MERCURY, DEV-1084 conducting pseudo-ransomware attacks.
Apr 10, 2023

Tehran appears to take a page from Moscow’s playbook as Iranian-linked pseudo-ransomware wipes data.

Microsoft Threat Intelligence described on Friday how MERCURY, an Iranian government-linked cyber threat actor, has begun working with an as-yet unidentified group Microsoft tracks as “DEV-1084.” The two groups appear to be conducting pseudo-ransomware attacks: they stage a ransomware incident and then destroy the data they purport to be holding for ransom, so the incidents amount to wiper attacks. The groups gained access to on-premises resources as well as cloud environments, which allowed them to do extensive damage to the target’s infrastructure.

MERCURY used known vulnerabilities in applications to gain access. 

Microsoft assesses that “the threat actors attempted several times and succeeded to perform initial intrusion leveraging exposed vulnerable applications, for example, continuing to exploit Log4j 2 vulnerabilities in unpatched systems in July 2022.” After gaining access, the actors used native Windows tools to move through the network in an attempt to remain undetected. Microsoft writes, “MERCURY likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage.” The time frame over which this operation took place shows the persistence of these groups, while the lack of any clear financial gain from this kind of attack suggests that the main goal was denial of service and data destruction. Microsoft explains, “DEV-1084 was then later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients.” The attacks would therefore seem to involve sabotage, collection, and battlespace preparation.

Experts recommend knowing your network and patching vulnerable applications.

Responding to this new attack, Brian Contos, CSO at Sevco Security, writes, “MERCURY and DEV-1084 are examples of attackers exploiting known vulnerabilities on unpatched applications and abusing privileged user accounts… Organizations must invest in asset intelligence to understand the state of their assets across possibly dozens of different sources…” Microsoft suggests enabling several features in its products to alert administrators to attempted mass deletions, and then disabling accounts conducting suspicious activity.