Microsoft Threat Intelligence Center (MSTIC) has successfully identified and disabled an attack orchestrated by a Lebanon-based activity group called Polonium.
The group was abusing Microsoft’s file hosting service, OneDrive, to target private and government organizations in Israel. Based on its tools and techniques, it seems that Polonium is affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
“Polonium has targeted or compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months,” explains MSTIC.
The good news is that all legitimate OneDrive accounts are completely safe because the attack didn’t involve any security issues or vulnerabilities. Instead, Polonium used the file hosting service for command and control to execute part of their attack operation.
Polonium’s targets include primarily organizations in critical manufacturing, IT, and defense industry. “In at least one case, Polonium’s compromise of an IT company was used to target a downstream aviation company and law firm in a supply chain attack that relied on service provider credentials to gain access to the targeted networks.”
MSTIC is still actively investigating how Polonium gained initial access to many of their victims, but it knows that most victims were running Fortinet appliances. Based on this fact, MSTIC suspects that the CVE-2018-13379 vulnerability was used to gain access inside the targeted organizations.
While the threat has been contained, there are certain actions MSTIC recommends all organizations to take to protect themselves, such as confirming that Microsoft Defender Antivirus is updated, enabling multi-factor authentication (MFA), and blocking in-bound traffic from specific IP addresses.
This isn’t the first instance of threat actors using OneDrive and other similar file hosting services to achieve their nefarious goals. Last year, for example, Microsoft discovered that OneDrive was used to host malware files commonly used to launch Conti ransomware attacks.
Cisco Unveils Strategic Vision For Enterprise Cloud Security In MENA
At the heart of this vision is Cisco Security Cloud, a global, cloud-delivered, integrated platform for end-to-end security across hybrid multi-cloud environments.
The global pandemic has accelerated cloud adoption by forcing companies to embrace the hybrid work model. But as companies move more and more of their information technology systems to the cloud, they discover that traditional security measures become less and less effective. To help cloud adopters of all sizes overcome the challenges associated with enterprise cloud security, Cisco has unveiled its new strategic vision for the MENA region.
At the heart of this vision is Cisco Security Cloud, a global, cloud-delivered, integrated platform for end-to-end security across hybrid multi-cloud environments. The platform unifies the management and policy administration of public and private clouds to protect users, devices, networks, applications, and data.
“With the complexity of hybrid work, continued acceleration of cloud adoption, and the ever-advancing threat landscape, organizations are looking for a trusted partner to help them achieve security resilience,” said Jeetu Patel, Executive Vice President and General Manager of Security and Collaboration at Cisco. “We believe Cisco is uniquely positioned due to its scale, breadth of solutions and cloud-neutral business model to meet their needs.”
Cisco Security Cloud is based on the zero trust security model, which, as its name implies, describes an approach to security where no access request is trusted without verification regardless of where it comes from.
To make the verification process as robust and user-friendly and possible, the necessary identity checks take place in the background, allowing users to focus on their work without being constantly interrupted by log-in prompts and other identity verification mechanisms.
Cisco is also building session trust analysis using OpenID Foundation’s Shared Signals and Events standards, which allow cloud services to instantly communicate security alerts and status changes of users.
These and other parts of Cisco’s new strategic vision for enterprise cloud security should help companies accelerate their cloud adoption initiatives. According to a survey of IT professionals in the Middle East, a lack of cybersecurity is among the main reasons why such initiatives proceed at a slow pace.