{"id":127091,"date":"2023-04-07T09:00:00","date_gmt":"2023-04-07T16:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=127091"},"modified":"2024-07-03T08:10:14","modified_gmt":"2024-07-03T15:10:14","slug":"mercury-and-dev-1084-destructive-attack-on-hybrid-environment","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/","title":{"rendered":"MERCURY and DEV-1084: Destructive attack on hybrid environment"},"content":{"rendered":"\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n\n<p><strong>April 2023 update<\/strong> \u2013 Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. <strong>MERCURY<\/strong> is now tracked as <strong>Mango Sandstorm<\/strong> and <strong>DEV-1084<\/strong> is now tracked as <strong>Storm-1084<\/strong>. <\/p>\n\n\n<p>To learn more about the new taxonomy represents the origin, unique traits, and impact of threat actors, to get complete mapping of threat actor names, read this blog: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/18\/microsoft-shifts-to-a-new-threat-actor-naming-taxonomy\/\"><strong>Microsoft shifts to a new threat actor naming taxonomy<\/strong><\/a>.<\/p>\n\n<\/blockquote>\n\n\n\n<p>Microsoft Threat Intelligence has detected destructive operations enabled by <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/08\/25\/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations\/\">MERCURY<\/a>, a nation-state actor linked to the Iranian government, that attacked both on-premises and cloud environments. While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation.<\/p>\n\n\n\n<p>Previous MERCURY attacks have been observed targeting on-premises environments, however, the impact in this case notably also included destruction of cloud resources. Microsoft assesses that MERCURY likely worked in partnership with another actor that Microsoft tracks as DEV-1084, who carried out the destructive actions after MERCURY\u2019s successful operations had gained access to the target environment.<\/p>\n\n\n\n<p>MERCURY likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage. DEV-1084 was then later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients.<\/p>\n\n\n\n<p>In this blog post, we detail our analysis of the observed actor activity and related tools. We also share information to the community and industry partners on ways to detect these attacks, including detection details of MERCURY and DEV-1084\u2019s tools in Microsoft 365 Defender, Microsoft Defender for Identity, Microsoft Defender for Cloud Applications, Microsoft Defender Antivirus, and Microsoft Defender for Endpoint. As with any observed nation-state actor activity, Microsoft has directly notified targeted or compromised customers, providing them with important information needed to secure their environments.<\/p>\n\n\n\n<p>Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing Microsoft to track it as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"who-is-dev-1084\">Who is DEV-1084? <em><\/em><\/h2>\n\n\n\n<p>Microsoft tracks the destructive actions documented in this blog post as DEV-1084. DEV-1084 likely worked in partnership with MERCURY\u2014an Iran-based actor that the US Cyber Command has publicly linked to <a href=\"https:\/\/www.cybercom.mil\/Media\/News\/Article\/2897570\/iranian-intel-cyber-suite-of-malware-uses-open-source-tools\/\">Iran\u2019s Ministry of Intelligence and Security (MOIS)<\/a>. DEV-1084 publicly adopted the DarkBit persona and presented itself as a criminal actor interested in extortion, likely as an attempt to obfuscate Iran\u2019s link to and strategic motivation for the attack.<\/p>\n\n\n\n<p>The link between the DEV-1084 cluster and MERCURY was established based on the following evidence:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DEV-1084 operators were observed sending threatening emails from 146.70.106[.]89, an IP address previously linked to MERCURY.<\/li>\n\n\n\n<li>DEV-1084 used MULLVAD VPN, the same VPN provider historically used by MERCURY.<\/li>\n\n\n\n<li>DEV-1084 used Rport and a customized version of Ligolo. MERCURY has also been observed using Rport and a similar version of Ligolo in previous attacks.<\/li>\n\n\n\n<li>DEV-1084 used the <em>vatacloud[.]com<\/em> domain for command and control (C2) during this incident. Microsoft assesses with high-confidence that the <em>vatacloud[.]com<\/em> domain is controlled by MERCURY operators.<\/li>\n<\/ul>\n\n\n\n<p>Microsoft assesses that MERCURY gains access to the targets through remote exploitation of an unpatched internet-facing device. MERCURY then handed off access to DEV-1084. It is not currently clear if DEV-1084 operates independently of MERCURY and works with other Iranian actors or if DEV-1084 is an \u2018effects based\u2019 sub-team of MERCURY that only surfaces when MERCURY operators are instructed to carry out a destructive attack.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"early-activities-related-attacker-tools-and-techniques\">Early activities, related attacker tools and techniques<\/h2>\n\n\n\n<p>Microsoft assesses with moderate confidence that the threat actors attempted several times and succeeded to perform initial intrusion leveraging exposed vulnerable applications, for example, <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/08\/25\/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations\/\">continuing to exploit Log4j 2 vulnerabilities in unpatched systems<\/a> in July 2022.<\/p>\n\n\n\n<p>After gaining access, the threat actors deploy several tools and leverage techniques to maintain persistence, which provide effective and continued access to compromised devices, such as the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Installing web shells<\/li>\n\n\n\n<li>Adding a local user account and elevating privileges to local administrator<\/li>\n\n\n\n<li>Installing legitimate remote access tools, such as <a href=\"https:\/\/rport.io\/\">RPort<\/a>, Ligolo and <a href=\"https:\/\/ehorus.com\/\">eHorus<\/a><\/li>\n\n\n\n<li>Installing a customized PowerShell script backdoor<\/li>\n\n\n\n<li>Stealing credentials<\/li>\n<\/ul>\n\n\n\n<p>Once the persistence is established, the threat actors perform extensive discovery leveraging common native Windows tools and commands such as <em>netstat<\/em> and <em>nltest<\/em>. Such reconnaissance activities were seen leveraged throughout the attack chain.<\/p>\n\n\n\n<p>The threat actors consistently perform extensive lateral movement actions using the acquired credentials within a targeted environment. These actions mainly involved:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Remote scheduled tasks to launch their customized PowerShell backdoor<\/li>\n\n\n\n<li>Windows Management Instrumentation (WMI) to launch commands on devices<\/li>\n\n\n\n<li>Remote services to run encoded PowerShell commands<\/li>\n<\/ul>\n\n\n\n<p>After infecting the new devices, the threat actors often installed the same persistence mechanisms as described above. Interestingly, after each main attack step, the actors did not always immediately continue their operations but would wait weeks and sometimes months before moving to the next step.