Heightened Threat from Iranian State-Sponsored Hackers

A subgroup associated with the Iranian nation-state group, Magic Hound (aka PHOSPHORUS, Mint Sandstorm) was found to be conducting data theft campaigns against "high-value targets." In a report released by Microsoft, the sub-group is tracked as being "technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran’s national priorities." Threat actors in this sub-group gradually honed their proficiency in leveraging publicly disclosed proof-of-concept (POCs). Whilst the Iranian actors had previously been slow to weaponize POCs often taking weeks to adopt. They've since matured, showing their enhanced technical prowess to make immediate use of POCs from the day the POC has been disclosed.

Two attack chains presented by Microsoft shared the same initial stage attack with initial access granted through the exploit of a POC, followed by the execution of a PowerShell script to obtain system and network information. Impacket is then used to initiate lateral movement onto the "higher value devices" identified by the PowerShell script. From here the chains deviate with the first path involving the use of execution of additional PowerShell scripts to conduct additional enumeration activate RDP connections, create an SSH tunnel and ultimately compromise the victim's Active Directory database. In the second variant of the attack chain, following the use of Impacket, the threat actors connected to their C2, established persistence through a scheduled task and deployed their own custom implants "such as Drokbok and Solider." These malware are crafted to leverage the attacker-controlled "GitHub repositories to host a domain rotator containing the operators’ C2 domains," enabling them to "dynamically update their C2 infrastructure," as examined by Microsoft.