Friday, April 19, 2024

Iranian Hackers Attack Thousands of Organizations Using Password Spraying

Peach Sandstorm, an Iranian Hackers group that targets organizations globally, aligns with the following threat groups:-

  • APT33
  • Elfin
  • Refined Kitten

Besides this, in the following sectors, the Iranian group, Peach Sandstorm pursued its targets most in the past attacks:-

  • Aviation
  • Construction
  • Defense
  • Education
  • Energy
  • Financial services
  • Healthcare
  • Government
  • Satellite
  • Telecommunications

The cybersecurity researchers at Microsoft noted widespread password spray activity on thousands of organizations by Peach Sandstorm (aka HOLMIUM) since February 2023, suggesting intelligence gathering for Iranian state interests.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Technical Analysis

Peach Sandstorm used various tools for discovery, persistence, and lateral movement after successful authentication, even though it occasionally exfiltrates data.

In 2023, Peach Sandstorm employed varying tactics early on and evolved TTPs in later stages, including lateral movement and data exfiltration.

Intrusion chain (Source – Microsoft)

From February to July 2023, Peach Sandstorm launched a widespread password spray campaign, maximizing success by trying common passwords across numerous accounts.

Prolonged password spray campaigns reveal adversary behavior, with Peach Sandstorm’s recent unique traits, including TOR IPs and “go-http-client” user agent, aligning with an Iranian pattern, mainly between 9 AM to 5 PM IRST in late May and June.

After successful authentication, Peach Sandstorm utilized AzureHound for Microsoft Entra ID reconnaissance and Roadtools for data access and dumping in the cloud.

The dual-purpose features of AzureHound and Roadtools appeal to both defenders and adversaries, enabling data exploration and seamless dumping in a single database.

Besides this, for communication purposes, the Peach Sandstorm used various persistence methods, including creating Azure subscriptions and exploiting compromised resources.

Moreover, Peach Sandstorm also misused Azure Arc, installing it on compromised devices to control on-premises environments remotely.

In the case of Path 2, to access targets’ environments in Zoho ManageEngine and Confluence, the Peach Sandstorm tried leveraging the following public POC vulnerabilities:-

Peach Sandstorm’s interest in the satellite, defense, and certain pharmaceutical industries is still present in 2023. It starts with password spraying across numerous businesses, maybe including opportunistic targets.


Here below, we have mentioned all the mitigations provided by the security analysts at Microsoft:-

  • Make sure to change the passwords for targeted accounts after password spray attacks.
  • Ensure to revoke the session cookies.
  • Follow Azure Security Benchmark and identity security best practices.
  • Enhance account security through credential hygiene.
  • Enable continuous MFA for all accounts, prioritizing privileged ones, to counter password spray attacks.
  • Switch to passwordless authentication methods like Azure MFA, certificates, or Windows Hello for Business.
  • Make sure to harden the security of RDP and Windows Virtual Desktop with MFA to prevent password attacks.


IOCs (Source – Microsoft)

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


Latest articles

Alert! Windows LPE Zero-day Exploit Advertised on Hacker Forums

A new zero-day Local Privilege Escalation (LPE) exploit has been put up for sale...

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles