Iranian Nation-State Actor “Mint Sandstorm” Weaponizes N-day Flaws

A subgroup of the Iranian nation-state actor Mint Sandstorm is weaponizing N-day vulnerabilities and adopting new techniques to gain access to environments of interest.

The threat actor, also tracked as Phosphorus, is a subgroup of Mint Sandstorm, a group associated with APT35, APT42, Charming Kitten and TA453, Microsoft reported in an advisory released on Tuesday.


“This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tools, rapidly weaponizing N-day vulnerabilities, and demonstrating agility in its operational focus, and appears to be consistent with Iran’s national priorities,” Microsoft wrote.

The company said that from late 2021 to mid-2022, the attackers shifted from reconnaissance to direct attacks on US critical infrastructure, including seaports, energy companies, transportation systems, and US utilities, including gas utilities.

Among the techniques used by the Mint Sandstorm subgroup is the adoption of publicly available proof-of-concept (POC) code to exploit flaws in internet-facing applications.

“By 2023, this subgroup was slow to adopt exploits against recently disclosed vulnerabilities in publicly reported POCs,” reads the advisory. “We have observed a significant reduction in the time required for this subgroup to adopt and incorporate public POCs.”

Additionally, after 2022, the subgroup began using two custom .NET implants, Drokbk and Soldier, to maintain persistence on victim machines and download additional tools.

“Microsoft has also observed this Mint Sandstorm subgroup using a well-defined attack chain that includes a low-volume phishing campaign and a third custom implant,” the company explained.

Microsoft said the new intrusion techniques attributed to this group allow operators to conceal C2 communications, persist on compromised systems, and deploy several post-compromise tools with various capabilities, adding that it was concerned by this development.

“Successful intrusions can damage an organization’s reputation, especially those responsible for providing services to others, such as the critical infrastructure providers that Mint Sandstorm has targeted in the past.”

Microsoft has recommended a set of mitigations to protect against this Mint Sandstorm subgroup, including hardening internet-facing assets and reducing the attack surface with the attack surface reduction rules listed in the advisory.
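The practical consequence of the shrinking gap between a public POC and its adoption (the quoted advisory text above) is that the exposure window of an unpatched internet-facing asset matters more than the vulnerability's age. The script below is an added example, not code from the article or from Microsoft's advisory: it takes a constructed asset inventory and a constructed list of advisories (the product names, version numbers, `EXAMPLE-*` identifiers and dates are placeholders, not real advisories), computes how many days each still-vulnerable asset has been exposed since a public POC appeared, and ranks internet-facing assets first so that the hardening work the advisory recommends can be prioritized.

```python
"""Exposure-window triage for internet-facing assets against N-day flaws.

Added example (not from the article or Microsoft's advisory). All data below
is constructed for illustration; the EXAMPLE-* identifiers are placeholders.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'9.10.1' -> (9, 10, 1). Tuple comparison gives 9.10 > 9.2, which a
    plain string comparison would get wrong. A trailing non-numeric suffix
    such as '4.3.1-hotfix2' is ignored (-> (4, 3, 1))."""
    parts: List[int] = []
    for part in text.strip().split("."):
        match = re.match(r"\d+", part)
        if not match:
            break
        parts.append(int(match.group()))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


@dataclass(frozen=True)
class Advisory:
    vuln_id: str          # placeholder identifier, not a real CVE
    product: str
    fixed_version: Version
    poc_published: date   # first day a public POC was available


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: Version
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    hostname: str
    vuln_id: str
    exposure_days: int
    internet_facing: bool
    over_sla: bool


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Affected when the product matches and the running version predates the fix."""
    return asset.product == adv.product and asset.version < adv.fixed_version


def exposure_days(adv: Advisory, today: date) -> int:
    """Days a still-vulnerable asset has been exposed since the POC went public."""
    return max(0, (today - adv.poc_published).days)


def triage(assets: List[Asset], advisories: List[Advisory],
           today: date, sla_days: int) -> List[Finding]:
    """Return findings ordered internet-facing first, then longest exposure first."""
    findings = [
        Finding(a.hostname, adv.vuln_id, exposure_days(adv, today),
                a.internet_facing, exposure_days(adv, today) > sla_days)
        for a in assets for adv in advisories if is_affected(a, adv)
    ]
    findings.sort(key=lambda f: (not f.internet_facing, -f.exposure_days, f.hostname))
    return findings


# Constructed sample data: placeholder products, versions and dates.
ADVISORIES = [
    Advisory("EXAMPLE-2023-0001", "webgateway", parse_version("4.3.2"), date(2023, 3, 1)),
    Advisory("EXAMPLE-2023-0002", "mailportal", parse_version("2.8.0"), date(2023, 4, 10)),
]
ASSETS = [
    Asset("vpn-edge-01", "webgateway", parse_version("4.3.1-hotfix2"), True),
    Asset("intranet-02", "webgateway", parse_version("4.2.9"), False),
    Asset("mail-01", "mailportal", parse_version("2.8.0"), True),   # already on the fixed version
    Asset("mail-02", "mailportal", parse_version("2.7.5"), True),
]
TODAY = date(2023, 4, 20)
SLA_DAYS = 7  # assumed patch deadline for internet-facing assets once a POC is public


if __name__ == "__main__":
    for f in triage(ASSETS, ADVISORIES, TODAY, SLA_DAYS):
        flag = "OVER SLA" if f.over_sla else "within SLA"
        scope = "internet-facing" if f.internet_facing else "internal"
        print(f"{f.hostname:12} {f.vuln_id:18} {f.exposure_days:3d} days exposed  {scope:15} {flag}")
```

The ordering deliberately puts an internet-facing host with a shorter exposure ahead of an internal host with a longer one, because the article's point is that public-POC exploitation lands on the internet-facing surface first; the SLA threshold is an assumed value and should be set from the organization's own patch policy.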

Its publication comes weeks after Secureworks disclosed details of a new Iranian government-backed cyber espionage operation targeting women’s human rights activists.
