A global cyber-espionage campaign conducted by the Iranian nation-state actor known as Peach Sandstorm (aka Holmium) has successfully plucked targets in the satellite, defense, and pharmaceutical sectors, Microsoft is warning.
The cyber offensive has been active since February, according to a blog post from Microsoft Threat Intelligence, which concluded that the campaign used masses of password spray attacks between February and July to authenticate to thousands of environments and exfiltrate data, all in support of Iranian state interests.
The password spray method of attack is a type of brute-force method used by hackers to gain unauthorized access to user accounts and systems. Password spraying involves attempting to access multiple accounts using common passwords, reducing the risk of account lockouts.
A Stealthy Cyber-Espionage Campaign From Iran
Once a target was compromised, the advanced persistent threat (APT) employed a combination of publicly available and custom tools for activities including reconnaissance, persistence, and lateral movement.
"Many of the cloud-based tactics, techniques, and procedures (TTPs) seen in these most recent campaigns are materially more sophisticated than capabilities used by Peach Sandstorm in the past," the report explained.
The attackers, conducting the attacks from Tor IPs and utilizing a "go-http-client" user agent, conducted reconnaissance using tools such as AzureHound and Roadtools, exploiting Azure resources for persistence.
"In later stages of known compromises, the threat actor used different combinations from a set of known TTPs to drop additional tools, move laterally, and ultimately exfiltrate data from a target," the report continued.
An additional attack method took the form of remote exploitation of vulnerable applications, whereby Peach Sandstorm attempted to exploit known remote code execution (RCE) vulnerabilities in Zoho ManageEngine (CVE-2022-47966) and Atlas Confluence (CVE-2022-26134) to gain initial access. Both bugs are popular with APTs of all stripes.
In post-compromise activity, Peach Sandstorm used a variety of tactics, such as deploying AnyDesk for remote monitoring and management, conducting Golden SAML attacks to bypass authentication, hijacking DLL search orders, and using custom tools such as EagleRelay for tunneling traffic.
The report added that the campaign is particularly concerning because Peach Sandstorm leveraged legitimate credentials validated through the password spray attacks to stealthily create new Azure subscriptions within target environments and used Azure Arc to maintain control over compromised networks.
Resetting Passwords, Revoking Sessions Cookies in Defense
"As Peach Sandstorm increasingly develops and uses new capabilities, organizations must develop corresponding defenses to harden their attack surfaces and raise costs for these attacks," the report noted.
To defend against Peach Sandstorm's activities, Microsoft advised organizations to reset passwords, revoke session cookies, and strengthen multifactor authentication (MFA).
The company also recommended maintaining strong credential hygiene and monitor for identity-based risks.
Transitioning to passwordless authentication methods and securing endpoints with MFA can also mitigate risks, while safeguarding Active Directory FS servers is crucial to protect against Golden SAML attacks.
Roger Grimes, data-driven defense evangelist at KnowBe4, explains password spray attacks don't work when users use unique, strong, passwords for every site and service, or multifactor authentication.
But "most sites and services don't accept MFA, at least not yet," he adds. "That's why every user should use a good password manager."
Iranian Actors Are a Persistent Threat
Iranian threat actors are combining offensive network ops with messaging and amplification to manipulate targets' perceptions and behavior, according to the US Department of the Treasury's Office of Foreign Assets Control (OFAC), which has moved to sanction the Iranian government for its cybercrime activities.
Last week, US Cyber Command revealed that Iranian state-sponsored threat actors had exploited a US aeronautical organization, again using the ManageEngine flaw.
In June, it was discovered that the APT35 group (aka Charming Kitten) has added backdoor capabilities to their spear-phishing payloads — and targeted an Israeli reporter with it.
A recent attack by a threat group calling itself Holy Souls in which the group accessed a database belonging to satirical French magazine Charlie Hebdo and threatened to dox more than 200,000 subscribers, was the work of Iranian state-actor Neptunium, Microsoft announced in February.