Recently Microsoft has detected and blocked attacks on OneDrive from a group of hackers called POLONIUM who are operating from Lebanon.
While attacking and compromising Israelian organizations, they sought to exfiltrate data from the OneDrive and act as a command and control center.
More than 20 malicious OneDrive applications associated with POLONIUM’s attacks have also been suspended by Microsoft. Furthermore, through security intelligence updates, the targeted organizations were notified and the threat actors’ tools were quarantined.
More than 20 Israeli organizations as well as one intergovernmental agency have been targeted by POLONIUM or compromised within the past three months.
As the attacks continue, it has become clear that the attackers are mainly targeting Israel’s critical infrastructure types and here they are:-
- Manufacturing industries
- IT industries
- Defense industries
Additionally, the POLONIUM operators have likely coordinated with several Iran-linked threat actors to execute all these hacking attempts.
Microsoft has observed indications that Polonium hackers may have gained access to previously breached networks from Iran’s Ministry of Intelligence and Security (MOIS) operators in some of the attacks.
Malware strains and POLONIUM TTPs used
The IT giants have claimed that no vulnerabilities in the OneDrive platform were exploited by the threat actors.
Instead, they have used several malware strains in their attacks, and among them here below we have mentioned the popular and the most vulnerable ones:-
- Other PowerShell-based implants
While several updates became available to affected organizations this week, Microsoft announced that they would quarantine tools developed by POLONIUM operators as part of their security updates.
Here below we have mentioned all the TTPs used by POLONIUM:-
- Common unique victim targeting
- Evidence of possible “hand-off” operations
- Use of OneDrive for C2
- Use of AirVPN
It has been revealed that around 80% of the users were using vulnerable Fortinet appliances that are vulnerable to CVE-2018-13379 exploits.
By adopting the security considerations outlined below, it should be possible to mitigate the effects of the techniques used by the actor:-
- Always use the indicators of compromise.
- Make sure that Microsoft Defender Antivirus is updated to the most recent or latest version.
- Using the “Indicators of compromise” table, block traffic coming from IP addresses that are listed in this table.
- All authentication activity for VPNs (virtual private networks) must be reviewed.
- To mitigate the possibility of compromised credentials, multifactor authentication should be enabled.
- Ensure that your organization and upstream providers do not share unnecessary permissions.