Iranian Nation-State Actors Execute Password Spray Attacks on Global Scale
September 15, 2023
Microsoft has uncovered a series of password spray attacks conducted by Iranian nation-state actors, identified as Peach Sandstorm, across thousands of organizations globally from February to July 2023. These attacks have primarily targeted the satellite, defense, and pharmaceutical sectors, likely to gather intelligence for Iranian state interests.
In the event of successful account authentication, Peach Sandstorm has been seen using a mix of publicly accessible and unique tools for discovery, persistence, and lateral movement, with data exfiltration observed in some instances. The threat group, also referred to as APT33, Elfin, and Refined Kitten, has previously been associated with spear-phishing attacks against the aerospace and energy sectors, involving the use of the SHAPESHIFT wiper malware.
Microsoft's Threat Intelligence team noted that the initial phase of this campaign involved Peach Sandstorm conducting password spray campaigns against a multitude of organizations across various sectors and regions. Password spraying is a technique where a malicious actor attempts to authenticate to a large number of accounts using a single password or a short list of commonly used passwords, keeping the number of attempts per account low enough to stay under lockout thresholds. This differs from a brute-force attack, which targets a single account with many credential combinations and is far more likely to trigger a lockout or an alert on that account.
The activity observed in this campaign aligns with an Iranian pattern of life, particularly during late May and June, when activity took place almost exclusively between 9:00 AM and 5:00 PM Iran Standard Time (IRST), according to Microsoft. The intrusions are characterized by the use of open-source red team tools such as AzureHound, a Golang binary that collects Microsoft Entra ID and Azure tenant data for BloodHound-style reconnaissance, and ROADtools, a toolkit for enumerating and accessing data in a target's cloud environment. The threat actor has also been seen abusing Azure Arc for persistence: the Azure Arc agent is installed on a compromised device and the device is connected to an Azure subscription controlled by the attacker, which gives the actor remote control of that device through Azure's management plane.
Peach Sandstorm has also exploited known security flaws in Atlassian Confluence (CVE-2022-26134) and Zoho ManageEngine (CVE-2022-47966) to gain initial access where password spraying did not succeed. Post-compromise activity includes deploying the AnyDesk remote monitoring and management tool to maintain access, using EagleRelay to tunnel traffic back to attacker infrastructure, and leveraging Golden SAML techniques, in which the actor forges SAML tokens with a stolen AD FS token-signing key to move laterally into federated resources without valid credentials. Peach Sandstorm has also created new Azure subscriptions and used the access these subscriptions provide to conduct additional attacks in other organizations' environments.
As Peach Sandstorm continues to develop and utilize new capabilities, organizations are urged to develop corresponding defenses to strengthen their attack surfaces and increase the costs of these attacks.