Microsoft has warned that an Iranian nation-state actor known as Peach Sandstorm (also tracked as Holmium) has conducted a global cyber-espionage campaign, successfully attacking targets in the satellite, defense, and pharmaceutical sectors. The campaign, which began in February, used password spray attacks to authenticate to thousands of environments and extract data in support of Iranian state interests.
Password spraying is a brute-force technique in which attackers try a small number of common passwords against many user accounts, rather than many passwords against one account, which keeps each account below its lockout threshold. Once a target was compromised, the group, classified as an advanced persistent threat (APT), used a combination of publicly available and custom tools for reconnaissance, persistence, and lateral movement.
The recent campaign by Peach Sandstorm showed more sophisticated tactics, techniques, and procedures (TTPs) than in previous campaigns. The threat actors conducted reconnaissance using tools like AzureHound and ROADtools and abused Azure resources for persistence. They also combined a set of known TTPs in different ways to drop additional tools, move laterally, and exfiltrate data from targeted networks.
An additional attack method employed by Peach Sandstorm was remote exploitation of vulnerable applications. They attempted to exploit known remote code execution (RCE) vulnerabilities in Zoho ManageEngine and Atlassian Confluence to gain initial access. Both vulnerabilities are popular among APTs.
In post-compromise activity, Peach Sandstorm used various tactics such as deploying AnyDesk for remote monitoring and management, conducting Golden SAML attacks to bypass authentication, hijacking DLL search orders, and using custom tools like EagleRelay for tunneling traffic. The campaign raised concerns because Peach Sandstorm leveraged legitimate credentials obtained through password spray attacks to create new Azure subscriptions within target environments and maintain control over compromised networks using Azure Arc.
To defend against Peach Sandstorm’s activities, Microsoft advised organizations to reset passwords, revoke session cookies, and strengthen multifactor authentication (MFA). They also recommended maintaining strong credential hygiene and monitoring for identity-based risks. Transitioning to passwordless authentication methods, securing endpoints with MFA, and safeguarding Active Directory Federation Services (AD FS) servers were also suggested as mitigation measures.
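As an added example that is not part of Microsoft's advisory or this article, the following Python sketch shows the detection side of the password-spray pattern described above and of Microsoft's advice to monitor identity-based risks: it parses constructed sign-in records (an assumed JSON-lines layout with ts, user, ip and result fields, not the real Azure AD sign-in schema), flags a source IP that fails against many distinct accounts with only a few attempts each, and reports any later success from that IP as the likely compromise.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry), loosely modelled on the
# fields an Azure AD sign-in log exposes; one JSON record per line.
SAMPLE_SIGNIN_LOG = """\
{"ts": "2023-09-14T10:00:01Z", "user": "alice@corp.example", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2023-09-14T10:00:09Z", "user": "bob@corp.example", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2023-09-14T10:00:17Z", "user": "carol@corp.example", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2023-09-14T10:00:25Z", "user": "dave@corp.example", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2023-09-14T10:00:33Z", "user": "erin@corp.example", "ip": "203.0.113.7", "result": "success"}
{"ts": "2023-09-14T10:01:00Z", "user": "frank@corp.example", "ip": "198.51.100.5", "result": "failure"}
{"ts": "2023-09-14T10:01:05Z", "user": "frank@corp.example", "ip": "198.51.100.5", "result": "failure"}
{"ts": "2023-09-14T10:01:10Z", "user": "frank@corp.example", "ip": "198.51.100.5", "result": "failure"}
{"ts": "2023-09-14T10:01:15Z", "user": "frank@corp.example", "ip": "198.51.100.5", "result": "failure"}
"""

def parse_signins(text):
    """Parse newline-delimited JSON sign-in records, converting "ts" to a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return events

def detect_password_spray(events, window=timedelta(minutes=30), min_users=4, max_per_user=2):
    """Flag source IPs whose failed sign-ins hit many distinct accounts with only a
    few attempts each inside `window` (the spray shape that stays under lockout
    thresholds), and report any later success from that IP as the likely compromise."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "failure"]
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:  # slide the window forward
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                later = [e["user"] for e in evs
                         if e["result"] == "success" and e["ts"] >= fails[end]["ts"]]
                alerts[ip] = {"sprayed_users": sorted(per_user), "later_success": later}
                break
    return alerts
```

The single-account hammering from 198.51.100.5 is deliberately not flagged: that pattern is what lockout policy already stops, whereas the spread across accounts from 203.0.113.7 is what lockout thresholds miss.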
Roger Grimes, a data-driven defense evangelist, suggested that password spray attacks are ineffective when users employ unique, strong passwords for each site and service or use multifactor authentication. However, most sites and services do not currently accept multifactor authentication, making the use of a good password manager essential.
The Iranian government has been widely recognized as a persistent threat in the cyber landscape. The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned the Iranian government for its cybercrime activities. US Cyber Command recently revealed that Iranian state-sponsored threat actors exploited a US aeronautical organization using the ManageEngine vulnerability. APT35, also known as Charming Kitten, has been implicated in spear-phishing attacks with added backdoor capabilities, targeting an Israeli reporter. Additionally, an Iranian state-actor called Neptunium was identified as the perpetrator behind an attack on satirical French magazine Charlie Hebdo, where a database belonging to the magazine was accessed, and the group threatened to dox over 200,000 subscribers.
The ongoing cyber-espionage campaign by Peach Sandstorm highlights the need for organizations to strengthen their security defenses and raise the costs for such attacks. As threat actors continue to evolve and develop new capabilities, organizations must adapt by utilizing tools like multifactor authentication, employing strong password management practices, and maintaining vigilant monitoring of identity-based risks. By implementing these measures, companies can better protect their systems and data from sophisticated cyber threats.
