A new threat group “Dev-0343” has been attributed to Iranian intelligence by the Microsoft Threat Intelligence Center (MSTIC). The group has been conducting password spraying attacks against US, Europe, and Israeli defense companies. They are especially active 7:30am to 8:30pm Iranian time, or equivalently, 04:00:00 to 17:00:00 UTC. The group is targeting the Exchange Autodiscover and ActiveSync technologies for password and account validation. There are unfortunately not many indicators of attack (IOA) in evidence of this activity because the group employs Tor to disguise traffic. However, extensive inbound Tor traffic to a network does constitute a significant IOA. MSTIC researchers have indicated evidence has enabled them to infer DEV-0343 use a tool similar to o365spray. More details about this tool can be found here: https://github.com/0xZDH/o365spray.
Analyst Notes
Conditional access policies including geographic restrictions (geofencing) are highly recommended on Internet facing networks. Multi-Factor Authentication (MFA), if universally applied across all users and services, effectively mitigates password spraying attacks. MSTIC notes that in over 200 organizations in which telemetry was collected by MSTIC, Dev-0343 had a successful intrusion for less than 20 targets due to the increasing adoption of MFA.
https://thehackernews.com/2021/10/microsoft-warns-of-iran-linked-hackers.html
https://www.microsoft.com/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/