<\/p>\n\n\n\n<p>For execution and communication, the threat actors leverage several C2 servers and sometimes deploy tunnelling tools, such as <a href=\"https:\/\/github.com\/nicocha30\/ligolo-ng\">Ligolo<\/a> and <a href=\"https:\/\/www.openssh.com\/\">OpenSSH<\/a>, commonly leveraged to stay under the radar of security teams and solutions.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"on-premises-destructive-impact\">On-premises destructive impact<\/h2>\n\n\n\n<p>In observed activity, the threat actors leveraged highly privileged credentials and access to domain controllers on on-premises destructive operations to prepare for large-scale encryption of targeted devices.<\/p>\n\n\n\n<p>To do so, they first interfered with security tools using Group Policy Objects (GPO). With defenses impaired, the threat actors proceeded to stage the ransomware payload in the NETLOGON shares on several domain controllers.<\/p>\n\n\n\n<p>GPO was leveraged again to register a scheduled task used to launch the ransomware payload. Finally, the ransomware payload encrypted files found on the file system of the targeted devices by changing the file name extension to <em>DARKBIT<\/em> and dropped ransom notes.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"604\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-1.-Attack-diagram-1-1024x604.png\" alt=\"Attack flow of the threat actor through initial access, execution, discovery, persistence, credential access, lateral movement, execution, impact, and communications stages.\" class=\"wp-image-127103\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-1.-Attack-diagram-1-1024x604.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-1.-Attack-diagram-1-300x177.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-1.-Attack-diagram-1-768x453.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-1.-Attack-diagram-1-1536x906.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-1.-Attack-diagram-1-2048x1207.png 2048w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-1.-Attack-diagram-1-440x260.png 440w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 1. On-premises attack flow<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"moving-from-on-premises-to-cloud\">Moving from on-premises to cloud<\/h2>\n\n\n\n<p>To move from on-premises to the cloud, the threat actors had to first compromise two privileged accounts and leverage them to manipulate the Azure Active Directory (Azure AD) Connect agent. Two weeks before the ransomware deployment, the threat actors first used a compromised, highly privileged account to access the device where the Azure&nbsp;Active&nbsp;Directory (Azure AD) Connect agent is installed. We assess with high confidence that the threat actors then used the AADInternals tool to extract the plaintext credentials of a privileged Azure AD account. The threat actors then used these credentials to pivot from the on-premises environment to the Azure AD environment.<\/p>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/hybrid\/whatis-azure-ad-connect\">Azure AD Connect<\/a> is an on-premises application for managing hybrid identities through features like <a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/hybrid\/whatis-phs\">password hash synchronization<\/a>, <a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/hybrid\/how-to-connect-pta\">pass-through authentication<\/a>, <a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/hybrid\/how-to-connect-sync-whatis\">objects synchronization<\/a>, and others. As part of the express settings installation process, multiple accounts are created both in the on-premises (Windows Server Active Directory) and cloud (Azure AD) environments. The first account is the AD DS Connector Account. The account name is prefixed with <em>MSOL_<\/em> and it is created with a long complex password.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"43\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-2-1024x43.png\" alt=\"AD DS Connector account example\" class=\"wp-image-127093\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-2-1024x43.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-2-300x12.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-2-768x32.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-2-1536x64.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-2-2048x85.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 2. Example of AD DS Connector account<\/figcaption><\/figure>\n\n\n\n<p>This account\u2019s permissions are set based on features enabled during the service\u2019s installation, but in most common scenarios, the account has permissions to replicate directory changes, modify passwords, modify users, modify groups, and so on (see all the permissions <a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/hybrid\/reference-connect-accounts-permissions#create-the-ad-ds-connector-account\">here<\/a>). In addition, during installation, an Azure AD account called the Azure AD Connector Account is also created. This account is used by the synchronization service to manage Azure AD objects. The account is created with a long complex password as well, and by default (if using the express settings) prefixed with <em>Sync_[ServerName]<\/em>. This user is assigned with the Directory Synchronization Accounts role (see detailed permissions of this role <a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/roles\/permissions-reference#directory-synchronization-accounts\">here<\/a>). In older versions, this account might be assigned with the Global Administrator role.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"57\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-3-1024x57.png\" alt=\"Azure AD Connector account example\" class=\"wp-image-127094\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-3-1024x57.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-3-300x17.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-3-768x43.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-3-1536x85.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-3-2048x113.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 3. Example of an Azure AD Connector account<\/figcaption><\/figure>\n\n\n\n<p>There are other entities detailed <a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/hybrid\/reference-connect-accounts-permissions\">here<\/a> that are created but are less relevant to this topic.