when the cyber threat extends beyond the boundaries of your network

Hybrid attacks continue to proliferate and disrupt organizations, as shown by the attack launched a few months ago by Mango Sandstorm and DEV-1084. But there are ways to stop them.

We must face the facts: the defense strategies deployed against cyber attacks generally do not work. Built on signatures, anomaly detection and rules designed to detect and prevent cybercriminal attacks, they have not prevented seven out of ten analysts worldwide from admitting today that their organization has been compromised. Should we hold these analysts responsible for this state of affairs and, through them, blame the organizations they work for? Certainly not. If we are where we are today, it is simply because attack surfaces are expanding much faster than the responsiveness of analysts and the technology at their disposal.

All companies have become hybrid… and that includes attacks!

We need to take stock of the changes that have taken place in our world. All companies have moved to hybrid and multi-cloud environments. For cybercriminals, this is a windfall: a new opportunity that they exploit by deploying methods that bypass the Maginot Lines erected by organizations. A growing share of modern attacks are therefore hybrid. Last year, the rate of cloud-based breaches was estimated at almost 50%. The key feature of a hybrid attack is that it can be triggered at any point in the infrastructure, exploiting vulnerabilities or compromised access across platforms, or deploying scalable cloud resources to magnify its impact.

The case of the Mango Sandstorm and DEV-1084 attack

This is the case of the hybrid attack launched by Mango Sandstorm and DEV-1084 (also tracked as Storm-1084) that was observed last year. Mango Sandstorm is a state actor with close ties to the Iranian government. Together with the Storm-1084 group, it has made hybrid attacks its modus operandi, targeting both the cloud and organizations’ internal services.

The attack unleashed by Mango Sandstorm and Storm-1084 in 2023 first manifested itself in one of the targeted organization’s data centers. The attackers managed to exploit a vulnerability on a server exposed to the Internet. They then took control of this server remotely through a C&C (command and control) infrastructure and performed discovery using native Microsoft tools. Next they began a series of lateral movements (relying on RPC, WMI, RDP, etc.) through compromised accounts. Using stolen credentials, they logged into the Azure AD Connect server and gained access to another highly privileged account. The attack was then able to continue within Entra ID and Azure: privileges were added to an existing application, account permissions were manipulated, and a privilege escalation allowed the attackers to become “Global Admin”, i.e. global administrators of the tenant, and to gain rights over Azure subscriptions.

Lessons for the future

Fortunately, the attack was thwarted. The large group targeted by Mango Sandstorm and Storm-1084 had a protection system that used artificial intelligence to detect any attack attempt as early as possible. This advanced technology made it possible to identify suspicious activity in the network and in the Entra ID environment, and to visualize lateral movements in record time. In this case, the attack took place in several phases over several months, which made it harder to detect but also allowed more time to respond.

This episode, which ended well, holds lessons for the future. Two points in particular should be kept in mind. First, to defend against hybrid attacks, which have become the norm, it is necessary to analyze all network traffic, user behavior and cloud environments in order to detect and prioritize threats across the hybrid environment. At the same time, suspicious post-exploitation behavior must be identified without relying on signatures, which are easily circumvented. All of this should be delivered as a clear, actionable signal that gives security teams a unified view of every suspicious machine and account.

It’s also important to understand that in modern hybrid attacks, identities are crucial. They are the glue between the different parts of a company and are therefore also very valuable to attackers, allowing them to move laterally and advance their campaigns. Detecting privilege abuse is key: this is another lesson learned from the Mango Sandstorm attack.
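The attack chain described above (lateral movement over RPC/WMI/RDP, a pivot through the Azure AD Connect server, then credential and role changes in Entra ID) and the two lessons drawn from it (behavior-based detection of post-exploitation activity, and detection of privilege abuse tied to identities) can be illustrated with a small correlation detector. The following is an added example written for this article, not code from the article, from Microsoft or from any vendor. All event records, field names, host names, accounts and the host-to-identity mapping are constructed for illustration; the cloud activity names loosely mirror Entra ID audit log entries but are not a real log format.

```python
"""Behavior-based correlation of on-prem lateral movement with cloud privilege abuse.

Added example for illustration only. Telemetry and field names are constructed;
they are not a real Windows or Entra ID log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed on-prem authentication events: one compromised account fans out
# from an Internet-facing host to several servers, ending on the AAD Connect box.
ONPREM_EVENTS = [
    {"ts": "2023-03-01T10:00:00", "account": "svc-backup", "src": "web-dmz-01", "dst": "fs-01", "proto": "RPC"},
    {"ts": "2023-03-01T10:04:00", "account": "svc-backup", "src": "web-dmz-01", "dst": "app-02", "proto": "WMI"},
    {"ts": "2023-03-01T10:09:00", "account": "svc-backup", "src": "web-dmz-01", "dst": "sql-01", "proto": "RDP"},
    {"ts": "2023-03-01T10:15:00", "account": "svc-backup", "src": "web-dmz-01", "dst": "aadconnect-01", "proto": "RDP"},
    {"ts": "2023-03-01T11:00:00", "account": "alice", "src": "wks-17", "dst": "fs-01", "proto": "RDP"},
]

# Constructed cloud audit events: the identity held on the AAD Connect server adds
# a credential to an existing application and assigns itself Global Administrator.
CLOUD_EVENTS = [
    {"ts": "2023-03-02T08:30:00", "actor": "sync_aadconnect@corp.example",
     "activity": "Add service principal credentials", "target": "LegacyReportingApp"},
    {"ts": "2023-03-02T08:45:00", "actor": "sync_aadconnect@corp.example",
     "activity": "Add member to role", "target": "Global Administrator"},
    {"ts": "2023-03-02T09:00:00", "actor": "alice@corp.example",
     "activity": "Update user", "target": "bob@corp.example"},
]

# Constructed asset inventory: which on-prem hosts hold a privileged cloud identity.
HOST_IDENTITIES = {"aadconnect-01": "sync_aadconnect@corp.example"}

LATERAL_PROTOS = {"RPC", "WMI", "RDP"}
FANOUT_THRESHOLD = 3            # distinct destination hosts within the window
WINDOW = timedelta(hours=1)
PRIVILEGE_ACTIVITIES = {"Add member to role", "Add service principal credentials"}
TIER0_ROLES = {"Global Administrator"}


def detect_lateral_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {account: sorted hosts} for accounts that authenticate to at least
    `threshold` distinct hosts over lateral-movement protocols within `window`.
    This is a behavioral rule: no signature of any particular tool is needed."""
    by_account = defaultdict(list)
    for e in events:
        if e["proto"] in LATERAL_PROTOS:
            by_account[e["account"]].append((datetime.fromisoformat(e["ts"]), e["dst"]))
    findings = {}
    for acct, hits in by_account.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                findings[acct] = sorted(hosts)
                break
    return findings


def detect_privilege_abuse(events):
    """Return {actor: [description]} for privilege-changing cloud operations,
    tagging assignments of tier-0 roles such as Global Administrator."""
    findings = defaultdict(list)
    for e in events:
        if e["activity"] in PRIVILEGE_ACTIVITIES:
            tag = f'{e["activity"]} -> {e["target"]}'
            if e["target"] in TIER0_ROLES:
                tag += " [tier-0]"
            findings[e["actor"]].append(tag)
    return dict(findings)


def correlate(onprem, cloud, host_identities):
    """Join on-prem fan-out with cloud privilege abuse through the hosts that hold
    cloud identities, producing one unified view of suspicious accounts and machines."""
    lateral = detect_lateral_fanout(onprem)
    privilege = detect_privilege_abuse(cloud)
    chains = []
    for acct, hosts in lateral.items():
        for host in hosts:
            ident = host_identities.get(host)
            if ident and ident in privilege:
                chains.append({"onprem_account": acct, "pivot_host": host,
                               "cloud_identity": ident, "hosts": hosts,
                               "cloud_actions": privilege[ident]})
    return {"lateral": lateral, "privilege": privilege, "hybrid_chains": chains}


if __name__ == "__main__":
    result = correlate(ONPREM_EVENTS, CLOUD_EVENTS, HOST_IDENTITIES)
    for chain in result["hybrid_chains"]:
        print(f'HYBRID CHAIN: {chain["onprem_account"]} reached {chain["hosts"]}, '
              f'pivoted via {chain["pivot_host"]} to {chain["cloud_identity"]}')
        for action in chain["cloud_actions"]:
            print("   cloud:", action)
```

The two detectors are independent: the fan-out rule alone would flag the on-prem account, and the privilege rule alone would flag the cloud identity. The correlation step is what turns two medium-confidence signals into a single high-priority finding, which is the "unified view" the article calls for. In a real deployment the host-to-identity inventory is the piece that requires the most upkeep, since the pivot through the Azure AD Connect server is only visible if the defender knows which hosts carry privileged cloud credentials.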
