Microsoft has uncovered a series of password spray attacks carried out by an Iranian-backed threat group targeting thousands of organizations worldwide, with a particular focus on the U.S. The attacks have been ongoing since February 2023 and have had severe implications for security, especially within the defense, satellite, and pharmaceutical sectors.
The malicious actors behind these attacks are affiliated with APT33, also known as Peach Sandstorm, HOLMIUM, or Refined Kitten, and have been active since at least 2013. Their targets have spanned various industries, including government, defense, research, finance, and engineering, with victims in the United States, Saudi Arabia, and South Korea.
Between February and July 2023, Peach Sandstorm conducted a relentless wave of password spray attacks, attempting to authenticate into numerous environments. This approach involves trying to gain access to many accounts using a single password or a short list of commonly used passwords, which distinguishes it from brute force attacks, which target a single account with an extensive list of passwords. Because each account sees only one or a few failed attempts, password spraying increases the attackers' chances of success while staying below the failure thresholds that trigger automatic account lockouts.
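The distinction drawn above is also what a defender looks for in sign-in telemetry: a spray shows up as one source touching many accounts with very few failures per account, whereas a brute force attempt piles failures onto a single account. The following is an added example, not code from Microsoft's report or from the article; it runs over a constructed set of sign-in events (the timestamps, users and addresses are made up), groups them by source address, and classifies each source using two assumed tunables, `spray_min_users` and `lockout_threshold`.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). One event per line:
# timestamp, user principal name, source IP, result.
SAMPLE_EVENTS = """\
2023-03-01T09:00:01Z alice@corp.example 203.0.113.10 FAILURE
2023-03-01T09:00:03Z bob@corp.example 203.0.113.10 FAILURE
2023-03-01T09:00:05Z carol@corp.example 203.0.113.10 FAILURE
2023-03-01T09:00:07Z dave@corp.example 203.0.113.10 FAILURE
2023-03-01T09:00:09Z erin@corp.example 203.0.113.10 FAILURE
2023-03-01T09:00:11Z frank@corp.example 203.0.113.10 SUCCESS
2023-03-01T09:00:02Z alice@corp.example 198.51.100.7 FAILURE
2023-03-01T09:00:03Z alice@corp.example 198.51.100.7 FAILURE
2023-03-01T09:00:04Z alice@corp.example 198.51.100.7 FAILURE
2023-03-01T09:00:05Z alice@corp.example 198.51.100.7 FAILURE
2023-03-01T09:00:06Z alice@corp.example 198.51.100.7 FAILURE
2023-03-01T09:00:07Z alice@corp.example 198.51.100.7 FAILURE
2023-03-01T09:01:00Z grace@corp.example 192.0.2.44 FAILURE
2023-03-01T09:01:20Z grace@corp.example 192.0.2.44 SUCCESS
"""


def parse_events(text):
    """Parse whitespace-separated event lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user.lower(),
            "ip": ip,
            "ok": result == "SUCCESS",
        })
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     spray_min_users=5, lockout_threshold=5):
    """Classify each source IP as password_spray, brute_force or benign.

    spray_min_users and lockout_threshold are assumed tunables; in practice
    the lockout value should match the directory's actual lockout policy.
    Only events within `window` of a source's first event are considered.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = evs[0]["time"]
        evs = [e for e in evs if e["time"] - start <= window]

        failures_per_user = defaultdict(int)
        users = set()
        successes = []
        for e in evs:
            users.add(e["user"])
            if e["ok"]:
                successes.append(e["user"])
            else:
                failures_per_user[e["user"]] += 1

        max_per_user = max(failures_per_user.values(), default=0)
        total_failures = sum(failures_per_user.values())

        # Spray: many accounts, each with fewer failures than would lock it.
        # Brute force: one account pushed past the lockout threshold.
        if len(users) >= spray_min_users and max_per_user < lockout_threshold:
            verdict = "password_spray"
        elif max_per_user >= lockout_threshold:
            verdict = "brute_force"
        else:
            verdict = "benign"

        report[ip] = {
            "verdict": verdict,
            "distinct_users": len(users),
            "failures": total_failures,
            "max_failures_per_user": max_per_user,
            # Accounts that signed in successfully from a flagged source are
            # the first ones to review for compromise.
            "compromised_candidates": sorted(set(successes)) if verdict != "benign" else [],
        }
    return report


if __name__ == "__main__":
    for ip, summary in classify_sources(parse_events(SAMPLE_EVENTS)).items():
        print(ip, summary)
```

On the constructed input, 203.0.113.10 is flagged as a spray (six accounts, at most one failure each, and one success worth investigating), 198.51.100.7 as brute force against a single account, and 192.0.2.44 as a user who simply mistyped a password once. The per-source grouping is deliberately naive; sprays distributed across many addresses call for the same aggregation keyed on user agent, ASN or time bucket instead.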
In addition to password spraying, the attackers leveraged vulnerabilities in unpatched Confluence and ManageEngine appliances exposed online to compromise their targets’ networks. Once successful, APT33 hackers utilized open-source security frameworks like AzureHound and Roadtools for reconnaissance within victims’ Azure Active Directory and data extraction from their cloud environments.
They also exploited Azure credentials, established new Azure subscriptions on victims’ tenants, and manipulated Azure Arc for persistent control over on-premises devices within the victims’ network.
The attackers employed various tactics, such as the Golden SAML attack method for lateral movement, the use of AnyDesk for persistence, sideloading custom malicious DLLs to execute harmful payloads, and the utilization of a tunneling tool named EagleRelay to direct malicious traffic to their command-and-control (C2) infrastructure.
Microsoft suggests that these initial access campaigns likely aim to facilitate intelligence collection in support of Iranian state interests, based on the profile of targeted organizations and observed follow-on intrusion activities.
Notably, the cloud-based tactics, techniques, and procedures (TTPs) utilized in these recent campaigns demonstrate a significant advancement in sophistication compared to previous activities associated with Peach Sandstorm.
It’s important to note that password spray attacks remain a prevalent authentication attack vector, as they accounted for over a third of enterprise account compromises. This latest revelation underscores the urgency of safeguarding against such attacks, with past incidents involving APT28 and other state-sponsored groups targeting government and defense entities using similar tactics.
In summary, these recent cyber-attacks underscore the ongoing threats faced by organizations and the need for robust cybersecurity measures to defend against increasingly sophisticated and persistent adversaries.