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"extracting-credentials\">Extracting credentials<\/h3>\n\n\n\n<p>Two weeks before the ransomware deployment, the threat actors were observed using compromised credentials to access the Azure AD Connect device. Next, they set up an SSH tunnel to an attacker-controlled device. On a separate attacker-controlled compromised device, evidence indicates cloning of the AADInternals tool. One of the functions available in this tool\u2019s library is <a href=\"https:\/\/github.com\/Gerenios\/AADInternals\/blob\/master\/AADSyncSettings.ps1#L97\"><em>Get-AADIntSyncCredentials<\/em><\/a>, which allows any local administrator on a device where Azure AD Connect is installed to extract the plaintext credentials of both the Azure AD Connector account and the AD DS Connector account.<\/p>\n\n\n\n<p>Shortly before the ransomware deployment, we observed authentication from a known attacker IP address into the Azure AD Connector cloud account. Investigating this sign-in showed that the threat actors were able to access the account on the first attempt without any guessing or modification of the password, indicating that the actors possessed the password for this account. The Azure AD Connector account is configured with single-factor authentication, making it easier for the attacker to gain entry and elevate privileges.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"cloud-destructive-impact\">Cloud destructive impact<\/h2>\n\n\n\n<p>On the day of the ransomware attack, the threat actors executed multiple actions in the cloud using two privileged accounts. The first account was the compromised Azure AD Connector account, which had Global Administrator permissions as it was set up for an old solution (DirSync). For the second account, which also had Global Administrator permissions, the threat actors leveraged RDP for access into the account. Even though this account had MFA in place, the threat actors accessed it through RDP, which is an open session that evades MFA blocking their activities.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"310\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-4.-Cloud-pivot-diagram-1024x310.png\" alt=\"Diagram depicting how an attacker moves through the targeted devices, leverages an attacker-controlled device to extract passwords, access the admin and Azure AD Connector accounts to impersonate emails, dump emails using Exchange Web Server API, and mass delete Azure resources.\" class=\"wp-image-127095\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-4.-Cloud-pivot-diagram-1024x310.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-4.-Cloud-pivot-diagram-300x91.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-4.-Cloud-pivot-diagram-768x233.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-4.-Cloud-pivot-diagram-1536x465.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-4.-Cloud-pivot-diagram-2048x620.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 4. Pivoting to the cloud<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"mass-azure-resource-deletion\">Mass Azure resource deletion<\/h3>\n\n\n\n<p>On the same day, a successful sign-in to the Microsoft Azure environment was observed. The threat actors claimed the Global Administrator permission through <a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/privileged-identity-management\/pim-configure\">Azure Privileged Identity Management (PIM)<\/a> and <a href=\"https:\/\/learn.microsoft.com\/azure\/role-based-access-control\/elevate-access-global-admin\">elevated<\/a> access to get permissions to the target\u2019s management groups and Azure subscriptions. The Azure AD Connector account and the compromised administrator account were then used to perform significant destruction of the Azure environment\u2014deleting within a few hours server farms, virtual machines, storage accounts, and virtual networks. We assess that the attacker\u2019s goal was to cause data loss and a denial of service (DoS) of the target\u2019s services.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"exchange-web-server-api-abuse\">Exchange Web Server API abuse<\/h3>\n\n\n\n<p>The actors went on to provide an existing legitimate OAuth application with both the <em>full_access_as_app<\/em> permission and administrator consent, which granted the threat actors full access to mailboxes through Exchange Web Services.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"595\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-5-1024x595.png\" alt=\"Screenshot of full_access_as_app permission being added to the legitimate OAuth app.\" class=\"wp-image-127096\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-5-1024x595.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-5-300x174.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-5-768x446.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-5.png 1166w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 5. Adding access permission to the existing application<\/figcaption><\/figure>\n\n\n\n<p>With the obtained cloud administrator privileges, the threat actors updated the OAuth application with certificates to conduct malicious activities. &nbsp;These newly added credentials could then be used to issue access tokens and authenticate on behalf of the application to access cloud resources.<\/p>\n\n\n\n<p>We then observed the threat actors using this application\u2019s permissions to perform <a href=\"https:\/\/learn.microsoft.com\/exchange\/client-developer\/web-service-reference\/getitem-operation-email-message\"><em>GetItem<\/em><\/a> operations over many mailboxes in the target environment. They also performed thousands of search activities, which we suspect were attempts to dump mailboxes and\/or search for sensitive data in them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"email-impersonation\">Email impersonation<\/h3>\n\n\n\n<p>The threat actors used the compromised administrator account to grant SMTP <em>Send on behalf<\/em> permissions to the Azure AD Connector account over a high-ranking employee\u2019s mailbox, using the <em>Set-Mailbox<\/em> PowerShell cmdlet.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"984\" height=\"1024\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-6.-Threat-actors-granting-access-to-send-emails-on-behalf-of-the-targets-account-1-984x1024.png\" alt=\"Access granted to send emails on behalf of the target's account\" class=\"wp-image-127393\" style=\"width:492px;height:512px\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-6.-Threat-actors-granting-access-to-send-emails-on-behalf-of-the-targets-account-1-984x1024.png 984w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-6.