Polonium gang gets banned by Microsoft from abusing OneDrive

June 9, 2022

A Lebanon-based hacking group, tracked as Polonium, has been blocked by Microsoft from using the OneDrive cloud storage platform after the company found that the group was using it for data exfiltration and command-and-control (C2) in attacks on organizations in Israel.

Microsoft also suspended more than 20 malicious OneDrive applications created by the group, quarantined its tooling through security intelligence updates, and notified the affected organizations.


Microsoft's analysis links Polonium to several Iran-based groups and describes its targeting of Israeli organizations in sectors such as IT, manufacturing, and defence.


The association with Iranian actors extends to Iran's Ministry of Intelligence and Security (MOIS), an assessment based mainly on overlap in victims and on the attack tactics the groups share.

Microsoft considers this link plausible because it matches a pattern first observed in 2020, in which Iran's government outsources cyberattacks to third parties. In some Polonium intrusions the evidence also suggests that MOIS handed the group access to networks it had already breached.

Most of the Polonium attacks observed involved vulnerable Fortinet devices, in particular FortiOS SSL VPN appliances affected by CVE-2018-13379, a critical path traversal flaw in the SSL VPN web portal that lets an unauthenticated attacker read system files and, with them, VPN login credentials.

Polonium was in a position to abuse the Fortinet vulnerability after a separate threat actor leaked roughly 50,000 Fortinet VPN credentials in 2020, only days after a list of one-line exploits for CVE-2018-13379 had been posted online.

About a year after the first leak, another followed with approximately 500,000 Fortinet VPN credentials harvested from vulnerable devices. Because these credentials were stolen rather than guessed, patching the flaw alone does not invalidate them; affected devices also need password resets. In November last year, the US, the UK, and Australia warned that several exploitable Fortinet flaws were being abused by state-backed groups from Iran.

Microsoft has been continually probing and monitoring Polonium, including how it gains initial access to its victims. The company noted that at least 80% of the Polonium victims it observed were running Fortinet appliances.

While this has not yet been confirmed, Microsoft assesses that the group most likely gained initial access to victims' networks by exploiting CVE-2018-13379 on those Fortinet devices.
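As a detection-side illustration of the path traversal class described above, the following script scans web access logs for requests whose path or query parameters attempt to climb outside the web root. This is an added example, not code from the article, Microsoft or Fortinet; the log layout, endpoint and parameter names, and IP addresses in the sample lines are constructed for illustration and are not the appliance's real URLs. It decodes repeatedly so double-encoded `..` is caught, and it distinguishes a `..` that stays inside the root (not flagged) from one that escapes it.

```python
"""Flag HTTP requests that attempt directory traversal against a web endpoint.

Added example, not code from the original article, Microsoft or Fortinet.
The access-log layout, the endpoint and parameter names and the IP addresses
in SAMPLE_LOG are constructed for illustration only.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in a generic combined-log layout (not real appliance logs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2022:10:01:22 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 512
203.0.113.9 - - [10/Jun/2022:10:01:23 +0000] "GET /remote/lang?lang=/../../../..//////////etc/session.db HTTP/1.1" 200 8192
203.0.113.9 - - [10/Jun/2022:10:01:24 +0000] "GET /remote/lang?lang=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1024
198.51.100.4 - - [10/Jun/2022:10:02:01 +0000] "GET /static/css/../../login.css HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded '..' (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(path: str) -> bool:
    """True if resolving the '..' segments climbs above the web root ('/')."""
    depth = 0
    for segment in fully_decode(path).replace("\\", "/").split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def traversal_findings(target: str) -> list:
    """Return (where, decoded_value) pairs for traversal in the path or query."""
    parts = urlsplit(target)
    findings = []
    if escapes_root(parts.path):
        findings.append(("path", fully_decode(parts.path)))
    # A file or language selector should never name a parent directory at all,
    # so any '..' segment in a parameter value is reported, not just root escapes.
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw).replace("\\", "/")
        if ".." in value.split("/"):
            findings.append((key, value))
    return findings


def scan_log(text: str) -> list:
    """Return (client_ip, request_target, findings) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = traversal_findings(match.group("target"))
        if findings:
            hits.append((line.split(" ", 1)[0], match.group("target"), findings))
    return hits


if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {target} -> {findings}")
```

On the constructed sample, the two requests from 203.0.113.9 are reported and the `/static/css/../../login.css` request is not, because its `..` segments never leave the root. In a real deployment a successful traversal read is the signal that any credentials reachable from the device must be treated as compromised, regardless of whether the appliance has since been patched.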
