A password-spraying campaign suspected to be the work of an Iran-nexus threat actor has hit more than 300 organizations in Israel and more than 25 in the UAE. Affected organizations are advised to act now to prevent further compromise.
In a campaign that has drawn attention from cybersecurity researchers, an Iran-nexus threat actor is suspected of running password-spraying attacks against Microsoft 365 environments in Israel and the United Arab Emirates (UAE). The activity, believed to have come in three distinct waves, affected more than 300 organizations in Israel and more than 25 in the UAE; the total number of targeted organizations is thought to be higher given the scope of the campaign.
The actor, which has ties to Iranian hacking groups such as Peach Sandstorm and Gray Sandstorm (formerly DEV-0343), was after initial access to the targets' cloud accounts. It used password spraying: a single common password is tried against many usernames on the same application, so each account sees only one or two failed attempts. This keeps the activity below the per-account lockout and rate-limiting thresholds that would trip on repeated failures against a single user, which is why a volume of failures spread across many accounts is the signal to look for rather than failures against any one account.
The attack unfolded in three phases: aggressive scanning and password spraying from Tor exit nodes, followed by sign-ins with the guessed credentials, and finally exfiltration of sensitive data such as mailbox content. The attackers also used commercial VPN nodes hosted at AS35758 (Rachamim Aviel Twito) to establish a foothold in the targets' environments.
Israeli cybersecurity company Check Point assessed that the campaign is focused primarily on Israel and the UAE, with activity attributed to the same actor also observed against a limited number of targets in Europe, the United States, the United Kingdom, and Saudi Arabia. The attackers targeted the cloud environments of government entities, municipalities, technology, transportation and energy sector organizations, and private-sector companies in the region.
The spraying was carried out with red-team tooling routed through Tor exit nodes, which hides the true origin of the attempts and spreads them across changing source IP addresses. This does not by itself indicate custom malware: off-the-shelf red-team tools are enough for password spraying against a cloud identity provider. Routing the later sign-ins through commercial VPN nodes rather than Tor makes them look more like ordinary user traffic and harder to block on IP reputation alone.
Organizations in the targeted regions are advised to take immediate action. This includes monitoring sign-in logs for the password-spraying pattern (many distinct accounts failing from the same source address, each with only a few failures, followed by a successful sign-in for one of them), applying conditional access controls that limit authentication to approved geographic locations, enforcing multi-factor authentication (MFA) for all users, and enabling audit logs so that a post-compromise investigation has records to work from. Geographic restrictions are a filter rather than a guarantee, since commercial VPN exits can be chosen to sit inside an approved country; MFA is what actually stops a correctly guessed password from being used.
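The sign-in log monitoring recommended above, as an added example that is not part of the original article or of any vendor's tooling. It runs over a handful of constructed records shaped like a Microsoft Entra ID sign-in log export (`userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`, `autonomousSystemNumber`), flags a source IP that produces failed password attempts against many distinct accounts inside a time window, and then lists successful sign-ins for any of those accounts after the spray began. The sample IPs, ASN 64496, the user names, the window size and the user-count threshold are assumptions; AS35758 on the watchlist is the ASN named in the Check Point report.

```python
"""Password-spray detection over Entra ID sign-in records (added example,
not the article's or any vendor's code). Sample data below is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126          # Entra ID: invalid username or password
SUCCESS = 0
# AS35758 is the ASN the Check Point report names for the VPN nodes; add
# local indicators here. Hypothetical watchlist, not a vendor feed.
WATCHLIST_ASNS = {35758}


def parse_ts(value):
    """Entra ID exports ISO 8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _rec(user, ip, minute, code, asn):
    """Build one constructed sign-in record in the export's field layout."""
    return {"userPrincipalName": user, "ipAddress": ip,
            "createdDateTime": f"2025-01-01T10:{minute:02d}:00Z",
            "status": {"errorCode": code}, "autonomousSystemNumber": asn}


# Constructed sample: one IP (documentation range) fails once against eight
# accounts in eight minutes (the spray); user3 then signs in successfully from a
# different IP on the watchlist ASN; alice mistypes her own password twice.
SAMPLE_SIGNINS = (
    [_rec(f"user{i}@example.com", "203.0.113.7", i, INVALID_PASSWORD, 64496)
     for i in range(8)]
    + [_rec("user3@example.com", "198.51.100.77", 12, SUCCESS, 35758)]
    + [_rec("alice@example.com", "198.51.100.9", 5, INVALID_PASSWORD, 64496),
       _rec("alice@example.com", "198.51.100.9", 6, INVALID_PASSWORD, 64496),
       _rec("alice@example.com", "198.51.100.9", 8, SUCCESS, 64496)]
)


def detect_spray(records, window_minutes=30, min_users=5):
    """Return {ip: finding} for every source IP whose failed password attempts
    cover at least `min_users` distinct accounts within any sliding window of
    `window_minutes`. attempts_per_user shows the low per-account count that
    keeps a spray under lockout thresholds."""
    by_ip = defaultdict(list)
    for r in records:
        if r["status"]["errorCode"] == INVALID_PASSWORD:
            by_ip[r["ipAddress"]].append(r)
    window = timedelta(minutes=window_minutes)
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda r: parse_ts(r["createdDateTime"]))
        left = 0
        for right, rec in enumerate(fails):
            # advance the left edge until the window fits
            while parse_ts(rec["createdDateTime"]) - parse_ts(fails[left]["createdDateTime"]) > window:
                left += 1
            users_in_window = {f["userPrincipalName"] for f in fails[left:right + 1]}
            if len(users_in_window) >= min_users:
                findings[ip] = {
                    "ip": ip,
                    "first_seen": fails[0]["createdDateTime"],
                    "targeted_users": {f["userPrincipalName"] for f in fails},
                    "attempts_per_user": Counter(f["userPrincipalName"] for f in fails),
                }
                break
    return findings


def post_spray_logins(records, findings, watchlist_asns=WATCHLIST_ASNS):
    """Successful sign-ins for a sprayed account at or after the spray began.
    These are the sessions to investigate first; a source ASN on the watchlist
    raises the severity. Returns [] when there is no spray finding."""
    if not findings:
        return []
    targeted = {u for f in findings.values() for u in f["targeted_users"]}
    earliest = min(parse_ts(f["first_seen"]) for f in findings.values())
    hits = []
    for r in records:
        if (r["status"]["errorCode"] == SUCCESS
                and r["userPrincipalName"] in targeted
                and parse_ts(r["createdDateTime"]) >= earliest):
            asn = r.get("autonomousSystemNumber")
            hits.append({"user": r["userPrincipalName"], "ip": r["ipAddress"],
                         "asn": asn, "time": r["createdDateTime"],
                         "severity": "high" if asn in watchlist_asns else "medium"})
    return hits


if __name__ == "__main__":
    found = detect_spray(SAMPLE_SIGNINS)
    for f in found.values():
        print(f"spray from {f['ip']}: {len(f['targeted_users'])} accounts, "
              f"max {max(f['attempts_per_user'].values())} attempt(s) per account")
    for h in post_spray_logins(SAMPLE_SIGNINS, found):
        print(f"{h['severity']}: {h['user']} signed in from {h['ip']} (AS{h['asn']}) at {h['time']}")
```

Alice's two failures from her own address never reach the distinct-user threshold and are not reported, which is the point of keying on distinct accounts per source rather than failures per account. In a real tenant the records would come from the sign-in log export or the Graph API rather than an inline list, and the thresholds should be tuned to the tenant's normal failure volume.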
In related news, an Iranian ransomware gang with ties to the country's government has been linked to a recent attack on a U.S. healthcare organization that used a variant of Pay2Key ransomware. Unlike previous attacks by the group, no data was exfiltrated during this incident, according to Beazley Security and Halcyon. The attackers breached the organization through an undetermined access route, used a legitimate remote access tool such as TeamViewer to establish a foothold, harvested credentials for lateral movement, disarmed Microsoft Defender Antivirus by falsely signaling that a third-party antivirus product was active, inhibited recovery, deployed the ransomware, dropped a ransom note, and cleared logs to cover their tracks.
"By clearing logs at the end of execution rather than the beginning, the actors ensure that even the ransomware's own activity is wiped, not just whatever preceded it," Halcyon said.