Unbelievable! Microsoft Uncovers Sinister Global Hacking Strategy: Is Your Password Secure?

Microsoft’s latest research reveals widespread assaults by Iranian nation-state actors on thousands of global organisations from February to July 2023.

Image: Peach Sandstorm cyberespionage | CyberWire

According to the tech giant, which is tracking the activity under the name Peach Sandstorm (previously Holmium), the adversary targeted organisations in the satellite, defence, and pharmaceutical sectors, possibly to facilitate intelligence collection in support of Iranian state interests.

When an account is successfully authenticated, the threat actor has been observed employing a combination of publicly available and proprietary tools for discovery, persistence, and lateral movement, followed in rare cases by data exfiltration.

What is Peach Sandstorm?

Peach Sandstorm, also known as APT33, Elfin, and Refined Kitten, has previously been tied to spear-phishing attacks against the aerospace and energy sectors, some of which involved the SHAPESHIFT wiper malware. It is believed to have been operational since at least 2013.

“In the initial phase of this campaign, Peach Sandstorm conducted password spray campaigns against thousands of organisations across several sectors and geographies,” according to the Microsoft Threat Intelligence team, stressing that some of the activity is opportunistic.

What is password spraying and how does it work?

Password spraying is a technique in which a malicious actor attempts to authenticate to many accounts using a single password or a short list of frequently used passwords. It differs from brute-force attacks, which target a single account with many credential combinations.

Image: How a Password Spraying Attack Works | Netwrix
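To make that contrast concrete from the defender's side, here is an added detection example (not code from Microsoft or from the article): it scans constructed sign-in records, flags a source whose failures touch many accounts with few tries each (the spray shape), ignores the brute-force shape of many tries against one account, and reports any success from the same source right after the spray. The record format, thresholds, accounts and addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not from the article): time, result, account, source IP.
SAMPLE_LOG = """\
2023-06-05T09:02:11Z FAIL alice@example.test 203.0.113.7
2023-06-05T09:02:14Z FAIL bob@example.test 203.0.113.7
2023-06-05T09:02:17Z FAIL carol@example.test 203.0.113.7
2023-06-05T09:02:20Z FAIL dave@example.test 203.0.113.7
2023-06-05T09:02:23Z OK frank@example.test 203.0.113.7
2023-06-05T09:10:00Z FAIL alice@example.test 198.51.100.9
2023-06-05T09:10:05Z FAIL alice@example.test 198.51.100.9
2023-06-05T09:10:10Z FAIL alice@example.test 198.51.100.9
2023-06-05T09:10:15Z FAIL alice@example.test 198.51.100.9
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK) (\S+) (\S+)$")

def parse(log_text):
    """Yield (timestamp, succeeded, account, source_ip); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2) == "OK", m.group(3), m.group(4)

def detect_spray(log_text, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Flag sources whose failures touch >= min_users distinct accounts, each tried
    <= max_per_user times, inside `window`. That is the spray shape; one account
    hammered many times is brute force and is deliberately not flagged here.
    Returns {source_ip: {"users": n, "success_after": [accounts]}}."""
    by_src = defaultdict(list)
    for ev in parse(log_text):
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if not e[1]]
        for i, (t0, _, _, _) in enumerate(fails):
            in_win = [e for e in fails[i:] if e[0] - t0 <= window]
            per_user = defaultdict(int)
            for _, _, account, _ in in_win:
                per_user[account] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # A success from the same source right after the spray is the case to escalate.
                t_end = in_win[-1][0] + window
                hits = sorted({e[2] for e in evs if e[1] and t0 <= e[0] <= t_end})
                alerts[src] = {"users": len(per_user), "success_after": hits}
                break
    return alerts
```

In real sign-in telemetry the source is often a rotating proxy address, so the same logic is usually also run keyed on user agent or ASN rather than on a single IP.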

“Activity observed in this campaign aligned with an Iranian pattern of life, particularly in late May and June, where activity occurred almost exclusively between 9:00 AM and 5:00 PM Iran Standard Time (IRST),” Microsoft went on to say.

The intrusions are characterised by the use of open-source red team tools such as AzureHound, a Golang binary for reconnaissance, and ROADtools to access data in a target’s cloud environment. The attacks have also been reported to use Azure Arc to establish persistence by connecting to an Azure subscription controlled by the threat actor.

Peach Sandstorm’s other attack chains have included exploiting vulnerabilities in Atlassian Confluence (CVE-2022-26134) or Zoho ManageEngine (CVE-2022-47966) to gain initial access.

Other notable features of the post-compromise activity include the use of the AnyDesk remote monitoring and management tool to maintain access, the use of EagleRelay to tunnel traffic back to the actor’s infrastructure, and the use of Golden SAML techniques for lateral movement.

“Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organisations’ environments,” Microsoft explained.

“As Peach Sandstorm develops and employs new capabilities, organisations must develop corresponding defences to harden their attack surfaces and increase the costs associated with these attacks.”
