Iran-Linked APT33/Peach Sandstorm Ongoing Password Spray Attacks Unveiled by Microsoft
Category: Threat Actor Activity | Industries: Defense, Pharmaceutical, Telecommunications | Source: Microsoft
Microsoft released a report detailing its monitoring of activity attributed to Peach Sandstorm (aka APT33, Elfin, and Refined Kitten), an Iranian nation-state threat actor that uses password spray attacks as its primary method of attack. These attacks have been ongoing since February 2023 and are specifically aimed at the satellite, defense, and pharmaceutical sectors worldwide. This target selection is narrowed from the group's previous victimology, which included entities in aviation, construction, education, energy, finance, government, and healthcare. Microsoft assesses the campaign's objective as being in “support of Iranian state interests,” aimed at collecting intelligence on organizations located in Israel, the United States, Brazil, and the United Arab Emirates.
Peach Sandstorm employs a combination of publicly available and custom tools for discovery, persistence, and lateral movement once it achieves a successful authentication. The attack chain consists of password spraying, running reconnaissance tools such as AzureHound and Roadtools (which can also dump data), and establishing persistence, including through an attacker-controlled Azure subscription or by abusing other Azure resources such as Azure Arc. Abusing Azure resources lets the actors establish communication with their own cloud infrastructure. Exploitation of public-facing applications is also within the threat actor's capabilities: they have been observed exploiting vulnerabilities in Zoho ManageEngine (CVE-2022-47966) and Confluence (CVE-2022-26134) for initial access. Across various intrusions, post-compromise activity has also involved AnyDesk for remote access, RDP for lateral movement, Golden SAML attacks enabled by private key theft, DLL search order hijacking, and traffic tunneling with EagleRelay.
The attacker's pattern of activity aligns with Iranian working hours. This alignment is particularly evident in the password-spraying attacks carried out from TOR exit IPs using the 'go-http-client' user agent. Microsoft's findings are in line with the "Iranian pattern of life, particularly in late May and June, where activity occurred almost exclusively between 9:00 AM and 5:00 PM Iran Standard Time (IRST)." Microsoft emphasizes concern over Peach Sandstorm's methodical approach, which includes obtaining access, persisting, and moving laterally within compromised environments.
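The three indicators this summary names (many distinct accounts failing from one source in a short window, the 'go-http-client' user agent, and timing inside IRST working hours) can be turned into a simple triage rule over sign-in logs. The script below is an added example written for this page, not Microsoft's detection logic or any product's query: the log line format, the thresholds, the IP addresses and the account names are all constructed for illustration, and the IRST offset is hard-coded as UTC+03:30.

```python
"""Password-spray triage over sign-in events.

Flags a source IP when it fails against many distinct accounts inside a
short window, then annotates the finding with the user agent indicator,
whether the activity fell inside IRST working hours, and any accounts
that subsequently authenticated successfully from the same source.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IRST = timezone(timedelta(hours=3, minutes=30))   # Iran Standard Time, UTC+03:30
SPRAY_USER_THRESHOLD = 5          # distinct accounts from one source before calling it a spray
SPRAY_WINDOW = timedelta(minutes=30)
SUSPICIOUS_AGENTS = ("go-http-client",)           # matched case-insensitively

# Constructed sample events: "<UTC timestamp> <source IP> <user> <result> <user agent>".
# 198.51.100.7 sprays five accounts, then lands one success; 203.0.113.9 is a
# single user mistyping a password at night, IRST time, and then succeeding.
SAMPLE_LOG = [
    "2023-06-05T06:01:10Z 198.51.100.7 alice@example.com FAILURE Go-http-client/1.1",
    "2023-06-05T06:02:15Z 198.51.100.7 bob@example.com FAILURE Go-http-client/1.1",
    "2023-06-05T06:03:20Z 198.51.100.7 carol@example.com FAILURE Go-http-client/1.1",
    "2023-06-05T06:04:25Z 198.51.100.7 dave@example.com FAILURE Go-http-client/1.1",
    "2023-06-05T06:05:30Z 198.51.100.7 erin@example.com FAILURE Go-http-client/1.1",
    "2023-06-05T06:06:35Z 198.51.100.7 frank@example.com SUCCESS Go-http-client/1.1",
    "2023-06-05T22:10:00Z 203.0.113.9 bob@example.com FAILURE Mozilla/5.0",
    "2023-06-05T22:11:00Z 203.0.113.9 bob@example.com SUCCESS Mozilla/5.0",
]


def parse_event(line):
    """Split one constructed log line into a dict with an aware UTC datetime."""
    ts, ip, user, result, agent = line.split(" ", 4)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ip,
        "user": user,
        "result": result,
        "agent": agent,
    }


def in_irst_working_hours(dt):
    """True when the instant falls between 09:00 and 17:00 Iran Standard Time."""
    local = dt.astimezone(IRST)
    return 9 <= local.hour < 17


def detect_spray(lines):
    """Return one finding per source IP that matches the spray pattern."""
    by_ip = defaultdict(list)
    for ev in map(parse_event, lines):
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["time"])
        failures = [e for e in events if e["result"] == "FAILURE"]

        # Sliding window over failures: count distinct accounts attempted
        # within SPRAY_WINDOW of each other. Sprays touch many accounts with
        # few attempts each, which is what distinguishes them from a single
        # user retrying a forgotten password.
        start = 0
        for end in range(len(failures)):
            while failures[end]["time"] - failures[start]["time"] > SPRAY_WINDOW:
                start += 1
            window = failures[start:end + 1]
            users = {e["user"] for e in window}
            if len(users) < SPRAY_USER_THRESHOLD:
                continue

            first = window[0]["time"]
            # Any success from the spraying source after the spray began is the
            # "successful authentication" the report says precedes discovery
            # and persistence, so it is the part worth escalating first.
            successes = {e["user"] for e in events
                         if e["result"] == "SUCCESS" and e["time"] >= first}
            agent = window[-1]["agent"].lower()
            findings.append({
                "ip": ip,
                "distinct_users": len(users),
                "suspicious_agent": any(a in agent for a in SUSPICIOUS_AGENTS),
                "irst_working_hours": in_irst_working_hours(first),
                "successful_logins_after_spray": sorted(successes),
            })
            break  # one finding per source IP is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOG):
        print(finding)
```

The user-agent and working-hours fields are deliberately annotations rather than conditions: a spray without the 'go-http-client' agent or outside IRST hours is still a spray, and the extra fields only raise the priority of a finding that already meets the volume threshold. In a real environment the same structure applies to Entra ID sign-in logs, with the threshold tuned to the tenant's normal failure rate.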