An ongoing password attack campaign is hitting Office 365 customers, another good reason to enable multi-factor authentication right now.
Password Attacks Targeting 250 Office 365 Customers from The US, EU, And Israeli Defense Sector
Microsoft reported that 250 Office 365 users in the US and Israeli defense technology industry had been targeted by ‘password spraying’ attacks, in which attackers try a small set of commonly used passwords against many accounts. The method relies on people choosing common, generic, and simple passwords.
These attacks targeted critical infrastructure organizations in the Persian Gulf region. The culprit is a group that Microsoft is tracking as DEV-0343, an emerging cybercriminal gang.
The ‘DEV’ tag indicates that the group could be state-sponsored, but that’s not yet confirmed.
The Microsoft Threat Intelligence Center (MSTIC) reported it had observed DEV-0343 “conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.”
Microsoft added that “less than 20” of the targeted users were successfully breached.
The risk that password-spraying attacks pose to organizations can be drastically reduced by enabling multi-factor authentication.
DEV-0343 Targets Military Suppliers
The newly discovered hacking group focuses on US, EU, and Israeli companies that manufacture military radars, drones, satellite systems, emergency response communication systems, geographic information systems (GIS), and spatial analytics, as well as Persian Gulf ports and the maritime and cargo transportation companies operating in the area.
“Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans. Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program,” Microsoft said.
Last week, Microsoft warned about Russian government-backed attacks, labeling Russia’s hackers as the most active and most significant cyber threat in the world. Kremlin-backed attackers are becoming more effective, according to Microsoft. The tech giant also highlighted a sharp rise in Iranian attacks against Israeli companies.
“This year marked a near quadrupling in the targeting of Israeli entities, a result exclusively of Iranian actors, who focused on Israel as tensions sharply escalated between the adversaries,” Microsoft explained in its new Digital Defense Report.
Watch Out For Suspicious Tor Connections
Microsoft also warned US and Israeli organizations operating in the Middle East to watch out for suspicious Tor connections to their systems.
“DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization,” Microsoft explained.
The hacking group often targets Exchange endpoints such as Autodiscover and ActiveSync. These endpoints let the threat actors validate which accounts and passwords are active, and then refine and customize their password attacks accordingly.
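The indicators Microsoft lists above (many accounts probed per tenant, Tor IP rotation, a Firefox user agent, the Exchange Autodiscover/ActiveSync endpoints, and the 04:00-17:00 UTC Sunday-Thursday window) can be turned into a simple triage over sign-in logs. The following is an added example, not Microsoft's code or a reproduction of its detections; the event records are constructed and only loosely modelled on Azure AD sign-in log fields, and treating a Firefox user agent on ActiveSync as suspicious is this example's own heuristic.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sign-in records (hypothetical; not real tenant data):
# (UTC timestamp, account, source IP, result, client app, user agent)
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:93.0) Gecko/20100101 Firefox/93.0"
CHROME = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/94.0 Safari/537.36"
EVENTS = [
    ("2021-10-11T06:02:11Z", "alice@example.com", "198.51.100.7", "failure", "Exchange ActiveSync", FIREFOX),
    ("2021-10-11T06:02:14Z", "bob@example.com",   "198.51.100.7", "failure", "Exchange ActiveSync", FIREFOX),
    ("2021-10-11T06:02:19Z", "carol@example.com", "198.51.100.7", "failure", "Exchange ActiveSync", FIREFOX),
    ("2021-10-11T06:05:40Z", "alice@example.com", "203.0.113.22", "failure", "Autodiscover", FIREFOX),
    ("2021-10-11T06:05:44Z", "dave@example.com",  "203.0.113.22", "failure", "Autodiscover", FIREFOX),
    ("2021-10-11T06:09:01Z", "alice@example.com", "203.0.113.90", "failure", "Autodiscover", FIREFOX),
    ("2021-10-11T06:09:03Z", "alice@example.com", "203.0.113.91", "success", "Autodiscover", FIREFOX),
    ("2021-10-11T13:15:00Z", "bob@example.com",   "192.0.2.10",   "success", "Browser", CHROME),  # legit
]
LEGACY_APPS = {"Exchange ActiveSync", "Autodiscover"}  # legacy-auth endpoints that bypass MFA

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def in_reported_window(ts):
    """Sunday-Thursday, 04:00-17:00 UTC: the activity window Microsoft attributes to DEV-0343."""
    t = parse_ts(ts)
    return t.weekday() in (6, 0, 1, 2, 3) and 4 <= t.hour < 17

def spray_sources(events, min_accounts=3):
    """Per-IP fan-out: one source IP failing against many distinct accounts (classic spraying)."""
    accounts = defaultdict(set)
    for ts, user, ip, result, app, ua in events:
        if result == "failure":
            accounts[ip].add(user)
    return {ip: sorted(u) for ip, u in accounts.items() if len(u) >= min_accounts}

def sprayed_accounts(events, min_ips=3):
    """Per-account fan-in: one account failing from many IPs, the view that survives Tor IP rotation."""
    ips = defaultdict(set)
    for ts, user, ip, result, app, ua in events:
        if result == "failure":
            ips[user].add(ip)
    return {u: sorted(i) for u, i in ips.items() if len(i) >= min_ips}

def legacy_auth_successes(events):
    """Successful legacy-endpoint sign-ins with a browser UA inside the window: reset and revoke these."""
    return [(user, ip, ts) for ts, user, ip, result, app, ua in events
            if result == "success" and app in LEGACY_APPS
            and "Firefox" in ua and in_reported_window(ts)]
```

Because spraying spreads attempts across hundreds of Tor exit IPs, the per-account fan-in view usually fires before any single IP crosses a lockout or per-IP threshold.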
Microsoft’s strongest recommendation for defending against password attacks is enabling multi-factor authentication (MFA), since it should block remote access to an account even after its username and password have been compromised.
It also advises admins to check and strengthen Exchange Online access policies and to block any inbound traffic from services such as the Tor network.