A threat actor commonly known as Mint Sandstorm and Phosphorus has been identified weaponizing N-day vulnerabilities. The group has been associated with the Iranian government, as well as with the activity tracked as APT35, APT42 and Charming Kitten. Microsoft released a report earlier this week highlighting the group’s new techniques, which are designed to support campaigns that align with Iran’s national priorities. Microsoft states that, in 2022, the threat actor shifted from reconnaissance to direct attacks on US critical infrastructure entities such as transit systems, energy companies and seaports.
Mint Sandstorm has also begun using publicly disclosed proof-of-concept code to exploit flaws; Microsoft says that, until recently, the group had not focused on adopting exploits for newly disclosed vulnerabilities. More recently, the group has deployed two custom .NET implants to maintain persistence during attacks. Microsoft considers the new intrusions attributed to the group concerning for several reasons, including that they allow Mint Sandstorm operators to conceal C2 communication, persist on compromised systems, and deploy post-compromise tools.
Read More: Iranian Nation-State Actor “Mint Sandstorm” Weaponizes N-day Flaws