Advanced persistent threat (APT) group dubbed Mint Sandstorm has mastered the ability to pounce on proof-of-concept (PoC) vulnerabilities, before organizations can apply patches, and strike.
According to Microsoft, the APT Mint Sandstorm is backed by the Iranian government and is a composite of several subgroups associated with an intelligence arm of Iran’s Revolutionary Guard Corps. Researchers add that Mint Sandstorm (also known as Phosphorus) specializes in hacking into and stealing sensitive information from high-value targets.
The subgroup moved from reconnaissance to directly targeting critical infrastructure in the United States, including seaports, energy companies, transit systems and “a major U.S. utility and gas entity potentially in support of retaliatory destructive cyberattacks,” researchers said. Attacks began late 2021 and continued through mid-2022 and have steadily increased in pace and scope since then.
Until this year, Microsoft said the subgroup was slow to adopt recently disclosed vulnerabilities. But beginning in 2023, Mint Sandstorm began to quickly incorporate public PoCs into its arsenal. Examples include CVE-2022-479666, a flaw in Zoho ManageEngine that a PoC was created for on Jan. 19. On the same day the PoC became public, Mint Sandstorm began rolling out attacks. Additionally, the group exploited CVE-2022-47986 in Aspera Faspex within five days of the PoC becoming publicly known on Feb. 2.
The Microsoft researchers noted that while the group rapidly incorporates new PoCs into their playbooks, Mint Sandstorm continues to exploit older vulnerabilities, such as Log4Shell, on unpatched devices.
Phil Neray, vice president of cyber defense strategy at CardinalOps, noted that the Cybersecurity and Infrastructure Security Agency said adversaries often develop exploits within 48 hours of a vendor update being released, knowing that it can take an average of 60 days to test and deploy patches at large organizations.
Cybersecurity professionals said they weren’t surprised at learning how quickly the Iranian nation-state actors were exploiting PoCs.
“[Microsoft's] recommendations are also solid,” said Mike Parkin, a senior technical engineer with Vulcan Cyber. “But ‘patch and harden’ are what cybersecurity professionals have always recommended. We just wish people would listen and do it.”
Microsoft debuts new naming conventions for APTs
The name Mint Sandstorm is part of Microsoft's new naming taxonomy for threat actors.
The new naming convention attribute a “family name” for nation-states that incorporates a weather event — the Sandstorm designation is for believed Iranian threat groups, for example, and suspected Russian threat groups will be described with “Blizzard” family names. Suspected North Korean groups will be designated as “Sleet” and APTs with believed ties to China will be labeled “Typhoon."