-Threat-actors-granting-access-to-send-emails-on-behalf-of-the-targets-account-1-288x300.png 288w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-6.-Threat-actors-granting-access-to-send-emails-on-behalf-of-the-targets-account-1-768x799.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-6.-Threat-actors-granting-access-to-send-emails-on-behalf-of-the-targets-account-1-1476x1536.png 1476w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-6.-Threat-actors-granting-access-to-send-emails-on-behalf-of-the-targets-account-1.png 1701w\" sizes=\"auto, (max-width: 984px) 100vw, 984px\" \/><figcaption class=\"wp-element-caption\">Figure 6. Threat actors granting access to send emails on behalf of the target\u2019s account<\/figcaption><\/figure>\n\n\n\n<p>Emails were then created and sent both internally and externally.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"522\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-7.-Threat-actors-successfully-sent-email-through-the-targeted-account-1-1024x522.png\" alt=\"Email successfully sent through the targeted account\" class=\"wp-image-127394\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-7.-Threat-actors-successfully-sent-email-through-the-targeted-account-1-1024x522.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-7.-Threat-actors-successfully-sent-email-through-the-targeted-account-1-300x153.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-7.-Threat-actors-successfully-sent-email-through-the-targeted-account-1-768x391.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-7.-Threat-actors-successfully-sent-email-through-the-targeted-account-1-1536x783.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-7.-Threat-actors-successfully-sent-email-through-the-targeted-account-1-2048x1043.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 7. Threat actors successfully sent email through the targeted account<\/figcaption><\/figure>\n\n\n\n<p>The timeline below summarizes the sequence of events:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"169\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-9.-Cloud-timeline-1-1024x169.png\" alt=\"Attack flow timeline of the threat actors' actions in the cloud environment\" class=\"wp-image-127106\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-9.-Cloud-timeline-1-1024x169.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-9.-Cloud-timeline-1-300x50.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-9.-Cloud-timeline-1-768x127.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-9.-Cloud-timeline-1-1536x254.png 1536w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Figure-9.-Cloud-timeline-1-2048x338.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Figure 8. Cloud attack flow timeline<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"mitigations-for-destructive-attacks\">Mitigations for destructive attacks<\/h2>\n\n\n\n<p>The techniques used by the actors and described in this blog can be mitigated by adopting the following security measures:&nbsp;<\/p>\n\n\n\n<p><strong>Recommendations to secure your on-prem environment<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Refer to Microsoft\u2019s blog&nbsp;<a href=\"https:\/\/www.microsoft.com\/security\/blog\/2022\/05\/09\/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself\/#defending-against-ransomware\">Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself<\/a>&nbsp;for recommendations on building strong credential hygiene and other robust measures to defend against ransomware and human operated attacks.<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/prevent-changes-to-security-settings-with-tamper-protection?view=o365-worldwide\">Enable tamper protection<\/a> \u2013 Tamper protection is a feature in Microsoft Defender for Endpoint that prevents antivirus tampering and misconfiguration by malicious apps and actors. Customers running Intune can <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/manage-tamper-protection-intune?view=o365-worldwide#tamper-protection-for-antivirus-exclusions\">enable DisableLocalAdminMerge to prevent modification of antivirus exclusions via GPO<\/a>.<\/li>\n<\/ul>\n\n\n\n<p><strong>Recommendations to secure your Azure AD environment<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/conditional-access\/overview\">Enable Conditional Access policies<\/a> \u2013 Conditional Access policies are evaluated and enforced every time the user attempts to sign in. Organizations can protect themselves from attacks that leverage stolen credentials by enabling policies such as device compliance or trusted IP address requirements.<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/conditional-access\/concept-continuous-access-evaluation\">Enable continuous access evaluation<\/a> \u2013 Continuous access evaluation (CAE) revokes access in real time when changes in user conditions trigger risks, such as when a user is terminated or moves to an untrusted location.<\/li>\n\n\n\n<li>Search unified audit logs for the <em>SendAs<\/em> operation to identify and track emails sent on behalf of a user mailbox.<\/li>\n\n\n\n<li>Further steps and recommendation to manage, design, and secure your Azure AD environment can be found by referring to <a href=\"https:\/\/learn.microsoft.com\/azure\/security\/fundamentals\/identity-management-best-practices\">Azure Identity Management and access control security best practices<\/a>.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"detections\">Detections<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-365-defender\">Microsoft 365 Defender<\/h3>\n\n\n\n<p>The following alerts in <a href=\"https:\/\/www.microsoft.com\/security\/business\/threat-protection\/microsoft-365-defender\">Microsoft 365 Defender<\/a> can be used to detect suspicious operations in Azure related to the attacker activities described in this blog, including destructive activity:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access elevation by risky user<\/li>\n\n\n\n<li>Suspicious Azure resource deletions<\/li>\n\n\n\n<li>Suspicious Addition of an Exchange related App Role<\/li>\n<\/ul>\n\n\n\n<p>In addition, the following alert can help detect compromised Azure AD Connect accounts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unusual activities by Azure AD Connect sync account<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-cloud-apps\">Microsoft Defender for Cloud Apps<\/h3>\n\n\n\n<p>For Microsoft Defender for Cloud Apps with <a href=\"https:\/\/learn.microsoft.com\/defender-cloud-apps\/connect-azure\">Azure Connector<\/a> enabled, the following alerts can be used to detect destructive operations in Azure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multiple storage