Insights: Increased Risk of Wiper Attacks

Handala Hack (also tracked as Void Manticore, COBALT MYSTIQUE, Storm-1084/Storm-0842) is being linked to destructive wiper operations that have targeted organizations in Israel and the US. The primary vectors are identity exploitation via phishing and administrative misuse of Microsoft Intune. Unit 42 and other intelligence sources recommend immediate hardening of privileged identity, Intune-specific controls, session/token protections, and preparedness actions such as immutable backups and MDR/XDR monitoring to mitigate the increased wiper risk related to the Iran conflict.

Key points

  • Handala Hack (aka Void Manticore, COBALT MYSTIQUE, Storm-1084/Storm-0842) is assessed as a state-directed front for Iran’s MOIS and has been linked to destructive operations since late 2023.
  • Primary attack vectors reported include identity exploitation via phishing and misuse of administrative access in Microsoft Intune to perform destructive actions such as mass wipes.
  • Israel’s National Cyber Directorate reported incidents where attackers gained access to corporate networks and deleted servers and workstations, often using legitimate user credentials.
  • Immediate defensive recommendations include eliminating standing privileges, implementing just-in-time (JIT) access, and using Entra PIM or CyberArk PAM to protect administrative credentials.
  • Azure/Intune-specific controls advised include RBAC, PIM for Groups, conditional access for elevation, a FIDO2/Windows Hello requirement for high-risk actions, and the use of Secure Administrative Workstations (PAWs/SAWs).
  • Session and token protections (short session lifetimes, Entra Token Protection) and monitoring of RemoteWipe/FactoryReset events in SIEM/XDR with automated lockouts are recommended to limit the impact of stolen sessions.
  • Operational readiness steps include immutable offline backups, DLP and DSPM for sensitive data, phishing/tabletop exercises, and contacting Unit 42 Incident Response if compromised.
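The monitoring recommendation above (watch Intune RemoteWipe/FactoryReset events and lock out the issuing account automatically) can be turned into a simple burst detector. The following is an added example written for this summary, not code from Unit 42 or Microsoft: the audit records are constructed, and the field names `time`, `actor`, `action` and `device` are a simplified stand-in for the real Intune audit log schema, so map them to your own SIEM's columns before use.

```python
"""Flag accounts that issue a burst of Intune wipe actions.

Added example, not Unit 42's or Microsoft's code. Event records and field
names below are constructed/simplified; real Intune audit events differ.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Device actions the summary says to monitor in SIEM/XDR.
WIPE_ACTIONS = {"RemoteWipe", "FactoryReset"}

# Constructed sample audit events (deliberately out of order to exercise sorting).
SAMPLE_EVENTS = [
    {"time": "2025-06-01T02:02:45Z", "actor": "admin-a@example.com", "action": "RemoteWipe",   "device": "LAPTOP-003"},
    {"time": "2025-06-01T01:00:00Z", "actor": "helpdesk@example.com", "action": "RemoteWipe",  "device": "LAPTOP-010"},
    {"time": "2025-06-01T02:00:05Z", "actor": "admin-a@example.com", "action": "RemoteWipe",   "device": "LAPTOP-001"},
    {"time": "2025-06-01T02:00:30Z", "actor": "admin-a@example.com", "action": "SyncDevice",   "device": "LAPTOP-002"},
    {"time": "2025-06-01T02:01:10Z", "actor": "admin-a@example.com", "action": "FactoryReset", "device": "LAPTOP-002"},
    {"time": "2025-06-01T05:30:00Z", "actor": "helpdesk@example.com", "action": "RemoteWipe",  "device": "LAPTOP-011"},
    {"time": "2025-06-01T02:04:00Z", "actor": "admin-a@example.com", "action": "RemoteWipe",   "device": "LAPTOP-004"},
]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def wipe_events(events):
    """Return only the destructive device actions, oldest first."""
    return sorted(
        (e for e in events if e["action"] in WIPE_ACTIONS),
        key=lambda e: parse_time(e["time"]),
    )


def detect_wipe_bursts(events, threshold=3, window_seconds=600):
    """Return {actor: peak_count} for actors that issued at least `threshold`
    wipe actions inside any sliding window of `window_seconds`.

    A single wipe is normal decommissioning; several in minutes from one
    identity is the pattern a stolen admin session produces.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # actor -> timestamps still inside the window
    flagged = {}
    for e in wipe_events(events):
        t = parse_time(e["time"])
        q = recent[e["actor"]]
        q.append(t)
        while q and t - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e["actor"]] = max(flagged.get(e["actor"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for actor, peak in detect_wipe_bursts(SAMPLE_EVENTS).items():
        # In a SOAR playbook this is where the automated lockout would fire:
        # revoke the actor's sessions and disable the account pending review.
        print(f"ALERT: {actor} issued {peak} wipe actions within 10 minutes")
```

With the constructed data, `admin-a@example.com` (four wipes in under four minutes) is flagged while the help-desk account's two wipes, hours apart, are not. Tune `threshold` and `window_seconds` to your organisation's normal decommissioning rate, and feed the flagged actors into the session-revocation and account-disable step rather than only raising a ticket.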

MITRE Techniques

  • [T1566] Phishing – Used to exploit identity and gain initial access (‘the exploitation of identity through phishing and administrative access through Microsoft Intune.’)
  • [T1078] Valid Accounts – Attackers used legitimate credentials and administrative access in Intune to perform destructive actions (‘administrative access through Microsoft Intune’).
  • [T1485] Data Destruction – Wiper activity resulted in deletion of servers and workstations to disrupt operations (‘the attacker gained access to corporate networks and deleted servers and workstations, with the aim of disrupting the operations of the attacked organizations.’)
  • [T1098] Account Manipulation – Persistent standing privileges and abuse of always-on administrative rights were highlighted as enabling rapid destructive impact (‘Persistent administrative rights are the single greatest risk factor in modern identity attacks.’)

Indicators of Compromise

  • [Actor Names] Threat actor aliases mentioned – Handala Hack, Void Manticore (aka COBALT MYSTIQUE, Storm-1084/Storm-0842)
  • [Account Names] Example administrative account pattern referenced for cloud-only admins – [email protected]
  • [Log/Event Names] Intune device management actions called out for monitoring – RemoteWipe, FactoryReset
  • [Organizations/Victims] Reported affected or reporting organizations – Israel’s National Cyber Directorate, Unit 42
  • [Contact Numbers] Unit 42 IR contact numbers provided for incident response – +1 (866) 486-4842, +44.20.3743.3660
Read more: https://unit42.paloaltonetworks.com/handala-hack-wiper-attacks/