Iranian Hackers Attack Thousands of Organizations Using Password Spraying

Peach Sandstorm, an Iranian Hackers group that targets organizations globally, aligns with the following threat groups:-

  • APT33
  • Elfin
  • Refined Kitten

Besides this, in the following sectors, the Iranian group, Peach Sandstorm pursued its targets most in the past attacks:-

  • Aviation
  • Construction
  • Defense
  • Education
  • Energy
  • Financial services
  • Healthcare
  • Government
  • Satellite
  • Telecommunications

The cybersecurity researchers at Microsoft noted widespread password spray activity on thousands of organizations by Peach Sandstorm (aka HOLMIUM) since February 2023, suggesting intelligence gathering for Iranian state interests.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

Technical Analysis

Peach Sandstorm used various tools for discovery, persistence, and lateral movement after successful authentication, even though it occasionally exfiltrates data.

In 2023, Peach Sandstorm employed varying tactics early on and evolved TTPs in later stages, including lateral movement and data exfiltration.

Intrusion chain (Source – Microsoft)

From February to July 2023, Peach Sandstorm launched a widespread password spray campaign, maximizing success by trying common passwords across numerous accounts.

Prolonged password spray campaigns reveal adversary behavior, with Peach Sandstorm’s recent unique traits, including TOR IPs and “go-http-client” user agent, aligning with an Iranian pattern, mainly between 9 AM to 5 PM IRST in late May and June.

After successful authentication, Peach Sandstorm utilized AzureHound for Microsoft Entra ID reconnaissance and Roadtools for data access and dumping in the cloud.

The dual-purpose features of AzureHound and Roadtools appeal to both defenders and adversaries, enabling data exploration and seamless dumping in a single database.

Besides this, for communication purposes, the Peach Sandstorm used various persistence methods, including creating Azure subscriptions and exploiting compromised resources.

Moreover, Peach Sandstorm also misused Azure Arc, installing it on compromised devices to control on-premises environments remotely.

In the case of Path 2, to access targets’ environments in Zoho ManageEngine and Confluence, the Peach Sandstorm tried leveraging the following public POC vulnerabilities:-

Peach Sandstorm’s interest in the satellite, defense, and certain pharmaceutical industries is still present in 2023. It starts with password spraying across numerous businesses, maybe including opportunistic targets.

Mitigations

Here below, we have mentioned all the mitigations provided by the security analysts at Microsoft:-

  • Make sure to change the passwords for targeted accounts after password spray attacks.
  • Ensure to revoke the session cookies.
  • Follow Azure Security Benchmark and identity security best practices.
  • Enhance account security through credential hygiene.
  • Enable continuous MFA for all accounts, prioritizing privileged ones, to counter password spray attacks.
  • Switch to passwordless authentication methods like Azure MFA, certificates, or Windows Hello for Business.
  • Make sure to harden the security of RDP and Windows Virtual Desktop with MFA to prevent password attacks.

IOCs

IOCs (Source – Microsoft)

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

1 day ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

1 day ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

1 day ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

1 day ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

3 days ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

3 days ago