deletion activities<\/li>\n\n\n\n<li>Multiple delete VM activities<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"azure-ad-identity-protection\">Azure AD Identity Protection<\/h3>\n\n\n\n<p>Monitor medium and high severity alerts for highly privileged accounts as they can indicate malicious activity. For example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unfamiliar sign-in properties<\/li>\n<\/ul>\n\n\n\n<p>Find details of Azure AD Identity Protection alerts <a href=\"https:\/\/learn.microsoft.com\/azure\/active-directory\/identity-protection\/concept-identity-protection-risks#premium-detections\">here<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-identity\">Microsoft Defender for Identity<\/h3>\n\n\n\n<p>The following Microsoft Defender for Identity alerts can indicate associated threat activity:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Suspicious additions to sensitive groups<\/li>\n<\/ul>\n\n\n\n<p>For relevant accounts with Honeytoken configured, the following alert can indicate malicious activity:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Honeytoken activity<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-antivirus\">Microsoft Defender Antivirus<\/h3>\n\n\n\n<p>Microsoft Defender Antivirus detects attempted exploitation and post-exploitation activity and payloads. Turn on cloud-delivered protection to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block most new and unknown threats. Refer to the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/12\/11\/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation\/#AV\">list of detection names<\/a> related to exploitation of Log4j 2 vulnerabilities. Detections for the IOCs listed above are listed below:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Backdoor:PHP\/Remoteshell.V<\/li>\n\n\n\n<li>HackTool:Win32\/LSADump<\/li>\n\n\n\n<li>VirTool:Win32\/RemoteExec<\/li>\n\n\n\n<li>Trojan:PowerShell\/Downloader.SB<\/li>\n\n\n\n<li>Trojan:Win32\/Nibtse.G!tsk<\/li>\n\n\n\n<li>Backdoor:ASP\/Shellman.SA<\/li>\n\n\n\n<li>Ransom:Win64\/DarkBit<\/li>\n\n\n\n<li>VirTool:Win32\/AtExecCommand<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-for-endpoint\">Microsoft Defender for Endpoint<\/h3>\n\n\n\n<p>Microsoft Defender for Endpoint alerts with the following titles can indicate possible presence of the indicators of compromise listed below.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Mercury actor activity detected<\/li>\n\n\n\n<li>Ransomware-linked emerging threat actor DEV-1084 detected<\/li>\n<\/ul>\n\n\n\n<p><strong>Reducing the attack surface<\/strong><\/p>\n\n\n\n<p>Microsoft Defender for Endpoint customers can turn on the following attack surface reduction rule to block or audit some observed activity associated with this threat:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Block executable files from running unless they meet a prevalence, age, or trusted list criterion.<\/li>\n\n\n\n<li>Implement <a href=\"https:\/\/support.microsoft.com\/topic\/ransomware-protection-in-windows-security-445039d6-537a-488a-ad53-48906f346363\">controlled folder access<\/a> and add folders to the protected folders list to help prevent files from being altered or encrypted by ransomware. Set controlled folder access to <a href=\"https:\/\/learn.microsoft.com\/microsoft-365\/security\/defender-endpoint\/enable-controlled-folders?view=o365-worldwide\">Enabled<\/a>.<\/li>\n<\/ul>\n\n\n\n<p><strong>Detecting Log4j 2 exploitation<\/strong><\/p>\n\n\n\n<p>Alerts that indicate threat activity related to the exploitation of the Log4j 2 exploitation should be immediately investigated and remediated. Refer to our Log4j related blogs to learn about this vulnerability and for a list of <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/12\/11\/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation\/#MDE\">Microsoft Defender for Endpoint alerts<\/a> that can indicate exploitation and exploitation attempts.<\/p>\n\n\n\n<p><strong>Detecting post-exploitation activity<\/strong><\/p>\n\n\n\n<p>Alerts with the following titles may indicate post-exploitation threat activity related to MERCURY activity described in this blog and should be immediately investigated and remediated. These alerts are supported on both Windows and Linux platforms:<\/p>\n\n\n\n<p>Any alert title related to web shell threats, for example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8216;WebShell&#8217; backdoor was prevented on an IIS Web server<\/li>\n<\/ul>\n\n\n\n<p>Any alert title that mentions the DarkBit ransomware threat or DEV-1084, for example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8216;DarkBit\u2019 ransomware was blocked<\/li>\n\n\n\n<li>&#8216;DarkBit\u2019 ransomware was detected<\/li>\n\n\n\n<li>&#8216;DarkBit\u2019 ransomware was prevented<\/li>\n\n\n\n<li>Ransomware-linked emerging threat actor DEV-1084 detected<\/li>\n<\/ul>\n\n\n\n<p>Any alert title that mentions suspicious scheduled task creation or execution, for example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Suspicious scheduled task<\/li>\n<\/ul>\n\n\n\n<p>Any alert title that mentions suspected tunneling activity, for example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Suspicious SSH tunneling activity<\/li>\n<\/ul>\n\n\n\n<p>Any alert title that mentions suspected tampering activity, for example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Suspicious Microsoft Defender Antivirus exclusion<\/li>\n\n\n\n<li>Microsoft Defender Antivirus tampering<\/li>\n<\/ul>\n\n\n\n<p>Any alert title that mentions PowerShell, for example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Suspicious process executed PowerShell command<\/li>\n\n\n\n<li>A malicious PowerShell Cmdlet was invoked on the machine<\/li>\n\n\n\n<li>Suspicious PowerShell command line<\/li>\n\n\n\n<li>Suspicious PowerShell download or encoded command execution<\/li>\n\n\n\n<li>Suspicious remote PowerShell execution<\/li>\n<\/ul>\n\n\n\n<p>Any alert title related to suspicious remote activity, for example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Suspicious RDP session<\/li>\n\n\n\n<li>An active &#8216;RemoteExec&#8217; malware was blocked<\/li>\n\n\n\n<li>Suspicious service registration<\/li>\n<\/ul>\n\n\n\n<p>Any alert related to persistence:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Anomaly detected in ASEP registry<\/li>\n\n\n\n<li>User account created under suspicious circumstances<\/li>\n<\/ul>\n\n\n\n<p>Any alert title that mentions credential dumping activity or tools, for example:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Malicious credential theft tool execution detected<\/li>\n\n\n\n<li>Credential dumping activity observed<\/li>\n\n\n\n<li>Mimikatz credential theft