Security News > 2022 > June > Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies

Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies
2022-06-04 01:43

Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.

In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center said it suspended over 20 malicious OneDrive applications created and that it notified affected organizations.

"The observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security, based primarily on victim overlap and commonality of tools and techniques," MSTIC assessed with "Moderate confidence."

Attack chains mounted by the actor have involved the use of custom tools that leverage legitimate cloud services such as OneDrive and Dropbox accounts for C2 using malicious tools dubbed CreepyDrive and CreepyBox with its victims.

"The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run," the researchers said.

To counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.


News URL

https://thehackernews.com/2022/06/microsoft-blocks-iran-linked-lebanese.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 365 50 1369 2820 161 4400