Mercury Attack: How an Iranian State-Backed Hacker Group Destroyed Microsoft AF’s On-Premises and Azure Resources

The article written by Paul Robichaux for Practical365.com describes a new attack that exploits Azure AD Connect to compromise both on-premises and cloud environments. Azure AD Connect is a tool that synchronizes on-premises Active Directory with Azure Active Directory, enabling users to access both sets of resources with the same credentials. The attackers, identified as an Iranian threat actor named MERCURY and another group called DEV-1084, exploited a vulnerability in Azure AD Connect that allowed them to run arbitrary commands on the server hosting the tool. They then used these commands to create highly privileged accounts and access tokens that gave them access to both environments.

The article explains how the attackers performed two different types of destructive actions: one on-premises and one in the cloud. On-premises, they used group policy objects (GPOs) to interfere with security tools and register a scheduled task that ran ransomware on domain controllers and other servers. They also used the NETLOGON shares on domain controllers to distribute ransomware to other devices on the network. The ransomware encrypted the files and displayed a message claiming to be from a ransomware group called DarkBit, demanding payment for decryption.

In the cloud, the attackers used Azure PowerShell commands to destroy various resources, such as server farms, virtual machines, storage accounts, and virtual networks. They also used Azure SendGrid to send emails to internal and external recipients, pretending to be from DarkBit and demanding payment for restoring the cloud resources. The article notes that the attackers did not provide any means of contacting them or paying the ransom, indicating that their goal was not extortion but destruction and disruption.
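As an added defensive example (not code from the article, Microsoft, or Practical365), the following Python detector scans constructed Azure Activity Log style records and flags any caller that deletes resources of several different types within a short window, which is the cloud-side destruction pattern described above. The field names, caller identities and timestamps are simplified assumptions, not real log data.

```python
"""Flag burst deletions across resource types in Azure Activity Log style records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled loosely on Azure Activity Log fields.
# The callers, times and tenant are invented for illustration only.
SAMPLE_EVENTS = [
    {"time": "2023-04-01T02:00:05Z", "caller": "svc-sync@contoso.example",
     "operationName": "Microsoft.Web/serverfarms/delete", "status": "Succeeded"},
    {"time": "2023-04-01T02:00:40Z", "caller": "svc-sync@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/delete", "status": "Succeeded"},
    {"time": "2023-04-01T02:01:10Z", "caller": "svc-sync@contoso.example",
     "operationName": "Microsoft.Storage/storageAccounts/delete", "status": "Succeeded"},
    {"time": "2023-04-01T02:02:00Z", "caller": "svc-sync@contoso.example",
     "operationName": "Microsoft.Network/virtualNetworks/delete", "status": "Succeeded"},
    # A single routine VM deletion by an admin should not trigger an alert.
    {"time": "2023-04-01T09:15:00Z", "caller": "alice@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/delete", "status": "Succeeded"},
    {"time": "2023-04-01T09:16:00Z", "caller": "alice@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_mass_deletions(events, window=timedelta(minutes=10), min_deletes=3, min_types=2):
    """Return {caller: largest burst size} for callers whose successful delete
    operations inside one sliding window reach min_deletes and span at least
    min_types distinct resource providers (Compute, Storage, Network, ...)."""
    by_caller = defaultdict(list)
    for e in events:
        if e["status"] == "Succeeded" and e["operationName"].endswith("/delete"):
            by_caller[e["caller"]].append((_parse(e["time"]), e["operationName"]))
    alerts = {}
    for caller, dels in by_caller.items():
        dels.sort()
        start = 0
        for end in range(len(dels)):
            # Slide the window start forward until the span fits inside `window`.
            while dels[end][0] - dels[start][0] > window:
                start += 1
            span = dels[start:end + 1]
            providers = {op.split("/")[0] for _, op in span}
            if len(span) >= min_deletes and len(providers) >= min_types:
                alerts[caller] = max(alerts.get(caller, 0), len(span))
    return alerts


if __name__ == "__main__":
    print(find_mass_deletions(SAMPLE_EVENTS))
```

In a real deployment the records would come from the Activity Log export (for example via a Log Analytics workspace) and the alert would feed the SIEM; the thresholds here are starting points to tune against normal change volume.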

To protect your hybrid environment from such attacks, you need to follow some best practices, such as:

  • Patching Azure AD Connect regularly and applying security updates
  • Enabling multi-factor authentication for all accounts, especially privileged ones
  • Monitoring network activity and logs for anomalies and suspicious behavior
  • Securing the Azure AD Connect configuration and its permissions
  • Using Microsoft security tools and services to detect and respond to threats

Source: Robichaux, P. (2023, April 10). Microsoft Reports New Attack Using Azure AD Connect. Practical365.com. https://practical365.com/mercury-attack-april-2023/