Where data is home

Microsoft Thwarts Polonium Hackers’ Data Exfiltration Attempts


Microsoft has successfully prevented the POLONIUM hackers from exfiltrating data using OneDrive. These hackers targeted more than 20 Israeli organizations in sectors such as manufacturing, IT, and defense, with the aid of Iran-linked threat actors. Microsoft’s investigation revealed that the hackers gained access to previously compromised networks through Iran’s MOIS operators. However, no vulnerabilities in the OneDrive platform were exploited. The malware strains employed by the POLONIUM hackers, including CreepyDrive and CreepySnail, were quarantined by Microsoft in security updates. Various tactics, techniques, and procedures (TTPs) were utilized by the hackers, such as targeted victim selection, hand-off operations, the use of OneDrive for command and control (C2), and AirVPN. Furthermore, it was found that 80% of affected users had vulnerable Fortinet appliances. To mitigate such attacks, Microsoft recommends implementing indicators of compromise, updating Microsoft Defender Antivirus, blocking suspicious IP addresses, reviewing VPN authentication activity, enabling multifactor authentication, and minimizing unnecessary permissions.

Key Takeaways

  • Over 20 Israeli organizations and one intergovernmental agency were targeted by the POLONIUM hackers, with a focus on manufacturing, IT, and defense industries.
  • Microsoft observed access to previously breached networks from Iran’s MOIS operators, suggesting coordination between POLONIUM and Iran-linked threat actors.
  • The POLONIUM hackers utilized malware strains such as CreepyDrive and CreepySnail, as well as other PowerShell-based implants, but did not exploit any vulnerabilities in the OneDrive platform.
  • Microsoft has taken measures to block the POLONIUM hackers, including quarantining their tools in security updates and providing recommendations such as using indicators of compromise and updating Microsoft Defender Antivirus.

Targets

The POLONIUM hackers targeted over 20 Israeli organizations, primarily in the manufacturing, IT, and defense industries, as well as one intergovernmental agency. Microsoft observed access to previously breached networks by Iran’s MOIS operators, which suggests coordination with Iran-linked threat actors. The impact on the targeted organizations is significant: they were exposed to potential data exfiltration and unauthorized access to their systems. The apparent collaboration between POLONIUM operators and Iran-linked threat actors raises questions about the extent of the espionage campaign and the motives behind it, and underlines the need for stronger security measures and vigilance in the targeted industries.

Malware Strains and TTPs Used

CreepyDrive, CreepySnail, and other PowerShell-based implants were among the malware strains used by the POLONIUM hackers. These implants did not exploit any vulnerabilities in the OneDrive platform itself; OneDrive was abused as a legitimate cloud service rather than broken into. The threat actors employed several tactics, techniques, and procedures (TTPs): common and unique victim targeting, evidence of hand-off operations between groups, use of OneDrive for command and control (C2), and use of AirVPN to conceal their origin. Notably, 80% of the targeted users had vulnerable Fortinet appliances. Together these TTPs reflect the coordinated nature of the attacks: the PowerShell-based implants allowed the threat actors to execute code and move within compromised networks, while the vulnerable Fortinet appliances provided an initial entry point.

Recommendations

To enhance security measures, it is recommended to utilize indicators of compromise, update antivirus software, block traffic from IP addresses listed in the compromise table, review authentication activity for virtual private networks (VPNs), enable multifactor authentication, and avoid unnecessary sharing of permissions.

  • Utilize indicators of compromise:
    • Regularly monitor and analyze indicators of compromise to detect any signs of malicious activity or intrusion.
    • Implement automated systems to quickly identify and respond to potential threats.
  • Update Microsoft Defender Antivirus:
    • Regularly update and patch Microsoft Defender Antivirus to ensure the latest security features and protection against emerging threats.
    • Enable automatic updates to ensure continuous protection.

By enabling multifactor authentication, organizations can add an extra layer of security to their systems, making it harder for unauthorized individuals to gain access. Additionally, regularly reviewing authentication activity for VPNs can help identify any suspicious or unauthorized access attempts. It is crucial to block traffic from IP addresses listed in the compromise table to prevent any communication with known malicious entities. Lastly, organizations should avoid sharing unnecessary permissions to limit potential attack vectors and reduce the risk of data exfiltration.
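The recommendations above combine three checks that a defender can automate: match VPN authentication events against an indicator-of-compromise (IoC) IP table, flag successful logins that were not protected by multifactor authentication, and turn the IoC table into a firewall deny list. The following script is an added example and is not code from Microsoft or from the article. The IoC addresses, user names and VPN gateway log lines are constructed for the demonstration (RFC 5737 documentation ranges); they are not POLONIUM indicators, and the log line format is an assumption that would have to be adapted to the real VPN appliance.

```python
"""Added example (not from the article): review VPN authentication activity
against an IoC IP list and flag logins that did not complete MFA.

All IP addresses, users and log lines are constructed for the demonstration.
In a real deployment, replace IOC_IPS with the vendor's published IoC table.
"""
import ipaddress
import re

# Constructed IoC list (RFC 5737 documentation addresses, not real indicators).
IOC_IPS = {
    "203.0.113.17",
    "198.51.100.42",
}

# Constructed VPN gateway log: timestamp, user, source IP, result, MFA flag.
# The key=value layout is an assumed format, not a specific vendor's.
SAMPLE_VPN_LOG = """\
2022-06-02T08:14:05Z user=alice src=192.0.2.10 result=success mfa=yes
2022-06-02T08:20:31Z user=bob src=203.0.113.17 result=success mfa=no
2022-06-02T09:02:44Z user=carol src=198.51.100.42 result=failure mfa=no
2022-06-02T09:05:12Z user=carol src=198.51.100.42 result=success mfa=yes
2022-06-02T11:47:59Z user=dave src=192.0.2.55 result=success mfa=no
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)


def parse_vpn_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["src"] = ipaddress.ip_address(ev["src"])
        events.append(ev)
    return events


def review_vpn_auth(events, ioc_ips=IOC_IPS):
    """Return the findings a reviewer would act on.

    ioc_hits: every attempt (success or failure) from an IoC address; failures
              still matter because they show the address probing the gateway.
    no_mfa_success: successful logins that did not complete MFA.
    accounts_to_reset: users with a successful login from an IoC address.
    """
    ioc = {ipaddress.ip_address(ip) for ip in ioc_ips}
    ioc_hits, no_mfa_success, accounts_to_reset = [], [], set()
    for ev in events:
        if ev["src"] in ioc:
            ioc_hits.append(ev)
            if ev["result"] == "success":
                accounts_to_reset.add(ev["user"])
        if ev["result"] == "success" and ev["mfa"] == "no":
            no_mfa_success.append(ev)
    return {
        "ioc_hits": ioc_hits,
        "no_mfa_success": no_mfa_success,
        "accounts_to_reset": sorted(accounts_to_reset),
    }


def block_list(ioc_ips=IOC_IPS):
    """Render the IoC set as /32 networks, ready for a firewall deny list."""
    return sorted(str(ipaddress.ip_network(ip)) for ip in ioc_ips)


if __name__ == "__main__":
    findings = review_vpn_auth(parse_vpn_log(SAMPLE_VPN_LOG))
    for ev in findings["ioc_hits"]:
        print(f"IoC hit: {ev['ts']} {ev['user']} from {ev['src']} ({ev['result']})")
    for ev in findings["no_mfa_success"]:
        print(f"Login without MFA: {ev['ts']} {ev['user']} from {ev['src']}")
    print("Accounts to reset/review:", findings["accounts_to_reset"])
    print("Firewall deny list:", block_list())
```

A failed attempt from an IoC address is reported alongside successes on purpose: it shows the gateway is being probed from known-bad infrastructure even when no account was compromised, which is exactly the VPN authentication activity the recommendations ask teams to review.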

Frequently Asked Questions

How did Microsoft identify the POLONIUM hackers’ access to previously breached networks?

Microsoft collaborated with cybersecurity agencies to identify the POLONIUM hackers’ access to previously breached networks. Threat intelligence played a crucial role in detecting and mitigating the attack, allowing Microsoft to observe the activities of Iran’s MOIS operators.

What are some examples of the malware strains used by POLONIUM?

Examples of malware strains used by POLONIUM include CreepyDrive, CreepySnail, and other PowerShell-based implants. Recommended detection measures include using the published indicators of compromise and keeping Microsoft Defender Antivirus up to date; recommended protective measures include blocking traffic from the IP addresses in the indicators of compromise and enabling multifactor authentication.

How did Microsoft quarantine the POLONIUM tools in security updates?

Microsoft detected the presence of POLONIUM tools in compromised networks through their observation of access to previously breached networks by Iran’s MOIS operators. They developed security updates to quarantine the POLONIUM tools and prevent their abuse for exfiltrating data.

What are some examples of the TTPs (Tactics, Techniques, and Procedures) used by POLONIUM?

Examples of TTPs used by POLONIUM hackers include common unique victim targeting, evidence of hand-off operations, use of OneDrive for command and control, and utilization of AirVPN. These tactics have had a significant impact on cybersecurity measures.

Why did 80% of users have vulnerable Fortinet appliances?

80% of users had vulnerable Fortinet appliances due to a lack of users’ cybersecurity awareness and Fortinet’s patching process. Users may not have been aware of the vulnerabilities or failed to update their appliances with the necessary patches to address the vulnerabilities.
