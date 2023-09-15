An Iranian state-sponsored cyberespionage group has launched password spray attacks against thousands of organizations this year in an attempt to establish persistence in their environments, move laterally, and collect intelligence of interest to its sponsor. The targeted organizations were primarily in the satellite, defense, and pharmaceutical sectors and spanned multiple geographies.

Microsoft tracks the group as Peach Sandstorm; it is also known in the industry as HOLMIUM, Elfin, and APT33. Based on its past target selection and the type of data it collects, the group is believed to have ties to, and serve the interests of, the Iranian government.

"A subset of Peach Sandstorm’s 2023 post-compromise activity has been stealthy and sophisticated," Microsoft said in a report about the campaign, which ran between February and July 2023. "Many of the cloud-based tactics, techniques, and procedures (TTPs) seen in these most recent campaigns are materially more sophisticated than capabilities used by Peach Sandstorm in the past."

Password spraying is a favorite attack vector

Peach Sandstorm has used password spraying to gain initial access for years, not just in 2023. Unlike brute-force password guessing, where a large number of candidate passwords are tried against a single account, password spraying tries one password, or a small set of commonly used passwords, against many accounts. Spreading the attempts across accounts keeps each individual account below lockout and smart-lockout thresholds while still giving the attacker a good chance of a hit somewhere in a large organization.

Password spraying is nonetheless a noisy attack: it leaves traces in sign-in logs and can trigger defensive controls, which is why it is not the only initial access vector Peach Sandstorm employs.
A subset of victims was instead targeted with exploits for remote code execution flaws in Zoho ManageEngine products (CVE-2022-47966) and Atlassian Confluence (CVE-2022-26134).

Evidence suggests that much of the password spray targeting was opportunistic: the attackers sprayed thousands of accounts and organizations in the hope of breaking into as many as possible, and then triaged the victims. The attacks occurred exclusively between 9 am and 5 pm Iran Standard Time, were launched from Tor exit IP addresses, and carried the user agent string "go-http-client", which is the default user agent of the Go standard library's HTTP client rather than that of any browser.

For a subset of compromised accounts, the attackers used AzureHound and ROADtools, two open-source frameworks that enumerate Microsoft Entra ID (formerly Azure Active Directory) environments through the Microsoft Graph and Azure REST APIs, with the goal of locating and exfiltrating data of interest from the victim's cloud tenant.

"AzureHound and Roadtools have functionality that is used by defenders, red teams, and adversaries," Microsoft said in its report. "The same features that make these tools useful to legitimate users, like pre-built capabilities to explore and seamlessly dump data in a single database, also make these tools attractive options for adversaries seeking information about or from a target’s environment."

To achieve persistence, the attackers created new Azure subscriptions in victims' tenants and used them to establish command-and-control communication with infrastructure operated by the group. They also installed the Azure Arc agent on devices in compromised environments and connected it to an Azure subscription they controlled, which gave them remote management of those devices through Azure.
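The spray shape described above (many accounts, one or two attempts each, a single source, a Tor exit, the go-http-client user agent, Iranian business hours) is detectable in Entra ID sign-in logs without any vendor tooling. The following Python is added here as an example and is not code from Microsoft's report or from the article; it runs a simple detector over constructed sign-in records. The thresholds, the Tor exit list and the sample records are assumptions made for the demo, while the field names follow the Entra sign-in log schema and 50126 is Entra's "invalid username or password" error code.

```python
"""Password-spray detection over Entra ID sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IRST = timezone(timedelta(hours=3, minutes=30))  # Iran Standard Time (no DST since 2022)
INVALID_PASSWORD = 50126                          # Entra: invalid username or password

# Constructed Tor exit list for the demo; a real deployment would load the
# current list from https://check.torproject.org/torbulkexitlist.
TOR_EXITS = {"198.51.100.7", "198.51.100.9"}


def in_irst_business_hours(ts: datetime) -> bool:
    """True if the timestamp falls between 09:00 and 17:00 Iran Standard Time."""
    return 9 <= ts.astimezone(IRST).hour < 17


def parse(record: dict) -> dict:
    """Normalise one sign-in record into the fields the detector needs."""
    return {
        "ts": datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00")),
        "user": record["userPrincipalName"].lower(),
        "ip": record["ipAddress"],
        "ua": record.get("userAgent", ""),
        "error": record["status"]["errorCode"],
    }


def detect_password_spray(records, window=timedelta(hours=1),
                          min_accounts=5, max_failures_per_account=3):
    """Flag (ip, userAgent) sources that fail against many distinct accounts
    with only a few attempts each inside one window: the spray shape, as
    opposed to a brute force hammering a single account. Returns one
    finding per source, listing the targeted accounts and any account that
    also authenticated successfully from the same source."""
    events = sorted((parse(r) for r in records), key=lambda e: e["ts"])
    failures = defaultdict(list)   # (ip, ua) -> failed sign-ins
    successes = defaultdict(set)   # (ip, ua) -> users that succeeded
    for e in events:
        key = (e["ip"], e["ua"])
        if e["error"] == INVALID_PASSWORD:
            failures[key].append(e)
        elif e["error"] == 0:
            successes[key].add(e["user"])

    findings = []
    for (ip, ua), evs in failures.items():
        start = evs[0]["ts"]
        per_user = defaultdict(int)
        for e in evs:
            if e["ts"] - start > window:
                break
            per_user[e["user"]] += 1
        if len(per_user) < min_accounts or max(per_user.values()) > max_failures_per_account:
            continue  # too few accounts, or too many tries per account: not a spray
        findings.append({
            "ip": ip,
            "user_agent": ua,
            "tor_exit": ip in TOR_EXITS,
            "irst_business_hours": all(in_irst_business_hours(e["ts"]) for e in evs),
            "targeted_accounts": sorted(per_user),
            # same source later succeeded against a sprayed account: treat as compromised
            "compromised_accounts": sorted(successes[(ip, ua)] & set(per_user)),
        })
    return findings


def _rec(ts, user, ip, ua, code):
    """Build one constructed sign-in record in the Entra log shape."""
    return {"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
            "userAgent": ua, "status": {"errorCode": code}}


SPRAY_UA = "go-http-client/1.1"
# Constructed sample: one password tried against six accounts from a Tor exit
# at 10:00 IRST (06:30 UTC), one hit, plus an unrelated brute force against a
# single admin account from a browser that must NOT be reported as a spray.
SAMPLE_SIGNINS = (
    [_rec(f"2023-03-14T06:{30 + i:02d}:00Z", f"user{i}@example.com",
          "198.51.100.7", SPRAY_UA, INVALID_PASSWORD) for i in range(6)]
    + [_rec("2023-03-14T06:40:00Z", "user3@example.com", "198.51.100.7", SPRAY_UA, 0)]
    + [_rec(f"2023-03-14T20:{i:02d}:00Z", "admin@example.com",
            "203.0.113.5", "Mozilla/5.0", INVALID_PASSWORD) for i in range(8)]
)

if __name__ == "__main__":
    for finding in detect_password_spray(SAMPLE_SIGNINS):
        print(finding)
```

The detector keys on source IP plus user agent because both stayed constant across this campaign; the Tor and business-hours fields are enrichment for triage rather than conditions, so a spray from a non-Tor address at night is still reported. The compromised_accounts list is the set to hand to the remediation steps later in the article (password reset, session revocation, MFA review).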
Azure Arc is an Azure service that projects servers running outside Azure, whether on-premises or in other clouds, into Azure Resource Manager so they can be managed like native Azure resources; whoever controls the subscription an Arc-enabled machine is connected to can deploy extensions to it, including the Custom Script Extension, and so execute code on it.

Other post-compromise tools and techniques

After achieving persistence, the Peach Sandstorm attackers deployed a variety of publicly available and custom tools, including AnyDesk, a commercial remote monitoring and management (RMM) tool, and EagleRelay, a custom traffic-tunneling tool that the attackers deployed on newly created virtual machines in victim environments.

Other techniques employed by the group include abuse of the Remote Desktop Protocol (RDP), executing malicious code through DLL hijacking of a legitimate VMware executable, and a Golden SAML attack.

"In a Golden SAML attack, an adversary steals private keys from a target’s on-premises Active Directory Federated Services (AD FS) server and uses the stolen keys to mint a SAML token trusted by a target’s Microsoft 365 environment," Microsoft said. "If successful, a threat actor could bypass AD FS authentication and access federated services as any user."

Microsoft recommends treating AD FS servers as Tier 0 assets, because their compromise gives an attacker control over authentication to Microsoft Entra ID tenants and to any other configured relying parties.

How to mitigate password spray attacks

For any account targeted by a password spray, the company recommends resetting the password and revoking the account's sessions (session cookies and refresh tokens), and conducting additional investigation if the targeted account holds system-level permissions. The account's multifactor authentication (MFA) settings should also be reviewed, and any changes made by the attackers, for example a newly registered authentication method, should be reverted.

Additional advice given by Microsoft includes: