Microsoft Threat Intelligence Center (MSTIC) has warned of an emerging threat actor that is using password-spraying techniques to break into defense technology companies in the United States, Israel and parts of the Middle East.
Tracked as DEV-0343, this new activity cluster “likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran.”
According to Microsoft, DEV-0343 has been attempting to compromise Office 365 accounts since at least July 2021.
“MSTIC has observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East. Less than 20 of the targeted tenants were successfully compromised, but DEV-0343 continues to evolve their techniques to refine its attacks,” the software giant said in a report.
To compromise targets the threat actor conducts password spraying attacks (a type of brute force attack where a malicious actor attempts the same password on many accounts before moving on to another one and repeating the process) emulating a Firefox browser and using IP addresses hosted on a Tor proxy network in order to obfuscate their operational infrastructure.
The attackers attempt to break into accounts within an organization (ranging fr om dozens to hundreds of accounts depending on the size of an organization), and enumerate each account from dozens to thousands of times. Microsoft says that on average the attacks involve between 150 and over 1,000 unique Tor proxy IP addresses.
DEV-0343 has been observed targeting two Exchange endpoints – Autodiscover and ActiveSync – as a feature of the enumeration/password spray tool they use. This allows the threat actor to validate active accounts and passwords.
Microsoft has provided a list of behaviors and tactics used by DEV-0343:
Extensive inbound traffic from Tor IP addresses for password spray campaigns
Emulation of FireFox (most common) or Chrome browsers in password spray campaigns
Enumeration of Exchange ActiveSync (most common) or Autodiscover endpoints
Use of enumeration/password spray tool similar to the ‘o365spray’ tool hosted at https://github.com/0xZDH/o365spray
Use of Autodiscover to validate accounts and passwords
Observed password spray activity commonly peaking between 04:00:00 and 11:00:00 UTC
As the protective measures against attacks described above, Microsoft recommends organizations to enable multifactor authentication, use passwordless solutions to secure accounts, review and enforce recommended Exchange Online access policies, and block all incoming traffic from anonymizing services wh ere possible.