Sunday, June 15, 2025
Iranian Hackers Attack Thousands of Organizations Using Password Spraying


Peach Sandstorm, an Iranian hacking group that targets organizations globally, overlaps with activity tracked under the following threat group names:-

  • APT33
  • Elfin
  • Refined Kitten

In its past attacks, Peach Sandstorm has most often pursued targets in the following sectors:-

  • Aviation
  • Construction
  • Defense
  • Education
  • Energy
  • Financial services
  • Healthcare
  • Government
  • Satellite
  • Telecommunications

Cybersecurity researchers at Microsoft observed widespread password spray activity against thousands of organizations by Peach Sandstorm (aka HOLMIUM) since February 2023, which suggests intelligence gathering in support of Iranian state interests.


Technical Analysis

After successful authentication, Peach Sandstorm used various tools for discovery, persistence, and lateral movement, and in some cases exfiltrated data.

In its 2023 campaigns, Peach Sandstorm used varying tactics during initial access and evolved its TTPs in later stages, including lateral movement and data exfiltration.

Intrusion chain (Source – Microsoft)

From February to July 2023, Peach Sandstorm ran a widespread password spray campaign, trying a small set of common passwords against a large number of accounts to maximize the chance of success while avoiding lockouts.

Prolonged password spray campaigns expose adversary behavior. Peach Sandstorm's recent activity showed distinctive traits, including sign-ins from TOR IP addresses and the "go-http-client" user agent, and its timing, mainly between 9 AM and 5 PM IRST in late May and June, aligned with an Iranian working pattern.
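As an added illustration (not part of the article or of Microsoft's report), the following Python sketch applies the three signals just described to constructed sign-in records: many distinct accounts tried from one source IP within a short window, the go-http-client user agent, and timing inside 9 AM to 5 PM IRST. The record field names, IP addresses and account names are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in records (not real log data); the fields are a
# simplified subset of what an Entra ID sign-in log export contains.
# status 0 = success, 50126 = invalid username or password.
SAMPLE_SIGNINS = json.loads("""[
 {"time":"2023-06-05T06:10:00Z","user":"alice@example.test","ip":"203.0.113.10","ua":"Go-http-client/1.1","status":50126},
 {"time":"2023-06-05T06:12:00Z","user":"bob@example.test","ip":"203.0.113.10","ua":"Go-http-client/1.1","status":50126},
 {"time":"2023-06-05T06:15:00Z","user":"carol@example.test","ip":"203.0.113.10","ua":"Go-http-client/1.1","status":50126},
 {"time":"2023-06-05T06:20:00Z","user":"dave@example.test","ip":"203.0.113.10","ua":"Go-http-client/1.1","status":0},
 {"time":"2023-06-05T13:00:00Z","user":"erin@example.test","ip":"198.51.100.7","ua":"Mozilla/5.0","status":50126},
 {"time":"2023-06-05T13:01:00Z","user":"erin@example.test","ip":"198.51.100.7","ua":"Mozilla/5.0","status":0}
]""")

IRST = timezone(timedelta(hours=3, minutes=30))  # Iran Standard Time, UTC+03:30
SUSPECT_UA = "go-http-client"                     # user agent called out in the report

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def in_irst_business_hours(ts):
    """True if the UTC timestamp falls between 09:00 and 17:00 IRST."""
    return 9 <= ts.astimezone(IRST).hour < 17

def find_spray_sources(events, min_users=3, window=timedelta(hours=1)):
    """Flag source IPs that try >= min_users distinct accounts within `window`.
    A spray is many accounts / few passwords per source, so the distinct-user
    count per IP is the key signal; successes from that IP are the spray's payoff."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append((parse_time(e["time"]), e["user"], e["ua"], e["status"]))
    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a[0])
        best = 0  # largest number of distinct users seen in any sliding window
        for i, (t0, _, _, _) in enumerate(attempts):
            users = {u for t, u, _, _ in attempts[i:] if t - t0 <= window}
            best = max(best, len(users))
        if best >= min_users:
            findings[ip] = {
                "distinct_users": best,
                "suspect_ua": any(SUSPECT_UA in ua.lower() for _, _, ua, _ in attempts),
                "irst_business_hours": all(in_irst_business_hours(t) for t, _, _, _ in attempts),
                "successful_accounts": sorted(u for _, u, _, s in attempts if s == 0),
            }
    return findings

if __name__ == "__main__":
    print(json.dumps(find_spray_sources(SAMPLE_SIGNINS), indent=2))
```

The accounts listed under successful_accounts are the ones whose passwords and sessions the mitigation section says to reset and revoke first.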

After successful authentication, Peach Sandstorm utilized AzureHound for Microsoft Entra ID reconnaissance and Roadtools for data access and dumping in the cloud.

AzureHound and Roadtools are dual-use tools that appeal to both defenders and adversaries, since they let an operator explore a tenant's directory data and dump it into a single database.

Peach Sandstorm also used various methods to persist and communicate, including creating new Azure subscriptions and abusing compromised resources.

Peach Sandstorm also misused Azure Arc, installing it on compromised devices to control on-premises environments remotely.

In the case of Path 2, to gain access to targets' environments through Zoho ManageEngine and Confluence, Peach Sandstorm attempted to exploit the following vulnerabilities, for which public proof-of-concept code exists:-

Peach Sandstorm's interest in the satellite, defense, and certain pharmaceutical sectors continued in 2023. Its campaigns start with password spraying across numerous organizations, which may include opportunistic targets.

Mitigations

Below are the mitigations recommended by the security analysts at Microsoft:-

  • Reset the passwords of accounts targeted in password spray attacks.
  • Revoke the session cookies of those accounts.
  • Follow the Azure Security Benchmark and identity security best practices.
  • Enhance account security through credential hygiene.
  • Enable continuous MFA for all accounts, prioritizing privileged ones, to counter password spray attacks.
  • Switch to passwordless authentication methods such as Azure MFA, certificates, or Windows Hello for Business.
  • Harden RDP and Windows Virtual Desktop with MFA to prevent password attacks.

IOCs

IOCs (Source – Microsoft)


Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
