A recent campaign by Iranian hackers has been very successful in using password spray attacks to breach high-value targets, according to a new report by Microsoft Threat Intelligence. “Peach Sandstorm” is an established nation state threat that appears to have upped its capabilities in 2023, and has a particular focus on defense organizations and satellites as well as pharmaceutical company research.
The group was highly active from February to July of this year in a sustained campaign, compromising thousands of targets during that time. Though they have a preference for password spray attacks, the Iranian hackers also scan for particular unpatched vulnerabilities and exploit them when found.
Iranian hackers interested in defense organizations, satellites, pharmaceuticals, and finance
Peach Sandstorm (APT33) is an established nation state threat that has been in operation since at least 2013, known to engage in the bulk of its activity during business hours in Iran. The Iranian hackers have generally focused on intelligence gathered from a variety of targets in the US, Europe, and the Middle East, with a special focus on stealing research materials of value. The report does not specify which nation’s defense organizations were targeted or compromised.
The group has always been a sophisticated threat, employing a variety of tactics and sometimes dwelling on target systems for months or years without detection. It is also not new to password spray attacks, having regularly employed them for at least several years, but appears to have enhanced both its capabilities and its volume of activity as of late.
While the Iranian hackers are ultimately after very high-value targets such as defense organizations, these password spray attacks number in the thousands as the group often attempts to first compromise service providers or vendors and then move downstream with whatever openings opportunistically become available.
Password spray attacks are the group’s most common approach by far, but it also homes in on certain documented internet-facing vulnerabilities. It has repeatedly exploited CVE-2022-26134, a remote code execution vulnerability in Confluence Server and Data Center, and CVE-2022-47966, which affects an assortment of Zoho ManageEngine products.
Post-compromise, the Iranian hackers use an assortment of methods to maintain access and quietly exfiltrate data. At times they have used AnyDesk, a legitimate remote management tool that may well be whitelisted by application controls. They have similarly used a legitimate VMware executable in at least one attack, and frequently deploy a custom tool called “EagleRelay” to tunnel traffic. The group also often creates new Azure subscriptions (where available) as a means of expanding to other parts of the target environment.
Microsoft did not name specific defense organizations or other targets, but the Iranian hackers have been previously linked to the Shamoon malware campaign (which damaged systems at Saudi Aramco and RasGas Co among other targets in the Middle East). The group has also been tied to attacks on Italian oil services firm Saipem and attempts to breach Israel’s water systems in 2020.
Office 365 appears to be another favored target for the Iranian hackers, as Microsoft reports a sustained campaign against the service but only about 20 accounts compromised thus far.
Password spray attacks on the rise, particularly against enterprise cloud accounts
Password spray attacks are essentially a more refined “brute force” guessing attack that ups the odds of success by trying a likely password against many different user accounts rather than many passwords against one account. They are one of the elements of cyber crime that saw a major spike during the Covid-19 pandemic period; the Microsoft Threat Intelligence team found that they had surged to account for a third of enterprise cloud account compromises by late 2020.
The basis in brute force guessing techniques might give the initial impression that this is a more amateur approach for less skilled cyber criminals, but in the right hands (and supported by a big botnet) these attacks can be highly effective. They rely primarily on at least one company employee using a simple or predictable password, or re-using credentials that were already seen in a leak. In addition to assorted teams of Iranian hackers, Russia’s state-backed threat groups have also been spotted using password spray attacks successfully in recent years.
The approach is interesting because password spray attacks are highly noticeable, something that defense organizations and similarly high-value targets stand a good chance of detecting. The problem is that those same organizations are far less likely to detect an attacker who has actually breached the perimeter using valid credentials discovered by the spray. Once inside, the Iranian hackers switch from “noisy” to “silent” in their approach.
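As an added example that is not part of the article or the Microsoft report, the following Python flags the “noisy” spray pattern described above in constructed sign-in log lines: one source failing against many distinct accounts with only a few attempts each, which distinguishes a spray from single-account brute force. The log format, IP addresses, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from the report): timestamp, source IP, account, result.
# 203.0.113.10 sprays one guess per account; 198.51.100.7 hammers one account; 192.0.2.5 is a typo.
SAMPLE_LOG = """\
2023-06-01T09:00:01Z 203.0.113.10 alice@example.com AUTH_FAIL
2023-06-01T09:00:04Z 203.0.113.10 bob@example.com AUTH_FAIL
2023-06-01T09:00:07Z 203.0.113.10 carol@example.com AUTH_FAIL
2023-06-01T09:00:10Z 203.0.113.10 dave@example.com AUTH_FAIL
2023-06-01T09:00:13Z 203.0.113.10 erin@example.com AUTH_FAIL
2023-06-01T09:00:16Z 203.0.113.10 frank@example.com AUTH_OK
2023-06-01T09:01:00Z 198.51.100.7 alice@example.com AUTH_FAIL
2023-06-01T09:01:02Z 198.51.100.7 alice@example.com AUTH_FAIL
2023-06-01T09:01:04Z 198.51.100.7 alice@example.com AUTH_FAIL
2023-06-01T09:05:00Z 192.0.2.5 carol@example.com AUTH_FAIL
2023-06-01T09:05:20Z 192.0.2.5 carol@example.com AUTH_OK
"""

def parse_events(text):
    """Yield (timestamp, source_ip, account, succeeded) tuples from the log text."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, account, result = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result == "AUTH_OK"

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Flag sources that fail against many distinct accounts inside one window while
    hitting each account only a few times. Any success from a flagged source is listed
    for triage, because that is the point where the noisy phase turns silent."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):  # slide the window over this source's events
            fails, successes = defaultdict(int), set()
            for ts, account, ok in rows[i:]:
                if ts - start > window:
                    break
                if ok:
                    successes.add(account)
                else:
                    fails[account] += 1
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                flagged[ip] = {"accounts": sorted(fails), "succeeded": sorted(successes)}
                break
    return flagged
```

Tune the window and thresholds to the tenant's normal failure rate before alerting on the result; the point of the `succeeded` list is to hand the responder the account to investigate first.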
Microsoft recommends that organizations implement its Azure Security Benchmark and follow all identity infrastructure best practice recommendations, conduct a credential hygiene review and enable Entra ID’s enhanced security features, and implement MFA if it is not already in place.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, adds: “Password spray attacks don’t work when users use unique, strong passwords for every site and service (or multifactor authentication). Most sites and services don’t accept MFA, at least not yet. That’s why every user should use a good password manager. A password manager allows users to have unique, very strong passwords on every site and service without having to remember what those passwords are.”