Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

Microsoft blocked Polonium attacks against Israeli organizations

Microsoft blocked an attack activity aimed at Israeli organizations attributed to a previously unknown Lebanon-based hacking group tracked as POLONIUM. Microsoft announced to have blocked a series of attacks targeting Israeli organizations that have been conducted by a previously unknown Lebanon-based hacking group tracked as POLONIUM. POLONIUM has targeted or compromised more than 20 Israeli […]

Microsoft Office zero-day

Microsoft blocked an attack activity aimed at Israeli organizations attributed to a previously unknown Lebanon-based hacking group tracked as POLONIUM.

Microsoft announced to have blocked a series of attacks targeting Israeli organizations that have been conducted by a previously unknown Lebanon-based hacking group tracked as POLONIUM. POLONIUM has targeted or compromised more than 20 Israeli organizations and one intergovernmental organization with operations in Lebanon over the past three months. Since February, the attacks targeted organizations in critical manufacturing, IT, and Israel’s defense industry. 

Threat actors were observed abusing OneDrive, for this reason, the IT giant has suspended more than 20 malicious OneDrive applications created by POLONIUM actors, notified affected organizations, and deployed a series of security intelligence updates that will quarantine malicious tools developed by the attackers.

MSTIC researchers believe that the attackers were coordinated with other actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap and TTPs. This circumstance is confirmed by revelations that emerged in the last couple of years that the Iranian government is using cyber mercenaries for its operations.

“This actor has deployed unique tools that abuse legitimate cloud services for command and control (C2) across most of their victims.” reads the analysis published by Microsoft. “POLONIUM was observed creating and using legitimate OneDrive accounts, then utilizing those accounts as C2 to execute part of their attack operation.”

MSTIC has observed POLONIUM active on or targeting multiple organizations that were previously compromised by Iran-linked MuddyWater APT (aka MERCURY). 

POLONIUM notified affected organizations and deployed a series of security intelligence updates that will quarantine tools developed by POLONIUM operators.

The IT giant pointed out that threat actors did not exploit any vulnerabilities on the OneDrive platform.

The threat actors employed in the attacks multiple custom implants, such as CreepyDrive and CreepySnail, that utilize cloud services for command and control as well as data exfiltration.

The analysis of the attack revealed that approximately 80% of the observed victims were using Fortinet appliances, a circumstance that suggests the attackers may have compromised their network by exploiting the CVE-2018-13379 vulnerability.

In at least one case, POLONIUM conducted a supply chain attack through the compromise of a cloud service provider based in Israel and likely used this access to compromise downstream customers of the service provider. 

Microsoft provides indicators of compromise (IoCs) for these attacks and recommends customers verify that Microsoft Defender Antivirus uses the latest security intelligence updates (1.365.40.0 or later), use multi-factor authentication (MFA) for all remote connectivity, and review all authentication activity for remote access infrastructure (VPNs).

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, POLONIUM)

[adrotate banner=”5″]

[adrotate banner=”13″]