
Nation-state operators with nexus to Iran are increasingly turning to ransomware as a means of generating revenue and intentionally sabotaging their targets, while also engaging in patient and persistent social engineering campaigns and aggressive brute force attacks.

No less than six threat actors affiliated with the West Asian country have been discovered deploying ransomware to achieve their strategic objectives, researchers from Microsoft Threat Intelligence Center (MSTIC) revealed, adding “these ransomware deployments were launched in waves every six to eight weeks on average.”

Of note is a threat actor tracked as Phosphorus (aka Charming Kitten or APT35), which has been found scanning IP addresses on the internet for unpatched Fortinet FortiOS SSL VPN and on-premises Exchange Servers to gain initial access and persistence on vulnerable networks, before moving to deploy additional payloads that enable the actors to pivot to other machines and deploy ransomware.

Another tactic incorporated into the playbook is to leverage a network of fictitious social media accounts, including posing as attractive women, to build trust with targets over several months and ultimately deliver malware-laced documents that allow for data exfiltration from the victim systems. Both Phosphorus and a second threat actor dubbed Curium have been spotted incorporating such “patient” social engineering methods to compromise their targets.

“The attackers build a relationship with target users over time by having constant and continuous communications which allows them to build trust and confidence with the target,” MSTIC researchers said. “In many of the cases we have observed, the targets genuinely believed that they were making a human connection and not interacting with a threat actor operating from Iran.”

A third trend is the use of password spray attacks against Office 365 tenants belonging to U.S., E.U., and Israeli defense technology companies, details of which Microsoft publicized last month, attributing the activity to an emerging threat cluster tracked as DEV-0343.
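Password spraying, as described above, tries a few passwords against many accounts rather than many against one, which is what distinguishes it from ordinary brute force in sign-in logs. The following detection routine is added here as an illustration and is not part of the original report or of Microsoft's tooling; it runs over constructed sign-in events and flags source addresses whose failed sign-ins spread across many distinct accounts with only a few attempts each. The event layout, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real log data): (timestamp, user, source IP, result).
SPRAY_IP, BRUTE_IP = "203.0.113.7", "198.51.100.9"
SAMPLE_EVENTS = (
    # one failed attempt each against six different accounts within a few minutes
    [(f"2021-11-16T10:{m:02d}:00Z", f"user{m}@example.com", SPRAY_IP, "failure") for m in range(6)]
    # twenty failures against a single account: classic brute force, not a spray
    + [(f"2021-11-16T11:00:{s:02d}Z", "bob@example.com", BRUTE_IP, "failure") for s in range(20)]
    # a user who mistyped once and then signed in
    + [("2021-11-16T12:00:00Z", "carol@example.com", "192.0.2.5", "failure"),
       ("2021-11-16T12:00:30Z", "carol@example.com", "192.0.2.5", "success")]
)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_attempts_per_user=3):
    """Return {source_ip: details} for sources that, inside one time window, fail
    sign-in for at least `min_users` distinct accounts while trying each account
    no more than `max_attempts_per_user` times (the low-and-slow spray profile)."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            by_ip[ip].append((parse_ts(ts), user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        # sliding window anchored at each failure; stop at the first window that matches
        for i, (start, _) in enumerate(attempts):
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
                flagged[ip] = {"distinct_users": len(per_user),
                               "window_start": start.isoformat()}
                break
    return flagged


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_EVENTS))
```

The brute-force source is deliberately left unflagged by this rule so that it can be handled by a per-account lockout rule instead; in practice the thresholds are tuned to the tenant's normal failure rate.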
