Threat Intel | Severity: HIGH

Iran Targets M365 Accounts with Password-Spraying Attacks

Source: The Register Security
Tags: Microsoft 365, Iran, password-spraying, Gray Sandstorm, Peach Sandstorm

In short: Iran-linked actors are guessing a handful of common passwords against large numbers of Microsoft 365 accounts until one works.

Quick Summary

Iran-linked actors are running password-spraying campaigns against Microsoft 365 accounts. More than 300 organizations in Israel and over 25 in the UAE have been targeted. The goal appears to be access to mailboxes and other sensitive data, so the concern is credential compromise at scale rather than any flaw in Microsoft 365 itself.

The Threat

Recent reports indicate that Iran-linked threat actors are running password-spraying attacks against Microsoft 365 accounts. The campaigns have targeted more than 300 organizations in Israel and more than 25 in the United Arab Emirates. Researchers at Check Point believe the activity may serve a dual purpose: gathering intelligence and supporting bomb damage assessments after missile strikes in those regions. The attackers spread their attempts across many source IP addresses, which obscures the origin of the traffic and keeps any single address below per-source alert thresholds.

Who's Behind It

The attackers are assessed to be affiliated with Iranian military organizations, in particular the Islamic Revolutionary Guard Corps. The groups named are Peach Sandstorm and Gray Sandstorm, both of which have a history of using password spraying for initial access. The attacks came in three distinct waves, on March 3, 13, and 23, indicating a coordinated effort against multiple sectors, including technology, healthcare, and transportation.

Tactics & Techniques

The technique is password spraying: rather than hammering one account with many guesses (which triggers lockout), the attackers try a small set of commonly used passwords against a large number of accounts, typically one or two guesses per account per wave. Attempts were routed through Tor exit nodes, and the client presented a User-Agent string impersonating Internet Explorer 10, a legacy browser that no current M365 client would use. Once a password was guessed correctly, the actors signed in from VPN IP addresses geolocated in Israel, so the successful logins appeared to come from the victims' own country, and used that access to read sensitive information, including personal emails and communications.

Defensive Measures

Organizations, especially those in the targeted sectors, should enforce multi-factor authentication (MFA) on every account, since a correctly guessed password alone should not be enough to sign in. Because a spray relies on a short list of common passwords, banning known-weak passwords and enforcing length requirements removes most of the attacker's guess list; routine rotation without those controls does little. Monitoring should look for the spray's own signature: a single source failing against many distinct accounts with few attempts each, legacy or anomalous User-Agent strings such as Internet Explorer 10, Tor exit nodes as sources, and any successful sign-in for a sprayed account from an IP address that account has not used before. Note that geolocation-based rules will not catch the follow-on access here, because the actors deliberately signed in from IP addresses within Israel. Given the geopolitical context, organizations in the region should expect further waves from these actors.
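The detection logic described in the Tactics & Techniques and Defensive Measures sections above, as an added worked example (this is the editor's illustration, not code from the article, Check Point, or Microsoft). It runs over constructed sign-in records that mimic the shape of Microsoft Entra ID sign-in log entries: the field names (userPrincipalName, ipAddress, errorCode, userAgent, country) are simplified, the IP addresses are from documentation ranges, and error code 50126 is Entra's "invalid username or password" result. Thresholds (five accounts in an hour, at most two tries per account, a 24-hour look-ahead) are assumptions to tune for your tenant.

```python
"""Spot a password spray and the follow-on login it enables, from Entra-style sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta

ERR_BAD_CREDENTIALS = 50126   # Entra sign-in error: invalid username or password
ERR_SUCCESS = 0

# The IE10 string used in the campaign, beside a current browser string for contrast.
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
EDGE_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36 Edg/120.0"


def rec(t, upn, ip, country, err, ua):
    """Build one constructed sign-in record (all values below are made up for this example)."""
    return {"time": t, "upn": upn, "ip": ip, "country": country, "error_code": err, "user_agent": ua}


SPRAY_TARGETS = ["alice", "bob", "carol", "dana", "eli", "frank"]
SAMPLE_SIGNINS = (
    # alice's normal login earlier that morning: establishes her baseline IP
    [rec("2025-01-08T07:55:00", "alice@example.com", "192.0.2.10", "IL", ERR_SUCCESS, EDGE_UA)]
    # one spray wave: one source, one guess per account, a few seconds apart, IE10 User-Agent
    + [rec(f"2025-01-08T08:00:{2 * i:02d}", f"{u}@example.com", "198.51.100.7", "DE",
           ERR_BAD_CREDENTIALS, IE10_UA) for i, u in enumerate(SPRAY_TARGETS)]
    # a user fat-fingering their own password three times: one account, not a spray
    + [rec(f"2025-01-08T08:1{i}:00", "ops@example.com", "192.0.2.20", "IL",
           ERR_BAD_CREDENTIALS, EDGE_UA) for i in range(3)]
    # the attacker's follow-on login as dana, from an Israeli VPN IP dana has never used
    + [rec("2025-01-08T08:30:00", "dana@example.com", "203.0.113.45", "IL", ERR_SUCCESS, EDGE_UA),
       # alice logging in again from her usual address: benign
       rec("2025-01-08T09:00:00", "alice@example.com", "192.0.2.10", "IL", ERR_SUCCESS, EDGE_UA)]
)


def parse_time(r):
    return datetime.fromisoformat(r["time"])


def is_legacy_user_agent(ua):
    """True for Internet Explorer / Trident strings, which no current M365 client presents."""
    return "MSIE " in ua or "Trident/" in ua


def find_spray_sources(records, window=timedelta(hours=1), min_accounts=5, max_tries_per_account=2):
    """Return {ip: set of sprayed accounts} for sources that fail against many accounts, few tries each."""
    failures = defaultdict(list)
    for r in records:
        if r["error_code"] == ERR_BAD_CREDENTIALS:
            failures[r["ip"]].append(r)
    flagged = {}
    for ip, recs in failures.items():
        recs.sort(key=parse_time)
        start = 0
        for end in range(len(recs)):                       # sliding time window per source
            while parse_time(recs[end]) - parse_time(recs[start]) > window:
                start += 1
            tries = defaultdict(int)
            for w in recs[start:end + 1]:
                tries[w["upn"]] += 1
            if len(tries) >= min_accounts and max(tries.values()) <= max_tries_per_account:
                flagged.setdefault(ip, set()).update(tries)
    return flagged


def find_post_spray_logins(records, spray_sources, lookahead=timedelta(hours=24)):
    """Successful sign-ins for sprayed accounts from an IP the account never used before the spray.

    Geography is deliberately ignored: the campaign signed in from VPN IPs inside the target country.
    """
    targeted = {}                                          # upn -> time of first spray attempt
    for r in records:
        if r["error_code"] == ERR_BAD_CREDENTIALS and r["ip"] in spray_sources:
            t = parse_time(r)
            if r["upn"] not in targeted or t < targeted[r["upn"]]:
                targeted[r["upn"]] = t
    baseline = defaultdict(set)                            # upn -> IPs seen in successes before the spray
    for r in records:
        if r["error_code"] == ERR_SUCCESS and r["upn"] in targeted and parse_time(r) < targeted[r["upn"]]:
            baseline[r["upn"]].add(r["ip"])
    hits = []
    for r in records:
        upn = r["upn"]
        if r["error_code"] != ERR_SUCCESS or upn not in targeted:
            continue
        t = parse_time(r)
        if not (targeted[upn] <= t <= targeted[upn] + lookahead):
            continue
        if r["ip"] in spray_sources or r["ip"] in baseline[upn]:
            continue
        hits.append({"upn": upn, "ip": r["ip"], "country": r["country"], "time": r["time"]})
    return hits


def analyze(records):
    sprays = find_spray_sources(records)
    return {
        "spray_sources": {ip: sorted(users) for ip, users in sprays.items()},
        "legacy_ua_sources": sorted({r["ip"] for r in records if is_legacy_user_agent(r["user_agent"])}),
        "suspicious_logins": find_post_spray_logins(records, sprays),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_SIGNINS), indent=2))
```

On the sample data this flags 198.51.100.7 as a spray source (six accounts, one guess each, within seconds), flags the same address for its IE10 User-Agent, and surfaces dana's later sign-in from 203.0.113.45 as suspicious while leaving alice's login from her usual address and the ops user's repeated failures alone. In production the same logic maps onto a sign-in log query keyed on ipAddress, userPrincipalName and status.errorCode; the per-account baseline is what lets it catch the Israel-geolocated VPN logins that a country-based rule would pass.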

🔒 Pro insight: Password spraying is cheap, low-noise, and hard to attribute, which is why IRGC-linked groups keep returning to it. Its use here, timed around missile strikes and aimed at mailboxes in the struck regions, points to cyber operations run in direct support of military objectives rather than opportunistic credential theft.


Related Pings

- Iranian Hackers Threaten U.S. Water Systems with Attacks (CyberWire Daily; Threat Intel, HIGH): Iranian hackers threaten U.S. water systems, raising alarms about infrastructure security. CISA calls for urgent fixes to critical vulnerabilities. The risks are significant, and immediate action is needed.
- US Reissues $10M Bounty on Iranian Hackers Amid Breach (SC Media; Threat Intel, HIGH): The U.S. has reissued a $10 million bounty for information on Iranian hackers Handala and Parsian Afzar Rayan Borna. This comes after a confirmed breach involving sensitive data. The ongoing threat from these groups is significant, prompting this urgent call for information.
- North Korean Group Behind Axios Supply Chain Attack (The Record; Threat Intel, HIGH): A major supply chain attack on axios has been linked to North Korean hackers. This incident could impact countless organizations using the popular library. Experts warn of the growing threat to software security.
- Russian CTRL Toolkit - Illicit LNK Files Distribute Malware (SC Media; Threat Intel, HIGH): Malicious LNK files are being used to deploy the Russian CTRL toolkit, which facilitates credential phishing and keylogging. This sophisticated method poses a serious risk to users. Stay informed to protect your data from these evolving threats.
- Dutch Ministry of Finance - Portal Offline After Cyberattack (SC Media; Threat Intel, HIGH): A cyberattack has forced the Dutch Ministry of Finance to take its treasury portal offline. Around 1,600 public entities are affected, facing restricted access to essential functions. This incident highlights the vulnerabilities in critical infrastructure security and the need for robust cybersecurity measures.
- Supply Chain Attack - Axios npm Package Compromised (Tenable Blog; Threat Intel, HIGH): A major supply chain attack has compromised the Axios npm package, risking user data theft. If you've downloaded versions 1.14.1 or 0.30.4, immediate action is necessary. Protect your credentials and API keys now.