At a glance.
- Iranian APT MERCURY exploits known vulnerabilities.
- US investigates apparent leaks of classified information about Russia's war against Ukraine.
- KillNet claims it has paralyzed NATO websites.
- More apparent doxing of the GRU.
- Cloud security trends.
Iranian APT MERCURY exploits known vulnerabilities.
Microsoft Threat Intelligence described Friday how MERCURY, an Iranian government-linked cyber threat actor, has begun working with an unidentified organization Microsoft calls “DEV-1084.” The two groups appear to conduct pseudo-ransomware attacks and then destroy the data they were supposedly holding for ransom, so the incidents amount to wiper attacks. The groups gained access to on-premises resources as well as cloud environments, which allowed them to inflict extensive damage on the target’s infrastructure.
Microsoft assesses that “the threat actors attempted several times and succeeded to perform initial intrusion leveraging exposed vulnerable applications, for example, continuing to exploit Log4j 2 vulnerabilities in unpatched systems in July 2022.” Once access was gained, the actors used native Windows tools to work through the network in an attempt to remain undetected. Microsoft writes, “MERCURY likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage.” The time frame over which this operation unfolded shows the persistence of these groups, while the absence of any clear financial gain suggests that the main goal was denial of service and data destruction. Microsoft explains, “DEV-1084 was then later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients.” The attacks would therefore seem to involve sabotage, collection, and battlespace preparation. For more on MERCURY, see CyberWire Pro.
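The final stage Microsoft describes, a highly privileged identity deleting server farms, virtual machines, storage accounts, and virtual networks in bulk, is the kind of activity a cloud activity log makes visible. The following is an added example, not code from Microsoft or the CyberWire, that flags any principal deleting several of those resource types within a short sliding window. The log records are constructed and use a simplified hypothetical schema (`time`, `principal`, `operation`, `resource_type`), not the real Azure Activity Log format; the window and threshold are assumed tuning values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified, hypothetical activity-log schema.
# One compromised admin identity deletes six high-value resources in about two
# minutes; an operations engineer deletes two VMs more than an hour apart.
SAMPLE_EVENTS = [
    {"time": "2023-04-07T02:00:05Z", "principal": "admin-compromised@contoso.example", "operation": "delete", "resource_type": "virtualMachines"},
    {"time": "2023-04-07T02:00:20Z", "principal": "admin-compromised@contoso.example", "operation": "delete", "resource_type": "virtualMachines"},
    {"time": "2023-04-07T02:00:41Z", "principal": "admin-compromised@contoso.example", "operation": "delete", "resource_type": "storageAccounts"},
    {"time": "2023-04-07T02:00:50Z", "principal": "admin-compromised@contoso.example", "operation": "write",  "resource_type": "virtualMachines"},
    {"time": "2023-04-07T02:01:02Z", "principal": "admin-compromised@contoso.example", "operation": "delete", "resource_type": "serverFarms"},
    {"time": "2023-04-07T02:01:30Z", "principal": "admin-compromised@contoso.example", "operation": "delete", "resource_type": "virtualNetworks"},
    {"time": "2023-04-07T02:02:10Z", "principal": "admin-compromised@contoso.example", "operation": "delete", "resource_type": "virtualMachines"},
    {"time": "2023-04-07T09:15:00Z", "principal": "ops-engineer@contoso.example",      "operation": "delete", "resource_type": "virtualMachines"},
    {"time": "2023-04-07T10:40:00Z", "principal": "ops-engineer@contoso.example",      "operation": "delete", "resource_type": "virtualMachines"},
    {"time": "2023-04-07T11:00:00Z", "principal": "ops-engineer@contoso.example",      "operation": "delete", "resource_type": "publicIPAddresses"},
]

# Resource types named in Microsoft's description of the destruction stage.
HIGH_VALUE_TYPES = {"serverFarms", "virtualMachines", "storageAccounts", "virtualNetworks"}


def parse_time(value):
    """Parse the constructed 'Z'-suffixed UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mass_deletion(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per principal whose deletions of high-value resource
    types reach `threshold` inside any sliding window of length `window`.

    Each alert records the principal, the peak deletion count, and the first
    and last timestamps of the densest window found.
    """
    deletions_by_principal = defaultdict(list)
    for event in events:
        if event["operation"] == "delete" and event["resource_type"] in HIGH_VALUE_TYPES:
            deletions_by_principal[event["principal"]].append(parse_time(event["time"]))

    alerts = []
    for principal, times in deletions_by_principal.items():
        times.sort()
        start = 0
        best_count = 0
        best_span = None
        # Two-pointer sweep: advance `start` until the window fits, then score it.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_span = (times[start], times[end])
        if best_count >= threshold:
            alerts.append({
                "principal": principal,
                "deletions": best_count,
                "first": best_span[0].isoformat(),
                "last": best_span[1].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_deletion(SAMPLE_EVENTS):
        print(f"ALERT: {alert['principal']} deleted {alert['deletions']} high-value "
              f"resources between {alert['first']} and {alert['last']}")
```

Because the sweep keys on the identity rather than on any single resource, it also catches a burst spread across several subscriptions or resource groups, which is how a compromised highly privileged credential tends to be used; legitimate decommissioning that happens gradually, like the operations engineer's two deletions here, stays below the threshold.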