Many state-sponsored attack groups have extensive arsenals of custom tools and malware that they deploy in their intrusions, but sometimes it’s the simple techniques and tactics that can be the most effective. For one group that’s been successful in targeting organizations in the aerospace, defense, and energy industries, large-scale password spraying has become a key tool in compromising Outlook accounts as an entry point for its intrusions.
Password spraying attacks are relatively simple but can be quite effective and devastating for an organization that does not have another layer of defense, such as multifactor authentication, on a targeted account. Rather than trying a large number of passwords against one account, as in a normal brute force attack, password spraying relies on trying a few commonly used passwords against a large number of accounts. Attackers typically use this technique on email accounts, especially corporate ones that can grant them entry to the wider network.
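Because a spray spreads a few guesses across many accounts, it slips under the per-account lockout thresholds that catch a classic brute force. The detection below is an added example (not from the article or from Microsoft) that keys on the source instead: one IP failing against many distinct accounts with only a handful of attempts each. The log records are constructed, and the IP addresses come from the reserved documentation ranges.

```python
"""Detect password spraying in sign-in logs by counting distinct accounts per source.

Added example, not code from the original article. Each event is
(timestamp, source_ip, user, result), mimicking what an identity provider or
federation service exports. Sample data below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T = lambda h, m: datetime(2020, 6, 1, h, m)  # constructed timestamps, one day

SAMPLE_EVENTS = [
    # A user mistyping twice and then succeeding: normal, one account, one source.
    (T(8, 50), "198.51.100.4", "alice", "FAILURE"),
    (T(8, 51), "198.51.100.4", "alice", "FAILURE"),
    (T(8, 52), "198.51.100.4", "alice", "SUCCESS"),
    # A spray: one source, one guess each against six accounts in five minutes.
    (T(9, 0), "203.0.113.7", "alice", "FAILURE"),
    (T(9, 1), "203.0.113.7", "bob", "FAILURE"),
    (T(9, 2), "203.0.113.7", "carol", "FAILURE"),
    (T(9, 3), "203.0.113.7", "dave", "FAILURE"),
    (T(9, 4), "203.0.113.7", "erin", "FAILURE"),
    (T(9, 5), "203.0.113.7", "frank", "FAILURE"),
    # One of the sprayed accounts then authenticates from the spraying source.
    (T(9, 6), "203.0.113.7", "bob", "SUCCESS"),
    # Classic brute force: many guesses against a single account. Not a spray.
] + [(T(10, i), "192.0.2.9", "admin", "FAILURE") for i in range(10)]


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Return {source_ip: sorted targeted accounts} for sources whose failures
    hit at least `min_accounts` distinct accounts inside `window`, with no
    single account failing more than `max_per_account` times (the spray shape).
    """
    failures_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAILURE":
            failures_by_ip[ip].append((ts, user))

    alerts = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        # Slide a window starting at each failure; flag on the first window that matches.
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[ip] = sorted(per_user)
                break
    return alerts


def compromised_after_spray(events, spray_ips):
    """Accounts that authenticated successfully from a source flagged as spraying.
    These are the identities to reset and to check for MFA enrollment first."""
    hits = {user for _, ip, user, result in events if result == "SUCCESS" and ip in spray_ips}
    return sorted(hits)


if __name__ == "__main__":
    sprays = detect_spray(SAMPLE_EVENTS)
    for ip, users in sprays.items():
        print(f"spray from {ip}: {len(users)} accounts targeted")
    print("accounts logged in from spraying sources:", compromised_after_spray(SAMPLE_EVENTS, sprays))
```

The brute-force source in the sample is deliberately not flagged: it is one account being hammered, which a lockout policy already handles. The thresholds are assumptions to tune against your own baseline; a federated SSO endpoint exposed to the Internet typically needs the distinct-account count measured per source network as well as per IP, since sprayers rotate addresses.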
Outlook and Office 365 are prime targets for this kind of attack, and Microsoft researchers have been tracking several intrusions by a group Microsoft calls Holmium that employ password spraying against Microsoft Entra ID Federation Services (AD FS). The AD FS system allows organizations to use single sign-on services exposed to the Internet, and Microsoft’s team found that enterprises that didn’t have MFA enabled were easier targets for Holmium in these intrusions.
“After successfully identifying a few user and password combinations via password spray, HOLMIUM used virtual private network (VPN) services with IP addresses associated with multiple countries to validate that the compromised accounts also had access to Office 365,” the Microsoft Threat Protection Intelligence Team said in an analysis of the recent attacks.
“Armed with a few compromised Office 365 accounts and not blocked by MFA defense, the group launched the next step with Ruler and configured a malicious Home Page URL which, once rendered during a normal email session, resulted in the remote code execution of a PowerShell backdoor through the exploitation of a vulnerability like CVE-2017-11774.”
That vulnerability allows the attackers to bypass some of the security features in Outlook and run arbitrary commands. From there, the Holmium attackers run a custom backdoor known as Powerton and install some payloads for persistence on the machine. Then it’s off to the races.
“Once the group has taken control of the endpoint (in addition to the cloud identity), the next phase was hours of exploration of the victim’s network, enumerating user accounts and machines for additional compromise, and lateral movement within the perimeter. HOLMIUM attacks typically took less than a week from initial access via the cloud to obtaining unhampered access and full domain compromise, which then allowed the attackers to stay persistent for long periods of time, sometimes for months on end,” the Microsoft analysis says.
The Holmium group is also known as APT33, and researchers have tied the group to the Iranian government. The group has consistently targeted companies in the energy sector over the years, and has used a handful of custom tools in its intrusions. The password spraying attacks that Microsoft investigated specifically went after cloud identities, something that is more difficult to fix than a simple endpoint compromise, and some of the enterprises that were hit didn’t react to the intrusions right away.
“During these attacks, many target organizations reacted too late in the attack chain—when the malicious activities started manifesting on endpoints via the PowerShell commands and subsequent lateral movement behavior. The earlier attack stages like cloud events and password spray activities were oftentimes missed or sometimes not linked with activities observed on the endpoint. This resulted in gaps in visibility and, subsequently, incomplete remediation,” Microsoft’s analysis said.
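The gap Microsoft describes is a correlation gap: the cloud-stage events existed but were never joined to the endpoint-stage events. The script below is an added example (not from the article or from Microsoft) that links the two stages by user and time. It treats a successful sign-in from outside a user's usual countries as the cloud anomaly and PowerShell launched by Outlook as the endpoint symptom, then reports how much lead time the cloud signal would have given. Both record sets, the per-user country baseline and the 72-hour lookback are constructed assumptions.

```python
"""Link cloud sign-in anomalies to later endpoint activity for the same user.

Added example, not code from the original article. Cloud records mimic an
identity provider's sign-in export; endpoint records mimic process-creation
telemetry from an EDR. All sample data is constructed.
"""
from datetime import datetime, timedelta

# Constructed baseline: countries each user normally signs in from.
USER_BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}

# (timestamp, user, source_ip, country, result)
CLOUD_SIGNINS = [
    (datetime(2020, 6, 1, 8, 52), "alice", "198.51.100.4", "US", "SUCCESS"),
    (datetime(2020, 6, 1, 9, 6), "bob", "203.0.113.7", "NL", "SUCCESS"),   # first anomaly
    (datetime(2020, 6, 1, 14, 20), "bob", "203.0.113.7", "NL", "SUCCESS"),  # access re-validated
    (datetime(2020, 6, 2, 10, 0), "carol", "198.51.100.4", "US", "SUCCESS"),
]

# (timestamp, host, user, parent_image, image)
ENDPOINT_PROCESSES = [
    (datetime(2020, 6, 2, 11, 30), "WS-042", "bob", "outlook.exe", "powershell.exe"),
    (datetime(2020, 6, 2, 11, 35), "WS-017", "alice", "explorer.exe", "powershell.exe"),  # interactive admin use
    (datetime(2020, 6, 2, 12, 0), "WS-099", "carol", "outlook.exe", "powershell.exe"),
]


def anomalous_signins(signins, baseline):
    """Successful sign-ins from a country outside the user's baseline."""
    return [e for e in signins if e[4] == "SUCCESS" and e[3] not in baseline.get(e[1], set())]


def suspicious_endpoint_events(procs):
    """PowerShell spawned by Outlook: the endpoint symptom of the Home Page abuse."""
    return [e for e in procs if e[3].lower() == "outlook.exe" and e[4].lower() == "powershell.exe"]


def correlate(signins, procs, baseline, lookback=timedelta(hours=72)):
    """Return (linked, unlinked). Each linked entry pairs an endpoint event with
    the earliest cloud anomaly for the same user inside `lookback`, so an
    analyst sees both stages and the lead time the cloud signal offered.
    Unlinked entries are endpoint events with no matching cloud signal; they
    still need investigation, but the identity stage may have been missed."""
    cloud = anomalous_signins(signins, baseline)
    linked, unlinked = [], []
    for ts, host, user, _parent, _image in suspicious_endpoint_events(procs):
        prior = sorted(c[0] for c in cloud if c[1] == user and ts - lookback <= c[0] <= ts)
        if prior:
            linked.append({"user": user, "host": host, "endpoint_time": ts,
                           "first_cloud_anomaly": prior[0], "lead_time": ts - prior[0]})
        else:
            unlinked.append({"user": user, "host": host, "endpoint_time": ts})
    return linked, unlinked


if __name__ == "__main__":
    linked, unlinked = correlate(CLOUD_SIGNINS, ENDPOINT_PROCESSES, USER_BASELINE_COUNTRIES)
    for inc in linked:
        print(f"{inc['user']}@{inc['host']}: cloud anomaly {inc['lead_time']} before endpoint activity")
    for inc in unlinked:
        print(f"{inc['user']}@{inc['host']}: endpoint-only, no cloud signal in lookback")
```

Run on the sample, bob's endpoint event links back to a sign-in more than a day earlier, which is the window in which a password reset and MFA enforcement on the cloud identity would have cut the chain before any PowerShell ran. carol's event is reported separately as endpoint-only, which is the "incomplete remediation" case: cleaning the host without finding the identity compromise that preceded it.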