tool<\/li>\n\n\n\n<li>&#8216;DumpLsass&#8217; malware was blocked on a Microsoft SQL server<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-vulnerability-management\">Microsoft Defender Vulnerability Management<\/h3>\n\n\n\n<p>In addition to the mitigations above being presented and managed through Microsoft Defender Vulnerability Management, Microsoft 365 Defender customers can use threat and vulnerability management to identify and remediate devices that are vulnerable to Log4j 2 exploitation. More comprehensive guidance on this capability can be found on this blog: <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/12\/11\/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation\/#TVM-discovery\">Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"advanced-hunting-queries\">Advanced hunting queries <em><\/em><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-365-defender\">Microsoft 365 Defender<\/h3>\n\n\n\n<p>To locate related activity,&nbsp;Microsoft 365&nbsp;Defender customers can run the following advanced hunting queries:<\/p>\n\n\n\n<p>\/\/ Advanced Hunting Query to surface potential Mercury PowerShell script backdoor installation<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">DeviceFileEvents\n| where InitiatingProcessFileName =~ \"powershell.exe\"\n| where FolderPath in~ (@\"c:\\programdata\\db.ps1\", @\"c:\\programdata\\db.sqlite\")\n| summarize min(Timestamp), max(Timestamp) by DeviceId, SHA256, InitiatingProcessParentFileName\n\nDeviceProcessEvents\n| where InitiatingProcessFileName =~ \"powershell.exe\"\n| where InitiatingProcessCommandLine has_cs \"-EP BYPASS -NoP -W h\"\n| summarize makeset(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId\n<\/pre>\n\n\n\n<p>\/\/ Advanced Hunting Query to surface potential Mercury PowerShell script backdoor initiating commands<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">DeviceProcessEvents\n| where InitiatingProcessFileName =~ \"powershell.exe\"\n| where InitiatingProcessCommandLine contains_cs @\"c:\\programdata\\db.ps1\"\n| summarize makeset(ProcessCommandLine), min(Timestamp), max(Timestamp) by DeviceId\n<\/pre>\n\n\n\n<p>\/\/Advanced Hunting Query for Azure resource deletion activity<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">let PrivEscalation = CloudAppEvents \n| where Application == \"Microsoft Azure\"\n| where ActionType == \"ElevateAccess Microsoft.Authorization\"\n| where ActivityObjects has \"Azure Subscription\" and ActivityObjects has \"Azure Resource Group\"\n| extend PrivEscalationTime = Timestamp\n| project AccountObjectId, PrivEscalationTime ,ActionType;\nCloudAppEvents\n| join kind = inner PrivEscalation on AccountObjectId\n| extend DeletionTime = Timestamp\n| where (DeletionTime - PrivEscalationTime) &lt;= 1h\n| where Application == \"Microsoft Azure\"\n| where ActionType has \"Delete\"\n|summarize min(DeletionTime), TotalResourcersDeleted =count(), CountOfDistinctResources= dcount(ActionType), DistinctResources=make_set(ActionType) by AccountObjectId\n<\/pre>\n\n\n\n<p>\/\/AHQ used to detect attacker abusing OAuth application during the attack<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">CloudAppEvents\n    | where Application == \"Office 365\"\n    | where ActionType == \"Consent to application.\"\n    | where RawEventData.ResultStatus =~ \"success\"\n    | extend UserId = tostring(RawEventData.UserId)\n    | mv-expand AdminConsent = RawEventData.ModifiedProperties \n    | where AdminConsent.Name == \"ConsentContext.IsAdminConsent\" and AdminConsent.NewValue == \"True\"\n    | project ConsentTimestamp =Timestamp, UserId, AccountObjectId, ReportId, ActionType\n    | join kind = leftouter (CloudAppEvents  \n        | where Application == \"Office 365\"      \n        | where ActionType == \"Add app role assignment to service principal.\"   \n        | extend PermissionAddedTo = tostring(RawEventData.Target[3].ID)\n        | extend FullAccessPermission = RawEventData.ModifiedProperties \n        | extend OuthAppName = tostring(FullAccessPermission[6].NewValue) \/\/ Find app name\n        | extend OAuthApplicationId = tostring(FullAccessPermission[7].NewValue) \/\/ Find appId\n        | extend AppRoleValue = tostring(FullAccessPermission[1].NewValue) \/\/ Permission Level\n        | where AppRoleValue == \"full_access_as_app\"\n        | project PermissionTime=Timestamp, InitiatingUser=AccountDisplayName, OuthAppName, OAuthApplicationId, AppRoleValue, AccountObjectId, FullAccessPermission\n    ) on AccountObjectId\n<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-sentinel\">Microsoft Sentinel<\/h3>\n\n\n\n<p>Microsoft Sentinel has a range of detection and threat hunting content that customers can use to detect the post exploitation activity detailed in this blog in addition to Microsoft Defender detections list above.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/Azure%20Active%20Directory\/Analytic%20Rules\/ExchangeFullAccessGrantedToApp.yaml\">full_access_as_app Granted To Application<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Hunting%20Queries\/MultipleDataSources\/PotentialSSHTunneltoAADConnectHost.yaml\">Potential SSH Tunnel to AAD Connect Host<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/BehaviorAnalytics\/SuspiciousSigninByAADConnectAccount.yaml\">Suspicious Sign In by AAD Connect Sync Account<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/W3CIISLog\/MaliciousAlertLinkedWebRequests.yaml\">Malicious web application requests linked with Microsoft Defender for Endpoint<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Hunting%20Queries\/W3CIISLog\/WebShellActivity.yaml\">Web Shell Activity<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Hunting%20Queries\/MultipleDataSources\/TrackingPrivAccounts.yaml\">Tracking Privileged Account Rare Activity<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/Azure%20Activity\/Analytic%20Rules\/TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml\">Mass Cloud resource deletions Time Series Anomaly<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Hunting%20Queries\/AuditLogs\/ConsentToApplicationDiscovery.yaml\">Consent to Application discovery<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Hunting%20Queries\/AuditLogs\/AppRequiredResourceAccessUpdate.yaml\">OAuth Application Required Resource Access Update<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/Azure%20Active%20Directory\/Analytic%20Rules\/RareApplicationConsent.yaml\">Rare application consent<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/Azure%20Active%20Directory\/Analytic%20Rules\/CredentialAddedAfterAdminConsent.yaml\">Credential added after admin consented to Application<\/a><a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Solutions\/Azure%20Active%20Directory\/Analytic%20Rules\/NewAppOrServicePrincipalCredential.yaml\">New