MSTIC CyberWarCon Research on Iranian Threat Actor Groups
The Microsoft Threat Intelligence Center (MSTIC) shared research on six Iranian threat actor groups: DEV-0146, RABIDIUM, DEV-0227, PHOSPHORUS, DEV-0198, and DEV-0500. These groups have deployed ransomware in waves since September 2020, at average intervals of six to eight weeks. Some tactical TTP details were shared for PHOSPHORUS/Magic Hound (MITRE: G0059): initial access by exploiting vulnerabilities in Fortinet FortiOS SSL VPN and on-premises Exchange Server, followed by lateral movement and credential access, and finally ransomware deployment. Additional strategic details were shared for CURIUM and DEV-0343, including CURIUM's social engineering tactics, DEV-0343's password-spray (brute-force) attacks against Office 365 tenants, and operating hours that track the Iranian working week.
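Two of the indicators above lend themselves to a simple hunt: many distinct accounts failing sign-in from one source IP in a short window (the DEV-0343 spray pattern), and failure timestamps that cluster inside a working day in Iran. The following is an added example written for this page, not MSTIC's detection logic or any Microsoft tooling. The log lines are constructed, the CSV layout is an assumption, and the working-hour window (Saturday through Wednesday, 08:00 to 18:00 Iran Standard Time, UTC+03:30) is an assumed pattern chosen for illustration rather than a figure taken from the research.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sign-in log lines for illustration (not real telemetry).
# Assumed format: <UTC timestamp>,<user>,<source IP>,<result>
SAMPLE_LOG = """\
2021-11-16T06:30:00Z,alice@example.com,203.0.113.7,Failure
2021-11-16T06:33:00Z,bob@example.com,203.0.113.7,Failure
2021-11-16T06:36:00Z,carol@example.com,203.0.113.7,Failure
2021-11-16T06:39:00Z,dave@example.com,203.0.113.7,Failure
2021-11-16T06:42:00Z,erin@example.com,203.0.113.7,Failure
2021-11-16T06:45:00Z,frank@example.com,203.0.113.7,Success
2021-11-16T07:10:00Z,alice@example.com,198.51.100.4,Failure
2021-11-16T07:11:00Z,alice@example.com,198.51.100.4,Failure
2021-11-16T07:12:00Z,alice@example.com,198.51.100.4,Success
2021-11-19T10:00:00Z,grace@example.com,192.0.2.9,Failure
"""

IRST = timezone(timedelta(hours=3, minutes=30))  # Iran Standard Time, UTC+03:30
# Assumed working pattern for this example (not a figure from the report):
# Saturday through Wednesday, 08:00-18:00 local. Python weekday(): Mon=0 ... Sun=6.
WORK_DAYS = {5, 6, 0, 1, 2}
WORK_HOURS = range(8, 18)


def parse_log(text):
    """Parse the assumed CSV layout into dicts with an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "user": user, "ip": ip, "result": result})
    return events


def in_iran_working_hours(when_utc):
    """True if the UTC timestamp falls inside the assumed Iranian working window."""
    local = when_utc.astimezone(IRST)
    return local.weekday() in WORK_DAYS and local.hour in WORK_HOURS


def find_password_spray(events, min_users=5, window=timedelta(hours=1)):
    """Return {ip: sorted distinct users} for source IPs whose failed sign-ins
    touch at least min_users distinct accounts within any span of `window`.
    A sliding window over the time-sorted failures keeps this linear per IP."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "Failure":
            by_ip[ev["ip"]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                hits[ip] = sorted(users)
                break
    return hits


def triage(text, **spray_kwargs):
    """For each spraying IP: accounts targeted, accounts where a sign-in then
    succeeded (the spray landed), and the share of failures inside the assumed
    Iranian working hours. Time-of-day is only corroborating context, never
    attribution on its own."""
    events = parse_log(text)
    findings = {}
    for ip, users in find_password_spray(events, **spray_kwargs).items():
        fails = [e for e in events if e["ip"] == ip and e["result"] == "Failure"]
        landed = sorted(e["user"] for e in events if e["ip"] == ip and e["result"] == "Success")
        in_hours = sum(in_iran_working_hours(e["time"]) for e in fails)
        findings[ip] = {"users": users, "landed": landed, "iran_hours_share": in_hours / len(fails)}
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, 203.0.113.7 fails against five accounts in twelve minutes and then succeeds against a sixth, so it is reported with `landed` populated; the three failures from 198.51.100.4 are one user mistyping a password and are ignored. The `min_users` and `window` thresholds need tuning against a tenant's normal failure rate, and the working-hours share is a weak signal that should only ever be read alongside the spray itself.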