Iranian Nation-State Actor "Mint Sandstorm" Weaponizes N-day Flaws

Written by

A threat actor associated with Iranian nation-state hackers has been weaponizing N-day vulnerabilities, as well as deploying new techniques to access environments of interest.

The threat actor is a sub-group of Mint Sandstorm – a gang also known as Phosphorus and associated with APT35, APT42, Charming Kitten and TA453 – reported an advisory published by Microsoft on Tuesday.

Read more about Phosphorus here: Iran Spear-Phishers Hijack Email Conversations in New Campaign

“This Mint Sandstorm subgroup is technically and operationally mature, capable of developing bespoke tooling and quickly weaponizing N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to align with Iran’s national priorities,” Microsoft wrote.

The tech giant explained that, between late 2021 and mid 2022, the threat actor switched from reconnaissance to direct attacks on US critical infrastructure, which included seaports, energy companies, transit systems and a large US utility and gas entity.

Among the techniques used by the Mint Sandstorm subgroup is the adoption of publicly disclosed proof-of-concept (POC) code to exploit flaws in internet-facing applications. 

“Until 2023, this subgroup had been slow to adopt exploits for recently-disclosed vulnerabilities with publicly reported POCs,” reads the advisory. “However, beginning in early 2023, Microsoft observed a notable decrease in the time required for this subgroup to adopt and incorporate public POCs.”

Further, since 2022, the subgroup has started using two custom .NET implants (dubbed Drokbk and Soldier) to achieve persistence on victim machines and download additional tools.

“Microsoft has also observed this Mint Sandstorm subgroup using a distinct attack chain involving low-volume phishing campaigns and a third custom implant,” the company explained.

Microsoft added that the new intrusions attributed to the group are concerning as they allow operators to conceal C2 communication, as well as persist in a compromised system, and deploy several post-compromise tools with different capabilities.

“A successful intrusion creates liabilities and may harm an organization’s reputation, especially those responsible for delivering services to others such as critical infrastructure providers, which Mint Sandstorm has targeted in the past.”

Microsoft recommended a series of mitigation guidelines to protect against this Mint Sandstorm subgroup, including hardening internet-facing assets and reducing the attack surface via rules included in the advisory.

Its publication comes weeks after Secureworks disclosed information about a new Iranian state-backed cyber-espionage campaign aimed at rooting out female human rights activists.

What’s hot on Infosecurity Magazine?