access credential added to Application or Service Principal<\/a><\/li>\n<\/ul>\n\n\n\n<p>Microsoft Sentinel customers can use the TI Mapping analytic (a series of analytics all prefixed with \u201cTI map\u201d) to automatically match the indicators mentioned in this blog post with data in their workspace. If the TI Map analytics are not currently deployed, customers can install the Threat Intelligence solution from the Microsoft Sentinel Content Hub to have the analytics rule deployed in their Sentinel workspace. More details on the Content Hub can be found here:&nbsp; <a href=\"https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy\">https:\/\/learn.microsoft.com\/azure\/sentinel\/sentinel-solutions-deploy<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise-iocs\">Indicators of compromise (IOCs)<\/h2>\n\n\n\n<p>The below list provides IOCs observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><strong>Indicator<\/strong><\/td><td><strong>Type<\/strong><\/td><td><strong>Description<\/strong><\/td><\/tr><tr><td>9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff<\/td><td>DEV-1084 ransom payload<\/td><td>8thCurse.exe<\/td><\/tr><tr><td>80bd00c0f6d5e39b542ee6e9b67b1eef97b2dbc6ec6cae87bf5148f1cf18c260<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>8dd9773c24703e803903e7a5faa088c2df9a4b509549e768f29276ef86ef96ae<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>486eb80171c086f4d184423ed7e79303ad7276834e5e5529b199f8ae5fc661f2<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>f1edff0fb16a64ac5a2ce64579d0d76920c37a0fd183d4c19219ca990f50effc<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>887ae654d69ac5ccb8835e565a449d7716d6c4747dc2fbff1f59f11723244202<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>3fba459d589cd513d2478fb4ae7c4efd6aa09e62bc3ff249a19f9a233e922061<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>0dde13e3cd2dcda522eeb565b6374c97b3ed4aa6b8ed9ff9b6224ea97bf2a584<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>afd16b9ad57eb9c26c8ae347c379c8e2b82361c7bdff5b189659674d5614854c<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>3e59d36faf2d5e6edf1d881e2043a46055c63b7c68cc08d44cc7fc1b364157eb<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>786bd97172ec0cef88f6ea08e3cb482fd15cf28ab22d37792e3a86fa3c27c975<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>36c71ce7cd38733eb66f32a8c56acd635680197f01585c5a2a846cc3cb0a8fe2<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>016967de76382c674b3a1cb912eb85ff642b2ebfe4e107fc576065f172c6ef80<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>3059844c102595172bb7f644c9a70d77a198a11f1e84539792408b1f19954e18<\/td><td>DEV-1084 batch script<\/td><td><\/td><\/tr><tr><td>194.61.121[.]86<\/td><td>Command and control<\/td><td><\/td><\/tr><tr><td>hxxps:\/\/pairing[.]rport[.]io\/qMLc2Wx<\/td><td>Download Rport software from it<\/td><td><\/td><\/tr><tr><td>141.95.22[.]153<\/td><td>Command and control<\/td><td><\/td><\/tr><tr><td>193.200[.]16.3<\/td><td>Command and control<\/td><td><\/td><\/tr><tr><td>192.52.166[.]191<\/td><td>Command and control<\/td><td><\/td><\/tr><tr><td>45.56.162[.]111<\/td><td>Command and control<\/td><td><\/td><\/tr><tr><td>104.194.222[.]219<\/td><td>Command and control<\/td><td><\/td><\/tr><tr><td>192.169.6[.]88<\/td><td>Command and control<\/td><td><\/td><\/tr><tr><td>192.52.167[.]209<\/td><td>Command and control<\/td><td><\/td><\/tr><tr><td>webstore4tech[.]uaenorth.cloudapp.azure[.]com<\/td><td>Command and control<\/td><td><\/td><\/tr><tr><td>vatacloud[.]com<\/td><td>Actor-owned Rport domain<\/td><td><\/td><\/tr><tr><td>146.70.106[.]89<\/td><td>DEV-1084 operators were observed sending threatening emails to the victim after the attack from 146.70.106[.]89, an IP address previously linked to MERCURY<\/td><td><\/td><\/tr><tr><td>b9cf785b81778e2b805752c7b839737416e3af54f64f1e40e008142e382df0c4<\/td><td>Rport Legit remote access tool<\/td><td>rport.exe<\/td><\/tr><tr><td>ab179112caadaf138241c43c4a4dccc2e3c67aeb96a151e432cfbafa18a4b436<\/td><td>Customized Ligolo tunneling tool<\/td><td><\/td><\/tr><tr><td>46.249.35[.]243<\/td><td>Command and control<\/td><td><\/td><\/tr><tr><td>45.86.230[.]20<\/td><td>Command and control<\/td><td><\/td><\/tr><tr><td>6485a68ba1d335d16a1d158976e0cbfad7ab15b51de00c381d240e8b0c479f77<\/td><td>db.ps1 Customized Script Backdoor<\/td><td><\/td><\/tr><tr><td>b155c5b3a8f4c89ba74c5c5c03d029e4202510d0cbb5e152995ab91e6809bcd7<\/td><td>db.sqlite Customized Obfuscated Script Backdoor<\/td><td><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>NOTE:<\/strong> These indicators should not be considered exhaustive for this observed activity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"microsoft-defender-threat-intelligence\">Microsoft Defender Threat Intelligence<\/h3>\n\n\n\n<p>Community members and customers can find summary information and all IOCs from this blog post in the linked <a href=\"https:\/\/ti.defender.microsoft.com\/articles\/20f3aba0\">Microsoft Defender Threat Intelligence article<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"references\">References<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.cybercom.mil\/Media\/News\/Article\/2897570\/iranian-intel-cyber-suite-of-malware-uses-open-source-tools\/\">https:\/\/www.cybercom.mil\/Media\/News\/Article\/2897570\/iranian-intel-cyber-suite-of-malware-uses-open-source-tools\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/ehorus.com\/\">https:\/\/ehorus.com\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/nicocha30\/ligolo-ng\">https:\/\/github.com\/nicocha30\/ligolo-ng<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.openssh.com\/\">https:\/\/www.openssh.com\/<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/github.com\/Gerenios\/AADInternals\/blob\/master\/AADSyncSettings.ps1#L97\">https:\/\/github.com\/Gerenios\/AADInternals\/blob\/master\/AADSyncSettings.ps1#L97<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Microsoft detected a unique operation where threat actors carried out destructive actions in both on-premises and cloud environments. <\/p>\n","protected":false},"author":153,"featured_media":127107,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_id":[],"ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"content-type":[3663],"topic":[3687],"products":[],"threat-intelligence":[3738],"tags":[3896,3898,3784,3802,3922,3924],"coauthors":[3380],"class_list":["post-127091","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-research","topic-threat-intelligence","threat-intelligence-threat-actors","tag-credential-theft","tag-elevation-of-privilege","tag-log4j","tag-ransomware","tag-sandstorm","tag-storm","review-flag-1694638272-264","review-flag-1694638264-948","review-flag-1694638265-576","review-flag-1-1694638265-354","review-flag-2-1694638266-864","review-flag-3-1694638266-241","review-flag-4-1694638266-512","review-flag-5-1694638266-171","review-flag-6-1694638266-691","review-flag-7-1694638266-851","review-flag-8-1694638266-352","review-flag-alway-1694638263-571","review-flag-and-o-1694638265-458","review-flag-lever-1694638263-909","review-flag-machi-1694638272-641","review-flag-new-1694638263-340","review-flag-on-pr-1694638271-947","review-flag-partn-1694638263-597","review-flag-vm-1694638271-244"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>MERCURY and DEV-1084: Destructive attack on hybrid environment | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"Microsoft has detected destructive operations enabled by MERCURY and Storm-1084 that attacked both on-premises and cloud environments.