Iranian Nation-State Actors Execute Password Spray Attacks on Global Scale

September 15, 2023

Microsoft has uncovered a series of password spray attacks conducted by Iranian nation-state actors, identified as Peach Sandstorm, across thousands of organizations globally from February to July 2023. These attacks have primarily targeted the satellite, defense, and pharmaceutical sectors, likely to gather intelligence for Iranian state interests.

Where authentication succeeded, Peach Sandstorm used a mix of publicly available and custom tools for discovery, persistence, and lateral movement, and exfiltrated data in some cases. The group, also tracked as APT33, Elfin, and Refined Kitten, has previously been linked to spear-phishing attacks on the aerospace and energy sectors that involved the SHAPESHIFT wiper malware.

Microsoft's Threat Intelligence team noted that the initial phase of this campaign consisted of password spray campaigns against a multitude of organizations across various sectors and regions. Password spraying is a technique in which an attacker tries a single password, or a short list of commonly used passwords, against many accounts; it differs from brute-force attacks, which try many credential combinations against a single account. Because each account sees only one or two attempts, a spray stays below per-account lockout thresholds, and it shows up in sign-in telemetry mainly as fan-out: one source touching many distinct accounts with few failures each.

The activity observed in this campaign aligns with an Iranian pattern of life, particularly in late May and June, when activity took place almost exclusively between 9:00 AM and 5:00 PM Iran Standard Time (IRST), according to Microsoft. The intrusions are characterized by the use of open-source red team tools such as AzureHound, a Go-based collector for reconnaissance of Azure AD and Azure resources, and ROADtools for accessing data in a target's cloud environment. The threat actor has also been seen using Azure Arc to establish persistence by connecting compromised infrastructure to an Azure subscription under their control.
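The fan-out signature described above (many distinct accounts from one source, few attempts per account) is what a detector keys on, and the IRST working-hours pattern is a secondary signal worth surfacing alongside it. The following Python is an added example and is not Microsoft's tooling or code from the article. It runs over constructed sign-in records shaped like Azure AD sign-in log entries (the field names and the error code 50126, "invalid username or password", follow that schema; the accounts, addresses and timestamps are made up), flags spraying sources with a sliding-window rule, contrasts them with a single-account brute-force rule, and reports the IRST hour of each flagged source's activity. The thresholds are assumptions to tune per tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IRST = timezone(timedelta(hours=3, minutes=30))  # Iran Standard Time, UTC+3:30

# Constructed sample data (hypothetical accounts, RFC 5737 test addresses) in the
# shape of Azure AD sign-in log entries. errorCode 50126 is "invalid username or
# password"; 0 is a successful sign-in. 203.0.113.7 sprays one guess across six
# accounts and later signs in as one of them; 198.51.100.9 hammers a single
# account (brute force); 192.0.2.5 is a user who mistypes once, then succeeds.
SAMPLE_SIGNINS = """
{"createdDateTime":"2023-06-12T06:01:10Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2023-06-12T06:02:05Z","userPrincipalName":"bob@example.com","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2023-06-12T06:03:12Z","userPrincipalName":"carol@example.com","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2023-06-12T06:04:20Z","userPrincipalName":"dave@example.com","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2023-06-12T06:05:31Z","userPrincipalName":"erin@example.com","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2023-06-12T06:06:44Z","userPrincipalName":"frank@example.com","ipAddress":"203.0.113.7","status":{"errorCode":50126}}
{"createdDateTime":"2023-06-12T06:40:02Z","userPrincipalName":"frank@example.com","ipAddress":"203.0.113.7","status":{"errorCode":0}}
{"createdDateTime":"2023-06-12T07:00:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.9","status":{"errorCode":50126}}
{"createdDateTime":"2023-06-12T07:00:03Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.9","status":{"errorCode":50126}}
{"createdDateTime":"2023-06-12T07:00:06Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.9","status":{"errorCode":50126}}
{"createdDateTime":"2023-06-12T07:00:09Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.9","status":{"errorCode":50126}}
{"createdDateTime":"2023-06-12T07:00:12Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.9","status":{"errorCode":50126}}
{"createdDateTime":"2023-06-12T08:00:00Z","userPrincipalName":"carol@example.com","ipAddress":"192.0.2.5","status":{"errorCode":50126}}
{"createdDateTime":"2023-06-12T08:01:15Z","userPrincipalName":"carol@example.com","ipAddress":"192.0.2.5","status":{"errorCode":0}}
"""


def parse_events(text):
    """Parse JSON-lines sign-in records into time-ordered dicts."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00")),
            "user": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "code": rec["status"]["errorCode"],
        })
    return sorted(events, key=lambda e: e["time"])


def detect_password_spray(events, window=timedelta(hours=1),
                          min_distinct_users=5, max_attempts_per_user=2):
    """Flag sources whose failures fan out across many accounts with few tries each.

    A sliding window over each source's failed sign-ins tracks attempts per
    account; the spray signature is many distinct accounts and a low maximum
    per account, which keeps every account under its lockout threshold.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["code"] != 0]
        per_user, start, best = defaultdict(int), 0, None
        for end, e in enumerate(failures):
            per_user[e["user"]] += 1
            while e["time"] - failures[start]["time"] > window:  # drop events that aged out
                old = failures[start]["user"]
                per_user[old] -= 1
                if per_user[old] == 0:
                    del per_user[old]
                start += 1
            distinct = len(per_user)
            if distinct >= min_distinct_users and max(per_user.values()) <= max_attempts_per_user:
                if best is None or distinct > best["distinct_users"]:
                    best = {"ip": ip, "distinct_users": distinct,
                            "window_start": failures[start]["time"], "window_end": e["time"]}
        if best is None:
            continue
        sprayed = {e["user"] for e in failures}
        # A success for an account this source sprayed is the compromise to triage first.
        best["successes_after_spray"] = sorted({e["user"] for e in evs if e["code"] == 0
                                                and e["user"] in sprayed
                                                and e["time"] >= best["window_start"]})
        # Hour of day in IRST: a weak pattern-of-life signal, not attribution on its own.
        best["irst_hours"] = sorted({e["time"].astimezone(IRST).hour for e in failures})
        findings.append(best)
    return findings


def brute_force_sources(events, min_failures=5):
    """Contrast rule: one source, one account, many failures (not a spray)."""
    counts = defaultdict(int)
    for e in events:
        if e["code"] != 0:
            counts[(e["ip"], e["user"])] += 1
    return sorted({ip for (ip, _), n in counts.items() if n >= min_failures})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_SIGNINS)
    for f in detect_password_spray(evs):
        print(f"spray from {f['ip']}: {f['distinct_users']} accounts, "
              f"compromised={f['successes_after_spray']}, IRST hours={f['irst_hours']}")
    print("brute force:", brute_force_sources(evs))
```

On the sample, only 203.0.113.7 is reported as a spray (six accounts, one attempt each, followed by a successful sign-in as frank@example.com, all during hour 9 IRST), while 198.51.100.9 trips only the brute-force rule. In a real tenant the same logic runs as a query over the SigninLogs table, and the source key should be widened beyond a single IP, since sprays are routinely distributed across proxy pools.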

In other intrusions, Peach Sandstorm gained initial access by exploiting known vulnerabilities in Atlassian Confluence (CVE-2022-26134) or Zoho ManageEngine (CVE-2022-47966). Post-compromise activity included deploying the AnyDesk remote monitoring and management tool to maintain access, using EagleRelay to tunnel traffic back to the actor's infrastructure, and using Golden SAML techniques, in which an attacker holding the AD FS token-signing key forges SAML tokens for arbitrary users, for lateral movement. The group has also created new Azure subscriptions and used the access those subscriptions provide to conduct additional attacks in other organizations' environments.

As Peach Sandstorm continues to develop and deploy new capabilities, organizations are urged to build corresponding defenses that reduce their attack surface and raise the cost of these attacks. Against password spraying in particular, that means multifactor authentication on every account and disabling legacy authentication protocols that cannot enforce it, since those are the endpoints sprays typically target.
