{"id":91605,"date":"2020-09-10T11:45:52","date_gmt":"2020-09-10T18:45:52","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=91605"},"modified":"2024-03-28T11:07:49","modified_gmt":"2024-03-28T18:07:49","slug":"strontium-detecting-new-patters-credential-harvesting","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/09\/10\/strontium-detecting-new-patters-credential-harvesting\/","title":{"rendered":"STRONTIUM: Detecting new patterns in credential harvesting"},"content":{"rendered":"\n
Microsoft has tied STRONTIUM to a newly uncovered pattern of Office 365 credential harvesting activity aimed at US and UK organizations directly involved in political elections. Analysts from the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Identity Security have been tracking this new activity since April 2020. Credential harvesting is a known tactic used by STRONTIUM to obtain valid credentials that enable future surveillance or intrusion operations. Subsequent analysis revealed that between September 2019 and June 2020, STRONTIUM launched credential harvesting attacks against tens of thousands of accounts at more than 200 organizations. In the two weeks between August 18 and September 3, the same attacks targeted 6,912 accounts belonging to 28 organizations. None of these accounts were successfully compromised.<\/p>\n\n\n\n
Not all the targeted organizations were election-related. However, we felt it important to highlight a potential emerging threat to the 2020 US Presidential Election and future electoral contests in the UK.<\/p>\n\n\n\n
Tom Burt, Microsoft CVP for Customer Security and Trust, provided additional details on this campaign in his recent On The Issues blog post. The purpose of this post is to give defenders in any organization, especially those directly or indirectly affiliated with electoral systems, insight into the technical nature of this activity. By sharing these details, we hope to enable better defense against future attacks and to share best practices for securing cloud environments against this type of activity.<\/p>\n\n\n\n
STRONTIUM relied heavily on spear phishing in its credential harvesting efforts leading up to the 2016 US presidential election; in 2016, spear phishing was the most common tactic for stealing credentials from targeted accounts. This time around, STRONTIUM appears to be taking a different approach: brute-force and password-spray tooling. This shift in tactics, also made by several other nation-state actors, allows them to execute large-scale credential harvesting operations in a more anonymized manner. The tooling STRONTIUM is using routes its authentication attempts through a pool of approximately 1,100 IPs, the majority associated with the Tor anonymizing service. This pool of infrastructure has evolved over time, with an average of approximately 20 IPs added to and removed from it per day. STRONTIUM\u2019s tooling rotates its authentication attempts among this pool of IPs approximately once per second. Considering the breadth and speed of this technique, it seems likely that STRONTIUM has adapted its tooling to use an anonymizer service to obfuscate its activity, evade tracking, and avoid attribution.<\/p>\n\n\n\n
During the two-week period of August 19 \u2013 September 3, STRONTIUM\u2019s credential harvesting tooling used a daily average of 1,294 IPs associated with 536 netblocks and 273 ASNs. Of these netblocks, some were much more heavily used by the tooling than others, both in the total number of authentication attempts made from them and in the total number of IPs used within them. Figure 1 below shows the five netblocks from which the highest number of total authentication attempts were observed. As highlighted in the table, several of these netblocks had much higher IP utilization rates than the rest. This behavior indicates that the underlying anonymization services providing the infrastructure backbone for STRONTIUM authentication attempts are, in a sense, over-serving IPs in these specific netblocks.<\/p>\n\n\n\n
Figure 1: Highest volume netblocks used in STRONTIUM auth attempts.<\/p>\n\n\n\n
The fact that the anonymization service is over-serving specific netblocks gives defenders an opportunity to hunt for activity associated with this STRONTIUM activity or with other malicious tooling that uses the same anonymization service. The following Azure Sentinel query (GitHub link) is designed to identify failed authentication attempts from the three highest-signal, highest-utilization netblocks highlighted above and to group the results by UserAgent.<\/p>\n\n\n\n
Microsoft Threat Protection (MTP) also provides a platform for users to identify failed authentication attempts. The following query gives MTP users the ability to hunt for and address these threats as well:<\/p>\n\n\n\n
MSTIC has observed that the STRONTIUM tooling operates in two modes when targeting accounts: brute-force and password-spray.<\/p>\n\n\n\n
In password-spray mode, the tooling attempts username:password combinations in a \u2018low-and-slow\u2019 manner. Organizations targeted by the tooling running in this mode typically see approximately four authentication attempts per hour per targeted account over the course of several days or weeks, with nearly every attempt originating from a different IP address.<\/p>\n\n\n\n
In brute-force mode, the tooling attempts many username:password combinations very rapidly over a much shorter period. Organizations targeted by the tooling running in this mode typically see over 300 authentication attempts per hour per targeted account over the course of several hours or days.<\/p>\n\n\n\nTactical Details<\/h2>\n\n\n\n
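As an added example (not the Sentinel or MTP query referenced above, and not Microsoft's code), the following Python sketch performs both hunts described in this section over constructed sign-in records: it counts failed sign-ins from a set of watched netblocks grouped by UserAgent, and it scores each account's failed-attempt rate and IP diversity against the password-spray and brute-force profiles described above. The netblocks (RFC 5737 documentation ranges), account names, UserAgent strings, timestamps and classification thresholds are placeholders and assumptions chosen for illustration; the real high-utilization netblocks from Figure 1 are not reproduced here.

```python
"""Added example: hunt failed sign-ins from watched netblocks by UserAgent, and
classify per-account failure rates as password-spray or brute-force.
All netblocks, records and thresholds below are constructed placeholders."""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical "over-served" netblocks (RFC 5737 documentation ranges), NOT the
# netblocks from Figure 1 of the post.
WATCHED_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24"),
                     ipaddress.ip_network("203.0.113.0/24")]

# Assumed thresholds derived from the behaviour described on the page.
SPRAY_MAX_RATE = 10.0      # ~4 failed attempts/hour/account in spray mode
SPRAY_MIN_ATTEMPTS = 20    # ignore a handful of ordinary typos
SPRAY_MIN_IP_RATIO = 0.9   # "nearly every attempt from a different IP"
BRUTE_MIN_RATE = 300.0     # ">300 attempts/hour/account" in brute-force mode


def build_sample_signins():
    """Construct synthetic records shaped like Azure AD SigninLogs rows.
    result_type 0 = success, 50126 = invalid username or password."""
    t0 = datetime(2020, 8, 19, 0, 0, 0)
    records = []
    # Sprayed account: 4 failures/hour for 24 hours, each from a new IP.
    spray_ips = list(WATCHED_NETBLOCKS[0].hosts())
    for i in range(96):
        records.append({"time": t0 + timedelta(minutes=15 * i),
                        "user": "alice@contoso.example",
                        "ip": str(spray_ips[i]),
                        "result_type": 50126,
                        "user_agent": "BAV2ROPC"})
    # Brute-forced account: 600 failures in one hour from four IPs.
    brute_ips = [str(h) for h in list(WATCHED_NETBLOCKS[1].hosts())[:4]]
    for i in range(600):
        records.append({"time": t0 + timedelta(seconds=6 * i),
                        "user": "bob@contoso.example",
                        "ip": brute_ips[i % 4],
                        "result_type": 50126,
                        "user_agent": "BAV2ROPC"})
    # Ordinary user: two typos then success, from an unwatched address.
    for i, rt in enumerate((50126, 50126, 0)):
        records.append({"time": t0 + timedelta(hours=9, minutes=i),
                        "user": "carol@contoso.example",
                        "ip": "192.0.2.10",
                        "result_type": rt,
                        "user_agent": "Mozilla/5.0"})
    return records


def failed_by_netblock_and_agent(records, netblocks=WATCHED_NETBLOCKS):
    """Count failed sign-ins from watched netblocks, keyed by (netblock, UserAgent).
    Mirrors the shape of the hunt described for the Sentinel query."""
    counts = Counter()
    for r in records:
        if r["result_type"] == 0:
            continue
        addr = ipaddress.ip_address(r["ip"])
        for nb in netblocks:
            if addr in nb:
                counts[(str(nb), r["user_agent"])] += 1
    return counts


def classify_accounts(records):
    """Per account: failed attempts per hour and distinct-IP ratio -> mode label."""
    per_user = defaultdict(list)
    for r in records:
        if r["result_type"] != 0:
            per_user[r["user"]].append(r)
    verdicts = {}
    for user, fails in per_user.items():
        times = sorted(f["time"] for f in fails)
        # Floor the observation window at one hour so a short burst is still
        # expressed as an attempts-per-hour rate.
        hours = max((times[-1] - times[0]).total_seconds() / 3600.0, 1.0)
        rate = len(fails) / hours
        ip_ratio = len({f["ip"] for f in fails}) / len(fails)
        if rate >= BRUTE_MIN_RATE:
            mode = "brute-force"
        elif (len(fails) >= SPRAY_MIN_ATTEMPTS and rate <= SPRAY_MAX_RATE
              and ip_ratio >= SPRAY_MIN_IP_RATIO):
            mode = "password-spray"
        else:
            mode = "unclassified"
        verdicts[user] = {"attempts": len(fails), "rate_per_hour": round(rate, 1),
                          "distinct_ip_ratio": round(ip_ratio, 2), "mode": mode}
    return verdicts


if __name__ == "__main__":
    data = build_sample_signins()
    for key, n in failed_by_netblock_and_agent(data).most_common():
        print(key, n)
    for user, verdict in classify_accounts(data).items():
        print(user, verdict)
```

The two signals are deliberately kept separate: the netblock/UserAgent grouping is the cheap first pass that surfaces shared anonymizer infrastructure, while the per-account rate and IP-diversity scoring is what distinguishes a slow spray (which per-IP lockout thresholds never trip) from a burst that a single-source rate limit would catch.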