Peach Sandstorm, an Iranian hacking group that targets organizations globally, overlaps with the following threat groups:-
In its past attacks, Peach Sandstorm most often pursued targets in the following sectors:-
Cybersecurity researchers at Microsoft observed widespread password spray activity against thousands of organizations by Peach Sandstorm (aka HOLMIUM) since February 2023, suggesting intelligence gathering in support of Iranian state interests.
After successful authentication, Peach Sandstorm used a variety of tools for discovery, persistence, and lateral movement, and in some cases exfiltrated data.
In 2023, Peach Sandstorm employed varying tactics in the early stages of its intrusions and evolved its TTPs in later stages, which included lateral movement and data exfiltration.
From February to July 2023, Peach Sandstorm ran a widespread password spray campaign, maximizing its chances of success by trying a few common passwords against a large number of accounts rather than many passwords against one account.
Prolonged password spray campaigns expose adversary behavior. Peach Sandstorm's recent activity showed distinctive traits, including the use of TOR IP addresses and the "go-http-client" user agent, and its timing followed an Iranian working pattern, falling mainly between 9 AM and 5 PM IRST in late May and June.
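The traits above (many distinct accounts failing from one source in a short window, a scripted user agent, TOR exit addresses, and activity clustered in IRST business hours) can be turned into a simple detection over identity sign-in logs. The script below is an added example written for this article, not code from Microsoft or from the original post; the sign-in records, the TOR exit list, and the field layout are constructed placeholders, and the thresholds are assumptions to tune against your own tenant's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# IRST is UTC+03:30; used to check whether activity clusters in the 9 AM-5 PM
# working-hours pattern described in the report.
IRST = timezone(timedelta(hours=3, minutes=30))

# Constructed stand-in for a TOR exit-node feed (placeholder, not real data).
TOR_EXIT_IPS = {"203.0.113.7"}

# Constructed sample sign-in records (placeholder data, not real logs):
# (timestamp UTC, user principal name, source IP, user agent, success?)
SAMPLE_SIGNINS = [
    ("2023-06-05T06:01:10Z", "alice@example.test", "203.0.113.7", "go-http-client/1.1", False),
    ("2023-06-05T06:04:22Z", "bob@example.test",   "203.0.113.7", "go-http-client/1.1", False),
    ("2023-06-05T06:08:05Z", "carol@example.test", "203.0.113.7", "go-http-client/1.1", False),
    ("2023-06-05T06:12:47Z", "dave@example.test",  "203.0.113.7", "go-http-client/1.1", False),
    ("2023-06-05T06:16:30Z", "erin@example.test",  "203.0.113.7", "go-http-client/1.1", False),
    ("2023-06-05T06:20:11Z", "frank@example.test", "203.0.113.7", "go-http-client/1.1", False),
    ("2023-06-05T06:25:03Z", "frank@example.test", "203.0.113.7", "go-http-client/1.1", True),
    ("2023-06-05T14:30:00Z", "alice@example.test", "203.0.113.7", "go-http-client/1.1", False),
    # A normal user mistyping a password a few times is not a spray.
    ("2023-06-05T12:00:00Z", "bob@example.test", "198.51.100.20", "Mozilla/5.0", False),
    ("2023-06-05T12:00:30Z", "bob@example.test", "198.51.100.20", "Mozilla/5.0", False),
    ("2023-06-05T12:01:00Z", "bob@example.test", "198.51.100.20", "Mozilla/5.0", True),
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_password_spray(records, window=timedelta(hours=1), min_users=5):
    """Flag source IPs whose failed sign-ins hit at least `min_users` distinct
    accounts inside any `window`-long period (the spray signature), and
    enrich each finding with the indicators from the report."""
    by_ip = defaultdict(list)
    for ts, user, ip, ua, ok in records:
        by_ip[ip].append((parse_ts(ts), user, ua, ok))

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        failures = [e for e in events if not e[3]]

        # Sliding window: largest set of distinct accounts failing within `window`.
        best = 0
        for i, (t0, _, _, _) in enumerate(failures):
            users = {u for t, u, _, _ in failures[i:] if t - t0 <= window}
            best = max(best, len(users))
        if best < min_users:
            continue

        failed_users = {u for _, u, _, _ in failures}
        # Accounts that later succeeded from the spraying IP deserve immediate
        # review (credential reset, session revocation, MFA check).
        succeeded = sorted({u for _, u, _, ok in events if ok and u in failed_users})

        in_hours = sum(1 for t, *_ in events if 9 <= t.astimezone(IRST).hour < 17)
        findings[ip] = {
            "distinct_failed_users": best,
            "go_http_client": any(ua.lower().startswith("go-http-client") for _, _, ua, _ in events),
            "tor_exit": ip in TOR_EXIT_IPS,
            "irst_business_hours_ratio": round(in_hours / len(events), 2),
            "successful_after_failures": succeeded,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_SIGNINS).items():
        print(ip, finding)
```

The spraying address is reported with six distinct accounts failing inside an hour, the scripted user agent, a TOR match, most activity inside IRST working hours, and one account that authenticated successfully after the failures; the benign address, where one user fails three times, is not reported. On real data, feed the function sign-in events exported from your identity provider and tune `window` and `min_users` to the failure rate your tenant normally sees.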
After successful authentication, Peach Sandstorm utilized AzureHound for Microsoft Entra ID reconnaissance and Roadtools for data access and dumping in the cloud.
AzureHound and Roadtools are dual-use tools that appeal to defenders and adversaries alike, since they let a user enumerate tenant data and dump it into a single database for exploration.
Peach Sandstorm also used a variety of persistence methods, including creating new Azure subscriptions and abusing compromised resources for command-and-control communication.
Peach Sandstorm also misused Azure Arc, installing it on compromised devices to remotely control on-premises environments.
In the case of Path 2, Peach Sandstorm tried to gain access to targets' environments by exploiting the following vulnerabilities in Zoho ManageEngine and Confluence, for which public proof-of-concept code exists:-
Peach Sandstorm's interest in the satellite, defense, and certain pharmaceutical industries persisted in 2023. Its activity starts with password spraying across numerous businesses, possibly including opportunistic targets.
The mitigations recommended by the security analysts at Microsoft are listed below:-