The IT Nerd

Microsoft has discovered an Iranian hacking group known as ‘Mint Sandstorm’ conducting cyberattacks on US critical infrastructure as a possible retaliation for recent attacks on their infrastructure including Iran’s railway system in June 2021 and a cyberattack causing an outage at Iranian gas stations in October 2021.

Microsoft says the attacks commonly use PoC exploits as they become public. Once they gain access to a network the threat actors determine if it is high-value then they deploy two attack chains to steal the target’s Windows Active Directory database to obtain users’ credentials and deploy custom backdoor malware allowing the intruders to maintain persistence on the compromised networks and deploy additional payloads.

Microsoft says the attackers also conducted low-volume phishing attacks against a small number of targeted victims.

“Capabilities observed in intrusions attributed to Mint Sandstorm are concerning as they allow operators to conceal C2 communication, persist in a compromised system, and deploy a range of post-compromise tools with varying capabilities,” warns Microsoft.

Matt Mullins, Senior Security Researcher, Cybrary had this comment:

   “Mint Sandstorm exhibits tell-tale marks of a more sophisticated adversary approach. Their attack process relies on timing, since they are racing against patch timing for publicly disclosed new CVEs. With this being said, there is an obvious effort to scour the internet for information on the latest PoCs, weaponizing them, and then swiftly launching campaigns to gain an initial foothold into networks. Outside of this initial access vector, the utilization of template injection in tandem with small batches of phishing emails leads to a cautious and furtive approach to initial access using traditional phishing methods.

   “Once inside, they appear to execute more standard post-exploitation operational procedures: recon, credential theft and lateral movement, then escalation leading to exfiltration. None of this tradecraft is particularly advanced at this stage but merely standard and sufficient operation to maneuver in an internal network. Detection of tools like Impacket isn’t anything new with a number of endpoint protections giving a specific perspective of what this activity could look like on a compromised host. Further, the exfiltration of a dumped AD database could be surmised as simply the attackers DCSync’ing or shadowing and with this vector there are robust detections available as well.

   “Custom malware is always a bit harder but as the toolkits are more publicly shared, ensuring that properly updated signatures will help a great deal with this aspect. While initial payload detection is difficult at times, there are a number of ways to detect threat actors once they begin to execute on the box. There is no way to be 100% invisible! There are always tell-tale marks left and thus as defenders we must use defense in depth and have well trained analysts and threat hunters who are capable to look closer at escalated tickets.”

Zach Hanley, Chief Attack Engineer, Horizon3.ai follows up with this:

   “Threat actors are identifying and increasingly exploiting processes, or lack of processes, in vulnerability management. They can invest in discovering 0-days, or they can abuse known, recent vulnerabilities that become public. The continuous intelligence loop of identifying emerging threats and acting on the new risks before your adversary can, will become a more critical investment that organizations will have to weigh in their overall security model. Gone are the days where an annual penetration test sufficed for reducing an organization’s risk.”

I suspect that this sort of behaviour is going to become increasingly more common. Whether it’s by Iran or Russia or by some other nation state is irrelevant. It’s clear that this sort of “tit for tat” hacks are going to become the new normal going forward.