Iranian Mercury APT disguises destructive campaigns as ransomware attacks

The Iranian state-backed group known as Mercury has been observed carrying out destructive attacks on hybrid environments masquerading as a ransomware operation, a new report from Microsoft says.

According to Microsoft’s Threat Intelligence team, Mercury, which US cyber authorities have linked to Iran’s Ministry of Intelligence and Security (MOIS), has been working in tandem with another threat actor that Microsoft tracks as DEV-1084. DEV-1084 carried out the destructive actions after Mercury’s operators had gained access to the target environment.

Mercury is also tracked by security researchers under various names, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, MuddyWater, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix.

“Mercury likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage,” the report reads. “DEV-1084 was then later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients.”

At present it is unclear whether DEV-1084 operates independently or is a Mercury sub-group that is activated when Mercury’s operators are instructed to carry out a destructive attack.

To gain initial access to a target network, the group exploits known vulnerabilities in unpatched software, such as Log4Shell (CVE-2021-44228) in Log4j.

Once inside the network, the attackers deploy several tools and techniques to maintain persistence: installing web shells, adding a local user account and elevating it to local administrator, installing legitimate remote access tools such as RPort, Ligolo and eHorus, installing a customized PowerShell script backdoor, and stealing credentials.

Next, the threat actor performs reconnaissance using native Windows tools and commands such as netstat and nltest and moves deeper into the network using stolen credentials.

In the activity Microsoft detected, the attackers used highly privileged credentials and their access to domain controllers to prepare the on-premises destructive operation, namely large-scale encryption of targeted devices.

To move from on-premises to the cloud, the threat actor used two compromised privileged accounts to manipulate the Azure Active Directory (Azure AD) Connect agent and then leveraged the AADInternals tool to extract the plaintext credentials of a privileged Azure AD account.
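The three preceding paragraphs describe tradecraft that is visible in ordinary process-creation telemetry: native reconnaissance with netstat and nltest, a local account created and added to Administrators, and AADInternals run on the Azure AD Connect server. The following detection pass over such events is an added example, not code from the article or from Microsoft’s report. The event fields follow Windows Security event 4688, the host name SYNC01 (as the Azure AD Connect server) and all sample events are constructed, and the AADInternals cmdlet in one sample command line is there only as sample input; the detector matches on the module name and the AADInt noun prefix rather than on any one cmdlet.

```python
"""Flag Mercury/DEV-1084-style host activity in process-creation events.

Constructed example: field names follow Security event 4688, the host list
and the sample events are made up for the demonstration.
"""
import re
from dataclasses import dataclass

# Assumption: the defender knows which host(s) run Azure AD Connect.
AAD_CONNECT_HOSTS = {"SYNC01"}

RECON_BINARIES = {"netstat.exe", "nltest.exe"}
NET_BINARIES = {"net.exe", "net1.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# "net user <name> <password> /add" and "net localgroup administrators <name> /add"
NET_USER_ADD = re.compile(r"\buser\s+\S+\s+\S+\s+/add\b", re.I)
NET_LOCALGROUP_ADMIN_ADD = re.compile(r"\blocalgroup\s+administrators\s+\S+\s+/add\b", re.I)
# Module name or any cmdlet using AADInternals' "AADInt" noun prefix.
AADINTERNALS = re.compile(r"AADInternals|\b\w+-AADInt\w+", re.I)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str
    evidence: str


def image_name(path):
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Map one process-creation event to zero or more technique findings."""
    host, user = event["Computer"], event["SubjectUserName"]
    image = image_name(event["NewProcessName"])
    cmd = event.get("CommandLine", "")
    out = []
    if image in RECON_BINARIES:
        out.append(Finding(host, user, "recon", cmd))
    elif image in NET_BINARIES:
        if NET_USER_ADD.search(cmd):
            out.append(Finding(host, user, "persistence:local-account", cmd))
        if NET_LOCALGROUP_ADMIN_ADD.search(cmd):
            out.append(Finding(host, user, "privesc:local-admin", cmd))
    elif image in POWERSHELL and AADINTERNALS.search(cmd):
        # AADInternals on the sync server is the credential-extraction step;
        # anywhere else it is still worth a look but is a different signal.
        tag = ("credential-access:aad-connect" if host.upper() in AAD_CONNECT_HOSTS
               else "suspicious:aadinternals")
        out.append(Finding(host, user, tag, cmd))
    return out


def detect(events):
    findings = []
    for event in events:
        findings.extend(classify(event))
    return findings


def techniques_by_host(findings):
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.technique)
    return by_host


def escalate(findings):
    """Hosts where recon chained into persistence, plus any AAD Connect credential access."""
    hot = []
    for host, techs in techniques_by_host(findings).items():
        if "credential-access:aad-connect" in techs or (
                "recon" in techs and techs & {"persistence:local-account", "privesc:local-admin"}):
            hot.append(host)
    return sorted(hot)


# Constructed sample telemetry (4688-style fields).
SAMPLE_EVENTS = [
    {"Computer": "WS042", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\netstat.exe", "CommandLine": "netstat -ano"},
    {"Computer": "WS042", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\nltest.exe", "CommandLine": "nltest /dclist:corp"},
    {"Computer": "WS042", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 user svc_backup Passw0rd! /add"},
    {"Computer": "WS042", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\net1.exe",
     "CommandLine": "net1 localgroup administrators svc_backup /add"},
    {"Computer": "SYNC01", "SubjectUserName": "da_admin",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass Import-Module AADInternals; Get-AADIntSyncCredentials"},
    {"Computer": "FS01", "SubjectUserName": "backup",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:7} {f.user:9} {f.technique:30} {f.evidence}")
    print("escalate:", escalate(SAMPLE_EVENTS and found))
```

The chain logic matters more than the individual matches: netstat or nltest alone is everyday administration, but the same host showing recon followed by a new local administrator is the sequence the report describes, and any AADInternals execution on the Azure AD Connect server should page someone regardless of what else happened.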

Microsoft said that the breached admin account and compromised Azure AD Connector account were used to destroy the Azure environment, including server farms, virtual machines, storage accounts, and virtual networks. The researchers believe that the attacker’s goal was to cause data loss and a denial of service (DoS) of the target’s services.

