fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft: Iran-linked Hackers Target US Defense Tech Companies

Microsoft: Iran-linked Hackers Target US Defense Tech Companies

Iran-linked threat actors are targeting the Office 365 tenants of US and Israeli defense technology companies in extensive password spraying attacks.

In password spray attacks, threat actors attempt to brute-force accounts by using the same passwords across multiple accounts simultaneously, which allows them to hide failed attempts using different IP addresses.

This enables them to defeat automated defenses like password lockout and malicious IP blocking designed to block multiple failed login attempts.

The activity cluster was temporarily dubbed DEV-0343 by researchers at Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU), who have tracked it since late July.

Also Read: What is Smishing? How Can We Prevent It? Explained.

Attacks aligned with Iranian govt interests

According to Microsoft, this ongoing malicious activity lines up with Iranian national interests based on techniques and targets aligning with another Iran-linked threat actor.

DEV-0343 was also linked to Iran based on pattern-of-life analysis and an extensive crossover in sectoral and geographic targeting with other Iranian hacking groups.

“Targeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems,’ Microsoft says.

“Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.”

The DEV-0343 operators’ end goal is likely to gain access to commercial satellite imagery and proprietary shipping plans and logs, which would be used to augment Iran’s in-development satellite program.

Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to secure their accounts.

Also Read: 5 Signs On How to Know if Ransomware is on Your Computer

Less than 20 targets breached

Since the attacks have started, less than 20 targets have been compromised, with Microsoft noting that Office 365 accounts with multifactor authentication (MFA) toggled are resilient against DEV-0343’s password spray attacks.

DEV-0343 targets the Autodiscover and ActiveSync Exchange endpoints with their enumeration/password spray tool to validate active accounts and refine their attacks.

“They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times,” Microsoft says.

“On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.”

How to defend against attacks

Companies exposed to this activity are encouraged to look for DEV-0343 behaviors and tactics in logs and network activity, including:

  • Extensive inbound traffic from Tor IP addresses for password spray campaigns
  • Emulation of FireFox (most common) or Chrome browsers in password spray campaigns
  • Enumeration of Exchange ActiveSync (most common) or Autodiscover endpoints
  • Use of enumeration/password spray tool similar to the ‘o365spray’ tool
  • Use of Autodiscover to validate accounts and passwords
  • Observed password spray activity commonly peaking between 04:00:00 and 11:00:00 UTC

Microsoft recommends taking the following measures as a defense against DEV-0343’s attacks:

MSTIC and DSU researchers also shared Microsoft 365 Defender and Azure Sentinel advanced hunting queries at the end of the blog post to help SecOps teams to detect DEV-0343 related activity.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us