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MERCURY and DEV-1084: Destructive attack on hybrid environment | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"Microsoft has detected destructive operations enabled by MERCURY and Storm-1084 that attacked both on-premises and cloud environments.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-04-07T16:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-03T15:10:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/MSC19_singaporeScenics_004.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"801\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Microsoft Threat Intelligence\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Twitter-image.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Microsoft Threat Intelligence\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/\",\"@type\":\"Person\",\"@name\":\"Microsoft Threat Intelligence\"}],\"headline\":\"MERCURY and DEV-1084: Destructive attack on hybrid environment\",\"datePublished\":\"2023-04-07T16:00:00+00:00\",\"dateModified\":\"2024-07-03T15:10:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/\"},\"wordCount\":3704,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/MSC19_singaporeScenics_004.jpg\",\"keywords\":[\"Credential theft\",\"Elevation of privilege\",\"Log4j\",\"Ransomware\",\"Sandstorm\",\"Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/\",\"name\":\"MERCURY and DEV-1084: Destructive attack on hybrid environment | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/MSC19_singaporeScenics_004.jpg\",\"datePublished\":\"2023-04-07T16:00:00+00:00\",\"dateModified\":\"2024-07-03T15:10:14+00:00\",\"description\":\"Microsoft has detected destructive operations enabled by MERCURY and Storm-1084 that attacked both on-premises and cloud environments.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/MSC19_singaporeScenics_004.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/MSC19_singaporeScenics_004.jpg\",\"width\":1200,\"height\":801,\"caption\":\"a long bridge over a body of water with a city in the background\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"MERCURY and DEV-1084: Destructive attack on hybrid environment\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"MERCURY and DEV-1084: Destructive attack on hybrid environment | Microsoft Security Blog","description":"Microsoft has detected destructive operations enabled by MERCURY and Storm-1084 that attacked both on-premises and cloud environments.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/","og_locale":"en_US","og_type":"article","og_title":"MERCURY and DEV-1084: Destructive attack on hybrid environment | Microsoft Security Blog","og_description":"Microsoft has detected destructive operations enabled by MERCURY and Storm-1084 that attacked both on-premises and cloud environments.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/","og_site_name":"Microsoft Security Blog","article_published_time":"2023-04-07T16:00:00+00:00","article_modified_time":"2024-07-03T15:10:14+00:00","og_image":[{"width":1200,"height":801,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/MSC19_singaporeScenics_004.jpg","type":"image\/jpeg"}],"author":"Microsoft Threat Intelligence","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/Twitter-image.png","twitter_misc":{"Written by":"Microsoft Threat Intelligence","Est. reading time":"16 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/microsoft-security-threat-intelligence\/","@type":"Person","@name":"Microsoft Threat Intelligence"}],"headline":"MERCURY and DEV-1084: Destructive attack on hybrid environment","datePublished":"2023-04-07T16:00:00+00:00","dateModified":"2024-07-03T15:10:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/"},"wordCount":3704,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/MSC19_singaporeScenics_004.jpg","keywords":["Credential theft","Elevation of privilege","Log4j","Ransomware","Sandstorm","Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/","name":"MERCURY and DEV-1084: Destructive attack on hybrid environment | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/MSC19_singaporeScenics_004.jpg","datePublished":"2023-04-07T16:00:00+00:00","dateModified":"2024-07-03T15:10:14+00:00","description":"Microsoft has detected destructive operations enabled by MERCURY and Storm-1084 that attacked both on-premises and cloud environments.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/MSC19_singaporeScenics_004.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/04\/MSC19_singaporeScenics_004.jpg","width":1200,"height":801,"caption":"a long bridge over a body of water with a city in the background"},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2023\/04\/07\/mercury-and-dev-1084-destructive-attack-on-hybrid-environment\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"MERCURY and DEV-1084: Destructive attack on hybrid environment"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/127091","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/153"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=127091"}],"version-history":[{"count":2,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/127091\/revisions"}],"predecessor-version":[{"id":134930,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/127091\/revisions\/134930"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/127107"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=127091"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=127091"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=127091"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=127091"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=127091"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=127091"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=127091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}