Posted on October 13, 2021 at 8:06 AM
Government agencies have of late been major targets of state-sponsored threat actors. A recent report from Microsoft states that Iranian hackers could be using a password guessing technique to attack military and defence agencies.
According to Microsoft, these attackers are targeting Office 365 accounts, with their main targets being defence companies based in the US, EU and Israel. In a blog post, Microsoft stated that the targeted agencies were those that developed “military-grade radars, drone technology, satellite systems and emergency response communication systems.”
Using ‘Password-Spraying’ Attack Techniques
Microsoft further noted that the hacking group behind these attacks was using a “password-spraying” technique, and that the threat actors had already directed these attacks at 250 Office 365 accounts. The hackers’ targets include the agencies’ resources, in particular the employee user accounts stored in the Microsoft cloud service.
Microsoft also noted that 20 of the targeted Office 365 accounts had already been compromised through these techniques.
According to Microsoft, the threat actors behind these attacks are known as DEV-0343. The group is believed to be on an espionage mission, given that it has also targeted ports in the Persian Gulf and global maritime firms in the Middle East.
“Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans,” the blog read. “Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program.”
Microsoft further noted that the companies in the shipping and maritime sectors needed to be quick to implement the needed actions to shield themselves from these hackers, given that the risk is high. According to Microsoft, Iran has a known past of cyber and military actions against shipping and maritime companies.
Following this threat, Microsoft has urged Office 365 users to remain vigilant so that their accounts are not accessed by unauthorized parties. The threat actors launch the password-spraying attack by first finding out users’ email addresses and then trying different passwords against those accounts until the correct one is identified. This guessing can continue for several hours or days before the attackers break into a system.
Microsoft also stated that the DEV-0343 hacking group disguised its traffic as coming from a Firefox browser and used IP addresses hosted on the Tor network, which allowed the threat actors to remain anonymous and hide the origin of the attacks.
The blog post also stated that the threat actors targeted a wide range of accounts within each organization. The number of targeted accounts depended on the organization’s size, and the threat actors would later categorize these accounts. “On average, between 150 and 1000+ unique Tor proxy IP addresses are used in attacks against each organization,” Microsoft stated.
The blog post further stated that the attackers operated stealthily to hide their activity. Because of this, Microsoft was unable to identify and share a static set of indicators of compromise (IOCs) linked to the hacking activity. Nevertheless, Microsoft published a description of the behaviours and tactics the researchers observed.
“We encourage our customers to use this information to look for similar patterns in logs and network activity to identify areas for further investigation,” Microsoft added.
Microsoft Gives Recommendations to Protect Users
The blog post further provided a list of recommendations that Office 365 users could follow to protect themselves from these password-spraying techniques. One of Microsoft’s recommendations is to enable multi-factor authentication (MFA) on accounts.
An MFA verification process requires anyone logging in to these accounts to present a second form of authentication, usually a one-time passcode generated on the account owner’s phone.
Microsoft also urges all customers to adopt passwordless sign-in options such as Microsoft Authenticator. This is a stronger way of securing user accounts because it ensures that they are not compromised even if a threat actor obtains the account password.
“Changing the IP address for every password attempt is becoming a more common technique among sophisticated threat groups. Often, threat groups randomize the user agent they are using as well as the IP address. This technique has been enabled by the emergence of services providing huge numbers of residential IP addresses,” Microsoft stated.
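The log-pattern hunting Microsoft recommends above, together with the IP-per-attempt rotation it describes, can be checked with a simple heuristic over sign-in records. The following Python is an added example, not code from the article or from Microsoft; it assumes a constructed pipe-separated sign-in format and invented sample records, and uses the spray signature (many accounts, few failures each, a new source address on every attempt) to tell a spray from a single-account brute force.

```python
from collections import Counter
from typing import NamedTuple

class SignIn(NamedTuple):
    ts: str
    user: str
    ip: str
    user_agent: str
    result: str  # "OK" or "FAIL"

def parse_log(text: str) -> list:
    """Parse pipe-separated lines (a constructed format, not the real
    Office 365 sign-in log schema) into SignIn records."""
    return [SignIn(*line.split("|")) for line in text.strip().splitlines()]

def classify(records, min_users=5, max_per_user=3) -> dict:
    """Separate a spray (many accounts, few failures each, a fresh IP per try)
    from a brute force (one account, many failures) using failed sign-ins only."""
    fails = [r for r in records if r.result == "FAIL"]
    per_user = Counter(r.user for r in fails)
    ips = {r.ip for r in fails}
    summary = {
        "failed_attempts": len(fails),
        "distinct_users": len(per_user),
        "distinct_ips": len(ips),
        "max_failures_per_user": max(per_user.values(), default=0),
        # 1.0 means every failed attempt came from a different source address
        "ip_rotation": round(len(ips) / len(fails), 2) if fails else 0.0,
        "distinct_user_agents": len({r.user_agent for r in fails}),
    }
    users, worst = summary["distinct_users"], summary["max_failures_per_user"]
    if users >= min_users and worst <= max_per_user:
        summary["verdict"] = "password_spray"
    elif worst > max_per_user:
        summary["verdict"] = "brute_force"
    else:
        summary["verdict"] = "normal"
    return summary

# Constructed samples (no real users, addresses or tenants). SPRAY_LOG mimics
# the DEV-0343 traits in the article: one Firefox user agent, a different
# (Tor-style) exit address on every attempt, one or two tries per account.
UA = "Mozilla/5.0 Firefox/91.0"
SPRAY_LOG = "\n".join(f"2021-10-12T08:00:0{i}Z|{u}@example.com|203.0.113.{10 + i}|{UA}|FAIL"
                      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "alice"]))
SPRAY_LOG += f"\n2021-10-12T08:05:00Z|grace@example.com|198.51.100.7|{UA}|OK"
# One account hammered from one address: a brute force, not a spray.
BRUTE_LOG = "\n".join(f"2021-10-12T09:00:0{i}Z|alice@example.com|198.51.100.9|{UA}|FAIL"
                      for i in range(5))
```

`classify(parse_log(SPRAY_LOG))` returns a `password_spray` verdict with an `ip_rotation` of 1.0, while the brute-force sample returns `brute_force`; in practice the thresholds would be tuned per tenant and evaluated per time window.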