Iranian Phosphorus APT into the Limelight
Microsoft Threat Intelligence Center shared the results of their analysis on the evolution of Iran-linked threat actors. Over the past 12 months, MSTIC experts observed increasingly sophisticated attacks orchestrated by Iranian APT groups. The analysis focuses on six Iranian hacking groups that are increasingly utilizing ransomware to either fundraise or disrupt the computer networks of the targets.
One of the campaigns monitored by the experts and conducted by PHOSPHORUS APT group leveraged known vulnerabilities in Fortinet FortiOS SSL VPN and Microsoft Exchange Servers to deploy ransomware on vulnerable networks.
“In the early part of 2021, PHOSPHORUS actors scanned millions of IPs on the internet for Fortinet FortiOS SSL VPN that were vulnerable to CVE-2018-13379. This vulnerability allowed the attackers to collect clear-text credentials from the sessions file on vulnerable Fortinet VPN. The actors collected credentials from over 900 Fortinet VPN servers in the United States, Europe, and Israel so far this year. In the last half of 2021, PHOSPHORUS shifted to scanning for unpatched on-premises Exchange Servers vulnerable to ProxyShell (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).” (Microsoft Advisory)
Another Iran-linked APT group analyzed by Microsoft, tracked as CURIUM, was characterized by a great deal of patience in its operations. The CURIUM group leverages a network of fake social media accounts to trick victims into installing malware.
The fake social media accounts used by the group usually masqueraded as attractive women. The accounts were used to win the trust of the victims by chatting with them, and then to trick them into opening a weaponized document that starts the infection process.
In October 2021, researchers at Microsoft Threat Intelligence Center and Microsoft Digital Security Unit uncovered a malicious activity cluster, tracked as DEV-0343, that is targeting the Office 365 tenants of US and Israeli defense technology companies.
Threat actors are launching extensive password spraying attacks against the target organizations; the malicious campaign was first spotted in July 2021. Microsoft added that the password spray attacks failed against Office 365 accounts that had multifactor authentication (MFA) enabled.
DEV-0343 focuses on defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems. The group aggressively used brute-force attacks to obtain access to Office 365 accounts.
The DEV-0343 group was also observed targeting the same account on the same tenant that was being targeted by another known Iranian threat actor tracked as Europium, a circumstance that suggests a form of coordination between the campaigns of the two groups.
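The two access patterns described above, password spraying (few guesses against many accounts) and brute force (many guesses against one account), leave different footprints in sign-in logs, and Microsoft's note that MFA-protected accounts survived the spray is visible there too. The following detector is an added example written for this article, not code from Microsoft or the advisory; the log format, the result values (FAIL, MFA_BLOCKED, SUCCESS) and the thresholds are constructed assumptions, and the sample events are fabricated for illustration.

```python
"""Detect password-spray and brute-force patterns in constructed sign-in log lines.

Added example for this article; not Microsoft code. The log layout is assumed:
    <timestamp> <source_ip> <user> <result>
where result is FAIL, MFA_BLOCKED (password accepted but MFA not satisfied)
or SUCCESS (password accepted, no MFA in the way).
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: one source sprays six accounts with one guess each (and
# gets a correct password on one MFA-protected account), another hammers a
# single account until it succeeds.
SAMPLE_LOG = """\
2021-07-14T02:00:01Z 203.0.113.10 alice@example.test FAIL
2021-07-14T02:00:03Z 203.0.113.10 bob@example.test FAIL
2021-07-14T02:00:05Z 203.0.113.10 carol@example.test FAIL
2021-07-14T02:00:07Z 203.0.113.10 dave@example.test FAIL
2021-07-14T02:00:09Z 203.0.113.10 erin@example.test MFA_BLOCKED
2021-07-14T02:00:11Z 203.0.113.10 frank@example.test FAIL
2021-07-14T02:05:00Z 198.51.100.7 alice@example.test FAIL
2021-07-14T02:05:20Z 198.51.100.7 alice@example.test FAIL
2021-07-14T02:05:40Z 198.51.100.7 alice@example.test SUCCESS
"""


class SignIn(NamedTuple):
    ts: str
    src_ip: str
    user: str
    result: str


def parse_log(text: str) -> List[SignIn]:
    """Parse whitespace-separated sign-in lines; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        events.append(SignIn(ts, ip, user, result))
    return events


def detect_spray(events: List[SignIn], min_users: int = 5,
                 max_attempts_per_user: int = 2) -> Dict[str, dict]:
    """Flag sources that touch many distinct accounts with few guesses each.

    For each flagged source, report which accounts yielded a correct password
    but were stopped by MFA, and which were fully compromised.
    """
    by_ip: Dict[str, List[SignIn]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        per_user: Dict[str, int] = defaultdict(int)
        for e in evs:
            per_user[e.user] += 1
        if len(per_user) < min_users or max(per_user.values()) > max_attempts_per_user:
            continue  # not the wide-and-shallow shape of a spray
        findings[ip] = {
            "distinct_users": len(per_user),
            "attempts": len(evs),
            "mfa_blocked": sorted(e.user for e in evs if e.result == "MFA_BLOCKED"),
            "compromised": sorted(e.user for e in evs if e.result == "SUCCESS"),
        }
    return findings


def detect_brute_force(events: List[SignIn], min_attempts: int = 3) -> Dict[Tuple[str, str], int]:
    """Flag (source, account) pairs with repeated guesses against one account."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for e in events:
        counts[(e.src_ip, e.user)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_attempts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in detect_spray(evs).items():
        print(f"spray from {ip}: {info}")
    for (ip, user), n in detect_brute_force(evs).items():
        print(f"brute force from {ip} against {user}: {n} attempts")
```

On the constructed sample the spray source is reported with one account whose password was guessed but which MFA held, and no fully compromised account, which is the outcome the article attributes to MFA-enabled tenants; the second source is caught by the per-account counter instead. In a real deployment the thresholds would be tuned per tenant and the source key would usually be widened to an ASN or user-agent, since sprays are routinely spread across many IPs.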
“As Iranian operators have adapted both their strategic goals and tradecraft, over time they have evolved into more competent threat actors capable of conducting a full spectrum of operations including:
- Information operations
- Disruption and destruction
- Support to physical operations”
Indicators of Compromise
| Indicator | Value |
|---|---|
| Filename | Audio.exe or frpc.exe |