2023-09-15

An Iranian state-operated cyberespionage group has launched password spray attacks against thousands of organizations this year in an attempt to establish persistence into their environments, move laterally, and collect useful intelligence. The targeted organizations were primarily from the satellite, defense, and pharmaceuticals sectors and spanned different geographies.

Microsoft tracks the group as Peach Sandstorm, but it is also known in the industry as HOLMIUM, Elfin, and APT33. The group is believed to have ties to and serve the interests of the Iranian government based on past target selection and the type of collected data.

“A subset of Peach Sandstorm's 2023 post-compromise activity has been stealthy and sophisticated,” Microsoft said in a report about the attack campaign that took place between February and July. “Many of the cloud-based tactics, techniques, and procedures (TTPs) seen in these most recent campaigns are materially more sophisticated than capabilities used by Peach Sandstorm in the past.”

Password spraying is a favorite attack vector

Peach Sandstorm has long relied on password spraying to gain access to targets; this year's campaign is no exception. Unlike brute-force password guessing, where a large number of password combinations are tested against a single account, password spraying targets many accounts with one or a small set of commonly used passwords.

Password spraying is a noisy attack that leaves traces in logs and can trigger defense mechanisms, which is why it’s not the only initial access vector employed by Peach Sandstorm. A subset of victims was targeted with exploits for remote code execution flaws in Zoho ManageEngine products and Confluence (CVE-2022-47966 and CVE-2022-26134).

Evidence suggests that much of the password-spraying targeting was opportunistic, with the attackers going after thousands of accounts and organizations in the hope of breaking into as many as possible and then triaging the victims. The attacks always happened between 9 am and 5 pm Iran Standard Time and were launched from Tor IP addresses with a browser user agent called "go-http-client".
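As an added detection example (not code from Microsoft's report or this article), the following turns the pattern just described into a check over sign-in logs: it flags a source that fails against many distinct accounts with only a few tries each, lists any account that later succeeded from that source, and records whether the "go-http-client" user agent and 9-to-5 Iran Standard Time timing indicators also match. The log format, IP addresses and accounts are constructed for the example.

```python
# Added illustration (not from the Microsoft report): flag sources that fail against
# many accounts with few tries each, then check the report's indicators (user agent, IRST hours).
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

IRST = timezone(timedelta(hours=3, minutes=30))  # Iran Standard Time, UTC+03:30
# Constructed sample log (not a vendor schema): time account outcome source_ip user_agent
SAMPLE_LOG = """\
2023-03-14T06:02:11Z alice@example.com FAIL 203.0.113.7 go-http-client/1.1
2023-03-14T06:02:13Z bob@example.com FAIL 203.0.113.7 go-http-client/1.1
2023-03-14T06:02:15Z carol@example.com FAIL 203.0.113.7 go-http-client/1.1
2023-03-14T06:02:17Z dave@example.com FAIL 203.0.113.7 go-http-client/1.1
2023-03-14T06:02:19Z erin@example.com SUCCESS 203.0.113.7 go-http-client/1.1
2023-03-14T06:05:00Z frank@example.com FAIL 198.51.100.9 Mozilla/5.0
2023-03-14T06:05:30Z frank@example.com FAIL 198.51.100.9 Mozilla/5.0
2023-03-14T06:06:00Z frank@example.com SUCCESS 198.51.100.9 Mozilla/5.0
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, user, outcome, ip, ua = line.split(" ", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                       "user": user.lower(), "ok": outcome == "SUCCESS", "ip": ip, "ua": ua})
    return events

def in_irst_business_hours(ts):
    return 9 <= ts.astimezone(IRST).hour < 17

def detect_spray(events, window=timedelta(minutes=30), min_accounts=4, max_per_account=2):
    """Return {source_ip: finding} for sources whose failures fan out across many accounts."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        for i, first in enumerate(fails):
            in_win = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            per_user = Counter(e["user"] for e in in_win)
            # Spray signature: many distinct accounts, each tried only a few times (not one account hammered).
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits = sorted({e["user"] for e in evs if e["ok"] and e["ts"] >= first["ts"]})  # likely compromised
                findings[ip] = {"accounts_tried": len(per_user), "compromised": hits,
                                "go_http_client": any(e["ua"].lower().startswith("go-http-client") for e in in_win),
                                "irst_business_hours": in_irst_business_hours(first["ts"])}
                break
    return findings
```

The single-account failures from 198.51.100.9 are not flagged, which is the distinction the article draws between spraying and brute forcing; thresholds are assumptions to tune against your own sign-in volume.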