The Iranian government-affiliated APT group MERCURY, also known as MuddyWater, has been linked to recent destructive attacks targeting organizations with hybrid Microsoft Azure environments. The attacks, disguised as a ransomware operation called DarkBit, have caused significant data loss and service disruption. Microsoft researchers discovered strong connections between the DEV-1084 malicious activity cluster and the known Iranian APT group.
MERCURY gains access to targets by remotely exploiting unpatched internet-facing devices, subsequently handing off access to DEV-1084. The attackers identify vulnerable servers and web applications, exploiting them to plant web shells, create local user accounts, elevate privileges, and establish persistence. This foothold enables them to steal Active Directory credentials, deploy remote access tools, and execute extensive network discovery and lateral movement.
In hybrid Windows domain environments combining local AD with Azure AD, the attackers attempt to infiltrate the cloud infrastructure. Microsoft observed the attackers abusing high-privileged accounts created by the Azure AD Connect agent, compromising the agent’s hosting system, and setting up an SSH tunnel. Using AADInternals tools, they extract plaintext credentials for the Azure AD Connector account and the AD DS Connector account.
The attackers have caused significant destruction within the Azure environment, deleting server farms, virtual machines, storage accounts, and virtual networks. Furthermore, they have accessed mailboxes, issued new certificates for token authentication, and impersonated high-ranking employees via email. Microsoft recommends following Azure Identity Management and access control security best practices, enabling Conditional Access, and implementing continuous access evaluation (CAE) policies.
By enabling Conditional Access and continuous access evaluation (CAE) policies, companies can bolster their security measures. Conditional Access enforces device compliance and trusted IP requirements for account access, complementing MFA, while CAE continuously assesses user condition changes that may pose security risks.