According to the Microsoft Threat Protection Intelligence Team, the Holmium group created an efficient cloud-based attack. Microsoft describes the group as amongst the most sophisticated cloud bad actors it has observed. However, Microsoft Threat Protection intelligence Team also says attacks of all levels of sophistication are common: “Every day, we see attackers mount an offensive against target organizations through the cloud and various other attack vectors with the goal of finding the path of least resistance, quickly expanding foothold, and gaining control of valuable information and assets.” Holmium is also known as Elfin, ATP33, and StoneDrill and has been linked to the Iranian government. It is known for attacks on chemical and mining infrastructure, as well as defense and aerospace companies. Those targets suggest the group is sophisticated and Microsoft says these attacks have been swift and effective. Firstly, the group uses various methods to access target systems. Spear-phishing campaigns through emails are common, as well as using lists of oft-used passwords (password spraying) to crack accounts.
Attacks
In some recent cloud attacks, the group has used a tool called Ruler. This is a penetration testing software that can tap into compromised credentials from Exchange. Microsoft Threat Protection intelligence says attacks start with: “Intensive password spray against exposed Active Directory Federation Services (ADFS) infrastructure; organizations that were not using multi-factor authentication (MFA) for Office 365 accounts had a higher risk of having accounts compromised through password spray. After successfully identifying a few user and password combinations via password spray, HOLMIUM used virtual private network (VPN) services with IP addresses associated with multiple countries to validate that the compromised accounts also had access to Office 365.” Attacks were rolled out in less than a week and allowed “unhampered access and full domain compromise”, Microsoft said. With this access, bad actors could remain hidden on a network, sometimes for months. “The earlier attack stages like cloud events and password spray activities were oftentimes missed or sometimes not linked with activities observed on the endpoint. This resulted in gaps in visibility and, subsequently, incomplete remediation,” the researchers note.
