there have been fewer than 2 successful logins from the IP
| where count_ < 2 or isempty(count_)
// Confirm that the result is for the same account where possible
| where UserPrincipalName == UserPrincipalNameSuccess or isempty(UserPrincipalNameSuccess)
// Summarize the collected details around the user's email address
// (only IPs survived extraction here; the other aggregations are reconstructed from the columns the final project expects)
| summarize IPs = dcount(IPAddress), IPAddresses = make_set(IPAddress), Failures = count(),
    DaysWithAttempts = dcount(LoginAttemptTime), IPAddressLocations = make_set(Location),
    UnsuccessfulLoginCountryCount = dcount(Location) by UserPrincipalName
// Join back to get countries the user has successfully authenticated from to compare with failures
| join kind=leftouter (
    SigninLogs
    | where TimeGenerated > ago(timeRange)
    | where ResultType == 0
    // If there is no location, make the output cleaner
    | extend Location = iff(isempty(Location), "NODATA", Location)
    | summarize SuccessfulLoginCountries = make_set(Location), SuccessfulLoginCountryCount = dcount(Location) by UserPrincipalName
) on $left.UserPrincipalName == $right.UserPrincipalName
| project-away UserPrincipalName1
| order by UnsuccessfulLoginCountryCount desc
// Calculate the difference between countries with successful vs. failed logins
| extend IPIncreaseOnSuccess = UnsuccessfulLoginCountryCount - SuccessfulLoginCountryCount
// The below line can be removed if the actor is using IPs in one country
| where UnsuccessfulLoginCountryCount > UnsuccessfulLoginCountryThreshold
| project UserPrincipalName, Failures, IPs, DaysWithAttempts, UnsuccessfulLoginCountryCount, UnsuccessfulLoginCountries = IPAddressLocations, SuccessfulLoginCountries, FailureIPAddresses = IPAddresses
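As an added example, not part of the original post, the user-centric logic of this second query in Python over constructed sign-in events: single-use IPs, exclusion of IPs that also sign in successfully, and the country-count threshold per account. The record format and the sample IPs, accounts and countries are assumptions constructed for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime
FAILURE_CODES = {50053, 50126}                         # username/password failures
CLIENT_APPS = {"AutoDiscover", "Exchange ActiveSync"}
BROWSERS = {"Chrome", "Firefox"}
COUNTRY_THRESHOLD = 5                                  # UnsuccessfulLoginCountryThreshold

def parse(line):
    # constructed record format: time,ip,upn,resultType,clientAppUsed,browser,country
    t, ip, upn, rc, app, browser, loc = line.split(",")
    return {"time": datetime.fromisoformat(t), "ip": ip, "upn": upn,
            "result": int(rc), "app": app, "browser": browser, "loc": loc}

def volatile_ip_failures(events, threshold=COUNTRY_THRESHOLD):
    # successful sign-ins, indexed per IP (to exclude IPs that legitimately succeed)
    # and per user (to compare failure countries with the user's normal countries)
    ok_by_ip, ok_countries = defaultdict(list), defaultdict(set)
    for e in events:
        if e["result"] == 0:
            ok_by_ip[e["ip"]].append(e["upn"])
            ok_countries[e["upn"]].add(e["loc"] or "NODATA")
    fails = [e for e in events if e["result"] in FAILURE_CODES
             and e["app"] in CLIENT_APPS and e["browser"] in BROWSERS]
    uses = Counter((e["ip"], e["loc"], e["upn"]) for e in fails)  # IPLogins per triple
    per_user = defaultdict(list)
    for e in fails:
        ok = ok_by_ip[e["ip"]]
        # IPLogins == 1, fewer than 2 successes from the IP, and same account where possible
        if uses[(e["ip"], e["loc"], e["upn"])] == 1 and len(ok) < 2 and (not ok or ok[0] == e["upn"]):
            per_user[e["upn"]].append(e)
    report = {}
    for upn, evs in per_user.items():
        countries = {e["loc"] for e in evs}
        if len(countries) > threshold:   # UnsuccessfulLoginCountryCount > threshold
            report[upn] = {"Failures": len(evs), "IPs": len({e["ip"] for e in evs}),
                           "DaysWithAttempts": len({e["time"].date() for e in evs}),
                           "UnsuccessfulLoginCountries": sorted(countries),
                           "SuccessfulLoginCountries": sorted(ok_countries[upn])}
    return report
# Constructed sample: six single-use IPs in six countries against one mailbox over two days,
# one genuine sign-in for that mailbox from the US, and an unrelated single failure
SAMPLE_LOG = """\
2021-10-10T05:01:00,198.51.100.11,victim@example.com,50126,Exchange ActiveSync,Firefox,DE
2021-10-10T05:09:00,198.51.100.12,victim@example.com,50126,Exchange ActiveSync,Firefox,NL
2021-10-10T06:40:00,198.51.100.13,victim@example.com,50053,AutoDiscover,Firefox,FR
2021-10-11T04:15:00,198.51.100.14,victim@example.com,50126,Exchange ActiveSync,Firefox,SE
2021-10-11T04:22:00,198.51.100.15,victim@example.com,50126,Exchange ActiveSync,Firefox,CH
2021-10-11T07:58:00,198.51.100.16,victim@example.com,50126,Exchange ActiveSync,Chrome,AT
2021-10-11T08:30:00,192.0.2.5,victim@example.com,0,Exchange ActiveSync,Firefox,US
2021-10-11T09:00:00,203.0.113.9,other@example.com,50126,Exchange ActiveSync,Firefox,US
"""
def run_sample():
    return volatile_ip_failures([parse(line) for line in SAMPLE_LOG.splitlines()])
```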
The post Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors appeared first on Microsoft Security Blog.