Peach Sandstorm, an Iranian Hackers group that targets organizations globally, aligns with the following threat groups:-
- APT33
- Elfin
- Refined Kitten
Besides this, in the following sectors, the Iranian group, Peach Sandstorm pursued its targets most in the past attacks:-
- Aviation
- Construction
- Defense
- Education
- Energy
- Financial services
- Healthcare
- Government
- Satellite
- Telecommunications
The cybersecurity researchers at Microsoft noted widespread password spray activity on thousands of organizations by Peach Sandstorm (aka HOLMIUM) since February 2023, suggesting intelligence gathering for Iranian state interests.
Deploy Advanced AI-Powered Email Security Solution
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
Technical Analysis
Peach Sandstorm used various tools for discovery, persistence, and lateral movement after successful authentication, even though it occasionally exfiltrates data.
In 2023, Peach Sandstorm employed varying tactics early on and evolved TTPs in later stages, including lateral movement and data exfiltration.
From February to July 2023, Peach Sandstorm launched a widespread password spray campaign, maximizing success by trying common passwords across numerous accounts.
Prolonged password spray campaigns reveal adversary behavior, with Peach Sandstorm’s recent unique traits, including TOR IPs and “go-http-client” user agent, aligning with an Iranian pattern, mainly between 9 AM to 5 PM IRST in late May and June.
After successful authentication, Peach Sandstorm utilized AzureHound for Microsoft Entra ID reconnaissance and Roadtools for data access and dumping in the cloud.
The dual-purpose features of AzureHound and Roadtools appeal to both defenders and adversaries, enabling data exploration and seamless dumping in a single database.
Besides this, for communication purposes, the Peach Sandstorm used various persistence methods, including creating Azure subscriptions and exploiting compromised resources.
Moreover, Peach Sandstorm also misused Azure Arc, installing it on compromised devices to control on-premises environments remotely.
In the case of Path 2, to access targets’ environments in Zoho ManageEngine and Confluence, the Peach Sandstorm tried leveraging the following public POC vulnerabilities:-
Peach Sandstorm’s interest in the satellite, defense, and certain pharmaceutical industries is still present in 2023. It starts with password spraying across numerous businesses, maybe including opportunistic targets.
Mitigations
Here below, we have mentioned all the mitigations provided by the security analysts at Microsoft:-
- Make sure to change the passwords for targeted accounts after password spray attacks.
- Ensure to revoke the session cookies.
- Follow Azure Security Benchmark and identity security best practices.
- Enhance account security through credential hygiene.
- Enable continuous MFA for all accounts, prioritizing privileged ones, to counter password spray attacks.
- Switch to passwordless authentication methods like Azure MFA, certificates, or Windows Hello for Business.
- Make sure to harden the security of RDP and Windows Virtual Desktop with MFA to prevent password attacks.
IOCs
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.
