Iranian nation-state actors have been conducting password spray attacks against thousands of organizations globally between February and July 2023, new findings from Microsoft reveal.
The tech giant, which is tracking the activity under the name Peach Sandstorm (formerly Holmium), said the adversary pursued organizations in the satellite, defense, and pharmaceutical sectors to likely facilitate intelligence collection in support of Iranian state interests.
Should the authentication to an account be successful, the threat actor has been observed using a combination of publicly available and custom tools for discovery, persistence, and lateral movement, followed by data exfiltration in limited cases.
Peach Sandstorm, also known by the names APT33, Elfin, and Refined Kitten, has been linked to spear-phishing attacks against aerospace and energy sectors in the past, some of which have entailed the use of the SHAPESHIFT wiper malware. It's said to be active since at least 2013.
"In the initial phase of this campaign, Peach Sandstorm conducted password spray campaigns against thousands of organizations across several sectors and geographies," the Microsoft Threat Intelligence team said, noting some of the activity is opportunistic.
Password spraying refers to a technique wherein a malicious actor attempts to authenticate to many different accounts using a single password or a list of commonly-used passwords. It's different from brute-force attacks in which a single account is targeted with many credential combinations.
"Activity observed in this campaign aligned with an Iranian pattern of life, particularly in late May and June, where activity occurred almost exclusively between 9:00 AM and 5:00 PM Iran Standard Time (IRST)," Microsoft further added.
Intrusions are characterized by the use of open-source red team tools such as AzureHound, a Golang binary to conduct reconnaissance, and ROADtools to access data in a target's cloud environment. Furthermore, the attacks have been observed using Azure Arc to establish persistence by connecting to an Azure subscription controlled by the threat actor.
Alternate attack chains mounted by Peach Sandstorm have entailed the exploitation of security flaws in Atlassian Confluence (CVE-2022-26134) or Zoho ManageEngine (CVE-2022-47966) to gain initial access.
Some other notable aspects of the post-compromise activity concern the deployment of AnyDesk remote monitoring and management tool to maintain access, EagleRelay to tunnel traffic back to their infrastructure, and leveraging Golden SAML attack techniques for lateral movement.
"Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organizations' environments," Microsoft said.
"As Peach Sandstorm increasingly develops and uses new capabilities, organizations must develop corresponding defenses to harden their attack surfaces and raise costs for these attacks."
