Iranian state actors carried out password spraying attacks against thousands of organizations around the world between February and July 2023, new findings from Microsoft reveal.
The tech giant, which tracks the business under the name Peach Sandstorm (formerly Holmium), said the adversary was pursuing organizations in the satellite, defense, and pharmaceutical industries to facilitate intelligence collection in support of Iranian state interests.
If an account’s authentication is successful, the threat actor has been observed using a combination of publicly available and custom tools for discovery, persistence, and lateral movement, followed by data exfiltration in cases boundaries.
Peach Sandstorm, also known as APT33, Elfin and Refined Kitten, has been associated with spear-phishing attacks against the aerospace and energy industries in the past, some of which involved the use of METAMORPHOSE wiper malware. He is said to have been active since at least 2013.
“In the initial phase of this campaign, Peach Sandstorm conducted password spraying campaigns against thousands of organizations across multiple industries and geographies,” the Microsoft Threat Intelligence team said. saidnoting that some activity is opportunistic.
Password spraying refers to a technique in which a malicious actor attempts to authenticate to many different accounts using a single password or a list of commonly used passwords. This is different from brute force attacks in which a single account is targeted with many combinations of credentials.
“The activity observed during this campaign was consistent with the Iranian way of life, particularly in late May and June, where activity occurred almost exclusively between 9:00 a.m. and 5:00 p.m. Iran Standard Time (IRST),” added Microsoft.
Intrusions are characterized by the use of open source red team tools such as Azure Doga Golang binary to perform recognition, and ROAD Tools to access data in a target’s cloud environment. The attacks were further observed using Azure Arc to establish persistence by connecting to an Azure subscription controlled by the threat actor.
Alternative attack chains mounted by Peach Sandstorm involved exploiting security vulnerabilities in Atlassian Confluence (CVE-2022-26134) or Zoho ManageEngine (CVE-2022-47966) to gain initial access.
Identity is the New Endpoint: Mastering SaaS Security in the Modern Age
Dive into the future of SaaS security with Maor Bin, CEO of Adaptive Shield. Find out why identity is the new endpoint. Reserve your place now.
Some other notable aspects of post-compromise activity include the deployment of remote monitoring and management tool AnyDesk to maintain access, EagleRelay to redirect traffic to their infrastructure, and the exploitation of Golden SAML attack techniques for lateral movement.
“Peach Sandstorm also created new Azure subscriptions and leveraged the access provided by those subscriptions to carry out additional attacks in other organizations’ environments,” Microsoft said.
“As Peach Sandstorm develops and uses more and more new capabilities, organizations must develop corresponding defenses to strengthen their attack surfaces and increase the costs of these attacks.”