Iran-linked threat actors using password-spraying against US defense and tech companies
Posted by: GuidePoint Security
Published 10/20/21, 9:00am
According to researchers at Microsoft, Iran-linked threat actors are targeting US defense and tech companies in a large-scale password spraying attack.
Password-spraying is a form of brute-force attack in which the attacker tries the same password across many accounts at once, rather than many passwords against a single account. Spreading the attempts this way avoids the account lockouts and source-IP blocking that a conventional brute-force attack against one account would normally trigger.
Researchers at Microsoft have been tracking the threat since late July, naming it DEV-0343. More than 250 Office 365 tenants (organizations using Office 365) have been targeted, with an estimated 20 successful compromises. Microsoft experts warn, however, that the DEV-0343 threat actors are continuing to refine their attacks. Targets include defense companies developing military-grade radars, drone technology, satellite systems, and emergency response communication systems located in the United States, the European Union, and Israel. Additional threat activity is focused on businesses operating in geographic information systems (GIS), spatial analytics, ports of entry in the Persian Gulf, and maritime and cargo companies focused on the Middle East.
Microsoft believes this threat activity supports the national interests of the government of Iran, noting that “access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program.”
Attacks are most active between Sunday and Thursday from 7:30 am to 8:30 pm, Iran time. Up to several hundred accounts within an Office 365 tenant are targeted during each attack, with password-spraying occurring up to several thousand times.
Observed behaviors include:
- Extensive inbound traffic from TOR IP addresses
- Emulation of Firefox or Chrome browsers
- Enumeration of Exchange ActiveSync or Autodiscover endpoints
- Use of Autodiscover to validate accounts and passwords
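As an added illustration of the behaviors above (not code from the page or from Microsoft's advisory), the following Python sketches a detection heuristic over a constructed set of sign-in records: it flags a source that fails against many distinct accounts with few attempts each, the signature of a spray rather than classic brute force, and then lists the accounts that authenticated successfully from that source. The record layout, thresholds, IP addresses and user names are all assumptions.

```python
"""Heuristic spray detector for O365-style sign-in logs (added example).
A spray hits many accounts from one source with few tries each; data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, source IP, user, client, result.
SAMPLE_LOG = """\
2021-08-01T07:31:02Z 198.51.100.7 alice@example.test Autodiscover failure
2021-08-01T07:31:05Z 198.51.100.7 bob@example.test Autodiscover failure
2021-08-01T07:31:09Z 198.51.100.7 carol@example.test Autodiscover failure
2021-08-01T07:31:12Z 198.51.100.7 dave@example.test Autodiscover failure
2021-08-01T07:31:15Z 198.51.100.7 erin@example.test Autodiscover success
2021-08-01T07:40:00Z 203.0.113.9 alice@example.test Browser failure
2021-08-01T07:41:00Z 203.0.113.9 alice@example.test Browser failure
2021-08-01T07:42:00Z 203.0.113.9 alice@example.test Browser failure
2021-08-01T09:00:00Z 192.0.2.44 frank@example.test Browser success
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, ip, user, client, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, client, result))
    return events

def detect_spray(events, window=timedelta(minutes=60), min_accounts=4, max_per_account=2):
    """Flag IPs whose failures in `window` span >= min_accounts users, <= max_per_account each."""
    by_ip = defaultdict(list)
    for ts, ip, user, _client, result in events:
        if result == "failure":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()  # slide a window forward from each failure
        for i, (start, _) in enumerate(fails):
            counts = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start <= window:
                    counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                alerts[ip] = sorted(counts)  # flagged source -> accounts it tried
                break
    return alerts

def compromised_after_spray(events, alerts):
    """Accounts that then signed in successfully from a flagged IP: reset and revoke sessions."""
    return sorted({user for _ts, ip, user, _c, result in events
                   if ip in alerts and result == "success"})
```

The single-account source (203.0.113.9) is deliberately not flagged: three failures against one user is the classic brute-force shape that lockout policies already handle, whereas the spray source spreads its four failures over four users and still ends with one success.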
Next Steps
Experts advise that enabling multifactor authentication is the single most effective step organizations can take to avoid becoming victims of password-spraying attacks. Additional protective measures include reviewing and enforcing Exchange Online access policies and blocking all incoming traffic from anonymizing services where possible. More information on this threat can be found in the Microsoft advisory.