Microsoft detected and disabled OneDrive attacks from Lebanese hackers

Lebanese hacker group targeted Israeli organizations before the Microsoft block

Microsoft's threat intelligence group stopped the Polonium hacker group. Hackers abused cloud services, and Microsoft managed to detect and disrupt the operations.

Microsoft revealed a hacker campaign targeting Israeli companies. The campaigns were detected and blocked by disabling malicious activity that stemmed from the abuse of OneDrive by a previously undocumented threat actor.[1] The hacker group is tracked under the chemical element-themed moniker Polonium.[2]

Microsoft's Threat Intelligence Center said that the experts not only removed accounts created by the attackers but also suspended 20 malicious OneDrive applications.[3] The research team also notified all the affected organizations. The discovered activities were coordinated with actors affiliated with Iran's Ministry of Intelligence and Security (MOIS). This assessment was based on victim overlap and the commonality of the tools and techniques used in these campaigns.

The majority of targets were companies in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors. In addition, one cloud service provider was compromised in a supply chain attack in order to reach a downstream aviation company and a law firm.[4]

Exploiting a flaw in Fortinet appliances

In many of the observed cases, initial access was obtained by exploiting a path traversal vulnerability in Fortinet appliances. The flaw, tracked as CVE-2018-13379,[5] gave the attackers the foothold needed to drop custom PowerShell implants such as CreepySnail, which establishes connections to the C&C servers for further malicious actions.

The attack chain involves various tools that abuse legitimate cloud services, namely OneDrive and Dropbox accounts. Against victims, the attackers were discovered using malicious tools named CreepyDrive and CreepyBox. As the researchers report:

The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run

The Polonium group has been observed since February 2022, and the researchers' report states that these tactics reflect a growing trend of malicious actors targeting service providers to gain downstream access. Microsoft might continue to monitor ongoing activity from the Lebanon-based Polonium group and other Iranian MOIS-affiliated actors in order to provide protection and insights.
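The implants described above move data through OneDrive and Dropbox, so one practical detection angle for defenders is cloud-storage API traffic issued by scripting runtimes (such as PowerShell) rather than by a browser or the official sync client. The following is an added example written for this article, not code from Microsoft or from the researchers; the proxy log lines, the list of watched hostnames and the user-agent patterns are all constructed assumptions to be adapted to your own environment.

```python
import re
from collections import defaultdict

# Constructed web-proxy log lines (sample data, not from the article).
# Format: timestamp client_ip "user_agent" destination_host http_method
SAMPLE_PROXY_LOG = """\
2022-06-02T09:14:01Z 10.0.12.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/101.0" graph.microsoft.com GET
2022-06-02T09:15:30Z 10.0.12.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/101.0" graph.microsoft.com PUT
2022-06-02T11:02:44Z 10.0.31.5 "Mozilla/5.0 (Windows NT; Win64; x64) WindowsPowerShell/5.1.19041.1" login.microsoftonline.com POST
2022-06-02T11:02:45Z 10.0.31.5 "Mozilla/5.0 (Windows NT; Win64; x64) WindowsPowerShell/5.1.19041.1" graph.microsoft.com GET
2022-06-02T11:03:10Z 10.0.31.5 "Mozilla/5.0 (Windows NT; Win64; x64) WindowsPowerShell/5.1.19041.1" graph.microsoft.com PUT
2022-06-02T11:20:10Z 10.0.31.5 "Mozilla/5.0 (Windows NT; Win64; x64) WindowsPowerShell/5.1.19041.1" content.dropboxapi.com POST
2022-06-02T12:00:00Z 10.0.40.9 "OneDrive/22.111" graph.microsoft.com PUT
"""

# Cloud-storage API endpoints to watch (assumed list; extend for your environment).
CLOUD_STORAGE_HOSTS = {
    "graph.microsoft.com", "api.onedrive.com",
    "api.dropboxapi.com", "content.dropboxapi.com",
}
# User-agent fragments typical of scripting runtimes rather than interactive clients.
SCRIPT_UA = re.compile(r"PowerShell|python-requests|curl/|Wget/", re.IGNORECASE)
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+)$')

def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, ua, host, method = m.groups()
    return {"ts": ts, "ip": ip, "ua": ua, "host": host, "method": method}

def find_scripted_cloud_storage_use(log_text):
    """Summarise, per client IP, cloud-storage API traffic sent by scripting user agents."""
    hits = defaultdict(lambda: {"hosts": set(), "uploads": 0, "first_seen": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["host"] not in CLOUD_STORAGE_HOSTS:
            continue
        if not SCRIPT_UA.search(rec["ua"]):
            continue  # browser or official sync client: expected traffic
        entry = hits[rec["ip"]]
        entry["hosts"].add(rec["host"])
        if rec["method"] in ("PUT", "POST"):
            entry["uploads"] += 1  # uploads from a script are the exfiltration signal
        entry["first_seen"] = entry["first_seen"] or rec["ts"]
    return {ip: {"hosts": sorted(v["hosts"]), "uploads": v["uploads"],
                 "first_seen": v["first_seen"]} for ip, v in hits.items()}

if __name__ == "__main__":
    for ip, summary in find_scripted_cloud_storage_use(SAMPLE_PROXY_LOG).items():
        print(ip, summary)
```

On the constructed sample, only the PowerShell host 10.0.31.5 is reported: it talks to both the OneDrive (Graph) and Dropbox endpoints and performs two uploads, while the browser session and the official sync client are ignored.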

Iranian hackers tend to take advantage of cloud services

Iranian threat actors have leveraged cloud services before. In October 2021, a similar campaign was disclosed by other researchers: Cybereason reported an attack staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay undetected.

Back then, an attack named Operation Ghostshell used a previously undocumented, stealthy remote access trojan named ShellClient. The hackers deployed the malware as their main spying tool, and the first such attacks were discovered back in July 2021 against a particular set of victims. These were highly targeted attacks.

MSTIC also reported that victims of the Polonium hacker group had previously been targeted by the MuddyWater hackers. This is another Iranian group, which the US Cyber Command has identified as a subordinate element within the MOIS. Victims overlap between these attacks and those described in earlier reports.

Users are advised to enable two-factor authentication to counter these threats. It also helps to keep Microsoft Defender Antivirus updated and to review all authentication activity for remote access infrastructure such as VPNs. Customers that have relationships with service providers should review and audit these partner relationships to remove any unnecessary permissions.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
