Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies
Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.
In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center said it suspended over 20 malicious OneDrive applications the group had created and that it notified affected organizations.
"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security, based primarily on victim overlap and commonality of tools and techniques," MSTIC assessed with "Moderate confidence."
Attack chains mounted by the actor have involved custom implants, dubbed CreepyDrive and CreepyBox, that use legitimate cloud services such as OneDrive and Dropbox accounts for command-and-control (C2) communication with its victims.
"The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run," the researchers said.
To counter such threats, customers are advised to enable multi-factor authentication and to review and audit partner relationships so that any unnecessary permissions are removed.
News URL
https://thehackernews.com/2022/06/microsoft-blocks-iran-linked-lebanese.html
Related news
- Microsoft: Chinese hackers use Quad7 botnet to steal credentials
- Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations
- Microsoft dangles $10K for hackers to hijack LLM email service
- Hackers Use Microsoft MSC Files to Deploy Obfuscated Backdoor in Pakistan Attacks