Iranian Hackers Gain Sophistication, Microsoft WarnsNoisy 'Peach Sandstorm' Password Spraying Campaign Is Followed by Stealth
Iranian state threat actors are growing in sophistication, warned Microsoft in an alert over a campaign of password hacking targeting the satellite and defense sectors and, to a lesser extent, the pharmaceutical sectors=.
Between February and July, the Iranian government hacker group that Microsoft tracks as "Peach Sandstorm" carried out a wave of password spraying attacks against thousands of targets, the computing giant reported. Microsoft earlier tracked the group as Holmium, and it is also known as APT33 and Refined Kitten.
Password spraying is not a sophisticated technique. It's a variant of brute force attacks in which attackers attempt to guess a single account's password. The spraying involves entering the same password guess into a number of accounts in an attempt to avoid account lockout and bet that at least one user has a previously used password or one that is easy to guess.
Iranian state hackers have a reputation for leaning heavily on phishing, credential stuffing and other social engineering techniques as initial attack vectors. Although grouped together with other states that have aggressive cyber hacking operations, such as Russia and China, experts rank Iranian hackers as less effective than their counterparts. But newfound willingness in Tehran to attack Western infrastructure may be enhancing the state's hacking capabilities.
This year, the nation-state threat actor Microsoft tracks as Mint Sandstorm - also known as APT42 and Cobalt Illusion - turned around its time to exploit n-day vulnerabilities from weeks to days, or even hours, Microsoft reported earlier this year (see: Iranian State Hacker Aggression Escalates, Says Microsoft). And just days ago, U.S. Cyber Command warned that Iranian hackers have been exploiting flaws in firewalls and enterprise applications (see: Feds Urge Immediate Patching of Zoho and Fortinet Products).
Password spray operations "are noisy by definition," Microsoft wrote. But what Iranian hackers did after establishing persistence and lateral movement earned Microsoft's warning about the group's growing hacking acumen: "A subset of Peach Sandstorm's 2023 post-compromise activity has been stealthy and sophisticated." In a March 2023 intrusion, Iranian hackers executed a golden SAML attack, which uses security assertion markup language to fabricate an authentication token trusted by the target's entire Microsoft 365 environment to access federated services as any user.
In a handful of attacks, Iranian hackers created virtual machines to host a custom tool dubbed EagleRelay, which is used to tunnel malicious traffic. In another subset, attackers deployed AnyDesk - a commercial remote monitoring and management tool.
"The capabilities observed in this campaign are concerning," Microsoft said. "While the specific effects in this campaign vary based on the threat actor's decisions, even initial access could adversely impact the confidentiality of a given environment."