Iran-based threat actor MERCURY caught targeting hybrid environment


Devdiscourse News Desk | California | Updated: 09-04-2023 22:32 IST | Created: 09-04-2023 22:32 IST

Microsoft security researchers observed Iran-based threat actor MERCURY targeting both on-premises and cloud environments. According to the Microsoft Threat Intelligence team, the threat actor likely worked in partnership with another actor that the researchers track as DEV-1084 to carry out destructive actions.

"MERCURY likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage," Microsoft wrote in a blog post that details the company's analysis of the observed actor activity and related tools.

The researchers observed that MERCURY gained access to its targets through remote exploitation of an unpatched internet-facing device, after which it handed off access to DEV-1084. It is currently unclear whether the latter operates on its own, collaborates with other Iranian groups, or is a specialized subgroup of MERCURY that is activated only when instructed to carry out a destructive attack.

Notably, the threat actors were also observed destroying cloud resources.

"To move from on-premises to the cloud, the threat actors had to first compromise two privileged accounts and leverage them to manipulate the Azure Active Directory (Azure AD) Connect agent. Two weeks before the ransomware deployment, the threat actors first used a compromised, highly privileged account to access the device where the Azure Active Directory (Azure AD) Connect agent is installed," the tech giant said.

The blog post also details security measures to mitigate the techniques used by the actors.
