Microsoft exposes hacking campaign by Iran state-sponsored hackers targeting multiple sectors
New findings from Microsoft have revealed that Iranian state-backed actors have been actively engaged in password spray attacks targeting numerous organizations worldwide from February to July 2023.
The activity, tracked by Microsoft under the moniker Peach Sandstorm (formerly Holmium), primarily targeted entities in the satellite, defense, and pharmaceutical sectors. The motive behind these attacks appears to be the gathering of intelligence in support of Iranian state interests.
Where authentication to an account succeeded, the threat actors then employed a combination of publicly available and custom tools for reconnaissance, to establish persistence, and to move laterally within the compromised networks. In some instances, data exfiltration occurred.
Peach Sandstorm has a history of spear-phishing attacks, particularly against the aerospace and energy sectors. Some of these attacks have involved the deployment of the SHAPESHIFT wiper malware. The group has been active since at least 2013.
The initial phase of this campaign by Peach Sandstorm involved password spray campaigns directed at thousands of organizations across various sectors and geographic regions. Microsoft notes that this activity was somewhat opportunistic. Password spraying differs from brute-force attacks in that it tries a single password, or a short list of commonly used passwords, against many accounts rather than many passwords against one account, which keeps per-account failure counts low enough to avoid lockout thresholds.
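The detection logic below is an added example, not from Microsoft's report: it scans constructed sign-in log lines and flags a source IP whose failures within a window hit many distinct accounts with only a few attempts each (the spray shape), while a source hammering one account (brute force) is left to a separate rule. Thresholds, the log format and the user/IP values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines: timestamp, user, source IP, result.
# These are illustrative input, not data from the report.
SAMPLE_LOG = """\
2023-03-01T08:00:01Z alice@corp.example 203.0.113.7 FAILURE
2023-03-01T08:00:04Z bob@corp.example 203.0.113.7 FAILURE
2023-03-01T08:00:09Z carol@corp.example 203.0.113.7 FAILURE
2023-03-01T08:00:15Z dave@corp.example 203.0.113.7 FAILURE
2023-03-01T08:00:21Z erin@corp.example 203.0.113.7 SUCCESS
2023-03-01T08:01:00Z frank@corp.example 198.51.100.9 FAILURE
2023-03-01T08:01:05Z frank@corp.example 198.51.100.9 FAILURE
2023-03-01T08:01:11Z frank@corp.example 198.51.100.9 FAILURE
2023-03-01T08:01:18Z frank@corp.example 198.51.100.9 FAILURE
2023-03-01T08:01:25Z frank@corp.example 198.51.100.9 FAILURE
2023-03-01T09:30:00Z grace@corp.example 192.0.2.44 FAILURE
"""

def parse(line):
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, result

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=4, max_per_account=2):
    """Return {ip: (distinct_failed_accounts, [users with a SUCCESS in the window])}
    for sources whose failures in a sliding window touch many accounts with few
    attempts each. Brute force (many failures on one account) does not match."""
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, ip, result = parse(line)
        by_ip[ip].append((ts, user, result))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - start <= window]
            fails = defaultdict(int)
            for _, user, result in win:
                if result == "FAILURE":
                    fails[user] += 1
            # Spray shape: many distinct accounts, each tried only a handful of times.
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                # Any success from the same source in that window is the account to triage first.
                successes = sorted({u for _, u, r in win if r == "SUCCESS"})
                hits[ip] = (len(fails), successes)
                break
    return hits
```

Running `detect_spray(SAMPLE_LOG)` flags only 203.0.113.7 and points at the erin account that authenticated from the spraying source.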
The Peach Sandstorm intrusions often utilized open-source red team tools, including AzureHound for reconnaissance and ROADtools for accessing data within a target's cloud environment. Additionally, the attackers leveraged Azure Arc to establish persistence by connecting to an Azure subscription controlled by the threat actor.
Peach Sandstorm has also been known to exploit security vulnerabilities, such as Atlassian Confluence (CVE-2022-26134) and Zoho ManageEngine (CVE-2022-47966), as initial entry points.
In the post-compromise phases, the attackers used AnyDesk, a remote monitoring and management tool, to maintain access, employed EagleRelay to tunnel traffic to their infrastructure, and made use of Golden SAML attack techniques for lateral movement.
Microsoft's report highlights that Peach Sandstorm has gone as far as creating new Azure subscriptions to expand its attacks into other organizations' environments. As the group continues to evolve and develop new capabilities, organizations are urged to bolster their defenses, harden their attack surfaces, and raise the cost of these attacks.