October 15, 2024

Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium.

In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant’s Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications the group had created and notified affected organizations.

“The observed activity was coordinated with other actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based primarily on victim overlap and commonality of tools and techniques,” MSTIC assessed with “moderate confidence.”

The adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022.

Targets of interest included entities in the manufacturing, IT, transportation, defense, government, agriculture, financial, and healthcare sectors, with one cloud service provider compromised to target a downstream aviation company and law firm in what amounts to a supply chain attack.

In a vast majority of the cases, initial access is believed to have been obtained by exploiting a path traversal flaw in Fortinet appliances (CVE-2018-13379), abusing it to drop custom PowerShell implants like CreepySnail that establish connections to a command-and-control (C2) server for follow-on actions.

Attack chains mounted by the actor have involved custom tools dubbed CreepyDrive and CreepyBox that use legitimate cloud services such as OneDrive and Dropbox accounts for C2 communications with its victims.

“The implant provides basic functionality of allowing the threat actor to upload stolen files and download files to run,” the researchers said.
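The tradecraft described above (a script-based implant using a legitimate cloud-storage account to upload stolen files and fetch files to run) leaves a signal in egress telemetry: a scripting host, rather than the vendor's sync client or a browser, talking to a cloud-storage API, often in upload-heavy sessions. The following hunt is an added example and is not code from Microsoft, MSTIC, or the article; the log format, the process allow/deny sets, and the sample records are constructed assumptions, and the hostnames are the public API endpoints of the two services named in the report, listed only to illustrate the pattern.

```python
"""Constructed example: flag script-host processes talking to cloud-storage APIs.

Assumed record format (one per line, whitespace-separated):
    <timestamp> <endpoint> <process_name> <destination_host> <bytes_out> <bytes_in>
"""
from dataclasses import dataclass
from typing import List, Tuple

# Public API hostnames of the two cloud services named in the report.
# Illustrative, not an exhaustive list of either vendor's endpoints.
CLOUD_STORAGE_HOSTS = {
    "graph.microsoft.com",
    "api.onedrive.com",
    "api.dropboxapi.com",
    "content.dropboxapi.com",
}

# Script/LOLBin hosts that have no business driving cloud-storage traffic on their own.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# The vendors' own sync clients legitimately push large uploads; exclude them from the volume rule.
SYNC_CLIENTS = {"onedrive.exe", "dropbox.exe"}


@dataclass
class Connection:
    timestamp: str
    endpoint: str
    process: str
    dest_host: str
    bytes_out: int
    bytes_in: int


def parse_line(line: str) -> Connection:
    """Parse one record; process and host are normalised to lower case for set lookups."""
    ts, endpoint, process, dest, out_b, in_b = line.split()
    return Connection(ts, endpoint, process.lower(), dest.lower(), int(out_b), int(in_b))


def is_suspicious(conn: Connection, upload_ratio: float = 5.0) -> List[str]:
    """Return the reasons a connection is worth an analyst's attention (empty list = benign)."""
    reasons: List[str] = []
    if conn.dest_host not in CLOUD_STORAGE_HOSTS:
        return reasons
    # High-confidence: a scripting host reaching a storage API directly.
    if conn.process in SCRIPT_HOSTS:
        reasons.append("script host contacting cloud-storage API")
    # Lower-confidence heuristic: upload-dominated session from something other than the sync client.
    if conn.process not in SYNC_CLIENTS and conn.bytes_out > 0:
        dominated = conn.bytes_in == 0 or conn.bytes_out / conn.bytes_in >= upload_ratio
        if dominated:
            reasons.append("upload-heavy transfer to cloud-storage API")
    return reasons


def analyze(lines: List[str]) -> List[Tuple[Connection, List[str]]]:
    """Parse every record and keep only those with at least one reason."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        conn = parse_line(line)
        reasons = is_suspicious(conn)
        if reasons:
            flagged.append((conn, reasons))
    return flagged


# Constructed sample telemetry: one legitimate sync, one browser session, one mail client,
# and two script-host sessions that mimic the reported implant behaviour.
SAMPLE_LOG = [
    "2022-06-02T10:15:01Z WS-1 OneDrive.exe graph.microsoft.com 450000 12000",
    "2022-06-02T10:16:33Z WS-1 powershell.exe graph.microsoft.com 2048 512",
    "2022-06-02T10:20:10Z SRV-2 chrome.exe api.dropboxapi.com 800 4000",
    "2022-06-02T10:21:45Z SRV-2 powershell.exe content.dropboxapi.com 900000 1000",
    "2022-06-02T10:25:00Z WS-3 outlook.exe outlook.office365.com 5000 30000",
]

if __name__ == "__main__":
    for conn, reasons in analyze(SAMPLE_LOG):
        print(f"{conn.timestamp} {conn.endpoint} {conn.process} -> {conn.dest_host}: {'; '.join(reasons)}")
```

The first rule is the one to alert on; the upload-ratio heuristic is a triage aid, since browsers and other legitimate software also upload to these services, and the threshold would be tuned against a baseline of the environment's normal traffic.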

This is not the first time Iranian threat actors have taken advantage of cloud services. In October 2021, Cybereason disclosed an attack campaign staged by a group called MalKamak that used Dropbox for C2 communications in an attempt to stay under the radar.

Additionally, MSTIC noted that multiple victims that were compromised by Polonium were previously targeted by another Iranian group called MuddyWater (aka Mercury), which has been characterized by the U.S. Cyber Command as a “subordinate element” within MOIS.

The victim overlaps lend credence to earlier reports that MuddyWater is a “conglomerate” of multiple teams along the lines of Winnti (China) and the Lazarus Group (North Korea).

To counter such threats, customers are advised to enable multi-factor authentication as well as review and audit partner relationships to minimize any unnecessary permissions.