
Microsoft has put a stop to Iranian-linked Lebanese hackers who are targeting Israeli businesses

Microsoft announced on Thursday that it had taken steps to halt malicious activity originating from the abuse of OneDrive by a previously unknown threat actor it tracks as Polonium. The company's Threat Intelligence Center (MSTIC) said it suspended more than 20 malicious OneDrive applications created by Polonium, notified affected organizations, and deleted the offending accounts set up by the Lebanon-based activity group.

MSTIC assessed with moderate confidence that "the observed activity was coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques."


Since February 2022, the group is believed to have compromised more than 20 Israeli organizations and one intergovernmental body with operations in Lebanon. Targets spanned manufacturing, IT, transportation, defense, government, agriculture, finance, and healthcare, and in one case a compromised cloud service provider was used to attack a downstream aviation company and a law firm in a supply chain operation. In the vast majority of cases, initial access is believed to have been gained by exploiting a path traversal vulnerability in Fortinet appliances (CVE-2018-13379) to deploy custom PowerShell implants such as CreepySnail, which connect to a command-and-control (C2) server for follow-on operations.

The actor's attack chains have also included custom tools, named CreepyDrive and CreepyBox, that use legitimate cloud services, namely OneDrive and Dropbox accounts, for C2 and for delivering malicious tools to victims. According to the researchers, the implant supports basic functions that let the attacker upload stolen files and download files to execute.
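The C2 pattern described above (a script interpreter, rather than the official sync client or a browser, pushing files to a cloud-storage API and pulling files back down) is something a defender can look for in proxy or EDR telemetry. The following Python is an added example, not code from Microsoft's report or from the Polonium tooling: it parses constructed sample log lines (the line format, the process allowlist and the hostnames treated as cloud-storage APIs are all assumptions of this example) and raises a finding for any unexpected process talking to those APIs, escalating to high severity when the same process both uploads and downloads content, which is the two-way behaviour attributed to CreepyDrive and CreepyBox.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the report): one record per outbound
# HTTP request, as a proxy or EDR might emit them after TLS inspection.
SAMPLE_LOG = """\
2022-02-14T10:02:11Z host=WS-17 proc=OneDrive.exe dst=api.onedrive.com method=GET path=/v1.0/drive/root/delta
2022-02-14T10:02:15Z host=WS-17 proc=chrome.exe dst=graph.microsoft.com method=GET path=/v1.0/me/drive/root/children
2022-02-14T10:03:40Z host=WS-17 proc=powershell.exe dst=graph.microsoft.com method=PUT path=/v1.0/me/drive/root:/sync/ws17.zip:/content
2022-02-14T10:08:41Z host=WS-17 proc=powershell.exe dst=graph.microsoft.com method=GET path=/v1.0/me/drive/root:/sync/task.ps1:/content
2022-02-14T10:13:42Z host=WS-17 proc=powershell.exe dst=graph.microsoft.com method=GET path=/v1.0/me/drive/root:/sync/task.ps1:/content
2022-02-14T10:20:00Z host=WS-22 proc=Dropbox.exe dst=content.dropboxapi.com method=POST path=/2/files/upload
2022-02-14T10:21:00Z host=WS-22 proc=python.exe dst=api.dropboxapi.com method=POST path=/2/files/list_folder
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+)$"
)

# Hostnames treated as cloud-storage APIs (assumed list for this example).
CLOUD_STORAGE_API_HOSTS = {
    "graph.microsoft.com", "api.onedrive.com",
    "api.dropboxapi.com", "content.dropboxapi.com",
}

# Processes for which cloud-storage API traffic is expected; an assumed baseline that
# an organisation would tune to its own environment.
EXPECTED_PROCESSES = {"onedrive.exe", "dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def parse(log_text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def classify(method, path):
    """Label a request as an upload, a download, or something else (listing, metadata)."""
    if method == "PUT" or path.endswith("/upload"):
        return "upload"
    if path.endswith("/download") or (method == "GET" and path.endswith("/content")):
        return "download"
    return "other"


def detect(records):
    """Return one finding per (host, process) that uses a cloud-storage API unexpectedly.

    Severity is 'high' when the process both uploads and downloads content, the
    pattern of an implant exfiltrating files and fetching payloads through the same
    account, and 'medium' for any other unexpected use.
    """
    seen = defaultdict(set)  # (host, proc) -> set of operation kinds observed
    for r in records:
        if r["dst"] not in CLOUD_STORAGE_API_HOSTS:
            continue
        if r["proc"].lower() in EXPECTED_PROCESSES:
            continue
        seen[(r["host"], r["proc"])].add(classify(r["method"], r["path"]))

    findings = []
    for (host, proc), ops in sorted(seen.items()):
        severity = "high" if {"upload", "download"} <= ops else "medium"
        findings.append({"host": host, "proc": proc, "ops": sorted(ops), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f"[{f['severity']}] {f['host']} {f['proc']} ops={','.join(f['ops'])}")
```

Run against the sample, the OneDrive client and the browser on WS-17 are ignored, powershell.exe on WS-17 is reported as high because it both uploaded a zip and repeatedly downloaded a script, and python.exe on WS-22 is reported as medium for merely listing a Dropbox folder. The allowlist is the weak point of any such rule: an implant injected into a trusted process would not be caught, so this check complements, rather than replaces, the account- and application-level audits Microsoft performed.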


This is not the first time Iranian threat actors have leveraged cloud services. In October 2021, Cybereason disclosed that a group tracked as MalKamak ran an attack campaign that used Dropbox for C2 communications in an effort to stay under the radar.

Additionally, multiple victims compromised by Polonium had previously been targeted by another Iranian group known as MuddyWater (aka Mercury), which US Cyber Command has described as a "subordinate entity" within MOIS.

The victim overlaps support earlier reports that MuddyWater is a conglomerate of multiple teams, similar to Winnti (China) and the Lazarus Group (North Korea). To counter such threats, customers are advised to enable multi-factor authentication and to review and audit partner relationships, removing any unnecessary permissions.
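The recommendation to audit partner relationships and strip superfluous permissions is easy to state and tedious to do by hand, especially when the abuse in this case ran through applications a tenant had consented to. The Python below is an added example, not code from Microsoft or from the report: it takes constructed consent records for third-party applications (the app names, usage figures and the "needed permissions" map are assumptions of this example; the permission strings are real Microsoft Graph scope names) and flags each grant that exceeds what the business requires, carries tenant-wide write privileges, comes from an unverified publisher, or has gone unused for a long time, then proposes an action per app.

```python
from dataclasses import dataclass

# Microsoft Graph scopes that grant tenant-wide data access and are rarely justified
# for a partner integration. Which scopes count as high privilege is a policy choice;
# this set is an assumption of the example.
HIGH_PRIVILEGE = {
    "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All", "Mail.ReadWrite",
}
STALE_AFTER_DAYS = 90  # assumed threshold for "nobody uses this integration any more"


@dataclass(frozen=True)
class AppGrant:
    """One consented third-party application and the permissions it holds."""
    app_name: str
    publisher_verified: bool
    permissions: tuple
    days_since_last_use: int


# Constructed sample consent records, not data from any real tenant.
SAMPLE_GRANTS = [
    AppGrant("Partner Invoice Sync", True, ("User.Read", "Files.Read"), 3),
    AppGrant("Legacy Reporting Connector", False, ("Files.ReadWrite.All", "Mail.ReadWrite"), 210),
    AppGrant("Doc Signing Portal", True, ("User.Read", "Sites.ReadWrite.All"), 12),
]

# What each integration actually needs to do its job, as documented by the business
# owner (assumed for this example). Anything not listed here is excess.
NEEDED = {
    "Partner Invoice Sync": ("User.Read", "Files.Read"),
    "Doc Signing Portal": ("User.Read", "Sites.ReadWrite.All"),
}


def audit(grants, needed_by_app):
    """Return [(app_name, [reasons])] for every grant that violates least privilege."""
    findings = []
    for g in grants:
        needed = set(needed_by_app.get(g.app_name, ()))
        excess = sorted(set(g.permissions) - needed)
        reasons = []
        if excess:
            reasons.append("excess:" + ",".join(excess))
        if HIGH_PRIVILEGE & set(g.permissions):
            reasons.append("high-privilege")
        if not g.publisher_verified:
            reasons.append("unverified-publisher")
        if g.days_since_last_use > STALE_AFTER_DAYS:
            reasons.append("stale")
        if reasons:
            findings.append((g.app_name, reasons))
    return findings


def recommend(reasons):
    """Map a finding's reasons to an action: revoke the grant entirely, reduce it to
    the documented need, or keep it but put it on a periodic review list."""
    if "stale" in reasons or ("unverified-publisher" in reasons and any(r.startswith("excess:") for r in reasons)):
        return "revoke"
    if any(r.startswith("excess:") for r in reasons):
        return "reduce"
    return "review"


if __name__ == "__main__":
    for app, reasons in audit(SAMPLE_GRANTS, NEEDED):
        print(f"{app}: {recommend(reasons)} ({'; '.join(reasons)})")
```

On the sample data the invoice integration passes cleanly, the unused legacy connector with tenant-wide file and mail write access from an unverified publisher is marked for revocation, and the document-signing portal is kept but put on the review list because it holds a high-privilege scope the business has documented as necessary. The "needed" map is the part that takes real work to build; without it, the audit can only flag privilege level and staleness, not excess.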


