Iranian cyberspies target thousands of organizations with password spray attacks

An Iranian state-operated cyberespionage group has launched password spray attacks against thousands of organizations this year in an attempt to establish persistence in their environments, move laterally, and collect useful intelligence. The targeted organizations were primarily from the satellite, defense, and pharmaceutical sectors and spanned different geographies.

Microsoft tracks the group as Peach Sandstorm, but it is also known in the industry as HOLMIUM, Elfin, and APT33. The group is believed to have ties to and serve the interests of the Iranian government based on past target selection and the type of collected data.

“A subset of Peach Sandstorm’s 2023 post-compromise activity has been stealthy and sophisticated,” Microsoft said in a report about the attack campaign that took place between February and July. “Many of the cloud-based tactics, techniques, and procedures (TTPs) seen in these most recent campaigns are materially more sophisticated than capabilities used by Peach Sandstorm in the past.”

Password spraying is a favorite attack vector

Peach Sandstorm has relied on password spraying for initial access for years, not just in this campaign. Where a brute-force attack tries a large number of passwords against a single account, password spraying tries one password, or a small set of commonly used ones, against many accounts. Because each account sees only a guess or two, the attempts stay below per-account lockout thresholds and blend in with ordinary failed logins, which is what makes the technique attractive against tenants that have not enforced MFA.

Password spraying is still noisy: it leaves traces in sign-in logs and can trigger defenses, which is one reason it is not the only initial access vector employed by Peach Sandstorm. A subset of victims was instead compromised through remote code execution flaws in Zoho ManageEngine products and Atlassian Confluence (CVE-2022-47966 and CVE-2022-26134, respectively).

Evidence suggests that much of the password spray targeting was opportunistic: the attackers sprayed thousands of accounts and organizations in the hope of breaking into as many as possible and then triaged the victims. The activity consistently fell between 9 am and 5 pm Iran Standard Time, originated from Tor exit IP addresses, and carried the user agent string “go-http-client”, which is the default User-Agent of Go’s standard HTTP library rather than a browser. That points to custom tooling written in Go and gives defenders a concrete string to hunt for in sign-in logs.
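The pattern described above (many accounts, one or two guesses each, from a single source, within a fixed working window) is what a spray detection has to key on. The following is an added example, not code from the article or from Microsoft’s report: it groups failed sign-ins by source IP and flags sources whose failures fan out across many users with few attempts per user, then enriches the hit with the user agents, the hours in Iran Standard Time, and whether the source is a known Tor exit. The sign-in records are constructed to mimic an Entra ID sign-in log export, and the Tor exit list, window and thresholds are assumptions to tune for your own tenant.

```python
"""Detecting a password spray in sign-in records.

Added example, not code from the article or from Microsoft's report. The
sign-in records are constructed to mirror the pattern described above; the
Tor exit list, window and thresholds are assumptions to tune per tenant.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

IRST_OFFSET = timedelta(hours=3, minutes=30)   # Iran Standard Time is UTC+03:30
TOR_EXITS = {"198.51.100.7"}                   # assumed: a locally cached Tor exit-node list

# Constructed sample. 50126 is the Entra ID error code for an invalid
# username or password; 0 means the sign-in succeeded.
SAMPLE_SIGNINS = (
    # One source, one guess per account, nine accounts in nine minutes,
    # default Go HTTP client user agent: the spray shape.
    [{"time": f"2023-06-12T06:0{i}:00Z", "user": f"user{i:02d}@example.com",
      "ip": "198.51.100.7", "ua": "Go-http-client/1.1", "status": 50126}
     for i in range(1, 10)]
    # One source hammering a single account: brute force, not a spray.
    + [{"time": f"2023-06-12T07:{i:02d}:00Z", "user": "bob@example.com",
        "ip": "192.0.2.9", "ua": "python-requests/2.31", "status": 50126}
       for i in range(20)]
    # A user mistyping an old password once, then succeeding.
    + [{"time": "2023-06-12T08:00:00Z", "user": "alice@example.com",
        "ip": "203.0.113.4", "ua": "Mozilla/5.0", "status": 50126},
       {"time": "2023-06-12T08:00:30Z", "user": "alice@example.com",
        "ip": "203.0.113.4", "ua": "Mozilla/5.0", "status": 0}]
)


def parse_time(ts):
    """ISO-8601 UTC timestamp as written in exported sign-in logs."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_spray(records, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {source_ip: summary} for sources whose failed sign-ins fan out
    across many accounts with few attempts each inside one time window.

    Many users with low attempts per user is the spray shape; a brute force
    (one user, many attempts) fails the same test and is not reported.
    """
    failures = defaultdict(list)
    for r in records:
        if r["status"] != 0:
            failures[r["ip"]].append((parse_time(r["time"]), r))

    hits = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda pair: pair[0])
        for i, (start, _) in enumerate(fails):
            # Sliding window anchored at each failure from this source.
            span = [(t, r) for t, r in fails[i:] if t - start <= window]
            per_user = Counter(r["user"] for _, r in span)
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            hits[ip] = {
                "distinct_users": len(per_user),
                "attempts": len(span),
                "user_agents": sorted({r["ua"] for _, r in span}),
                "tor_exit": ip in TOR_EXITS,
                # Local hours of the burst; the campaign above kept to 09:00-17:00 IRST.
                "irst_hours": sorted({(t + IRST_OFFSET).hour for t, _ in span}),
            }
            break   # one verdict per source is enough
    return hits


if __name__ == "__main__":
    for ip, summary in detect_spray(SAMPLE_SIGNINS).items():
        print(ip, summary)
```

Run against a real export, the same grouping belongs on an hourly schedule with the threshold set from your tenant’s baseline of distinct-user failures per source; a lone source with nine failed users in nine minutes is a spray in a small tenant and background noise in a large one.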

For a subset of compromised accounts, the attackers ran AzureHound and ROADtools, two open-source tools that enumerate a Microsoft Entra ID (formerly Azure Active Directory) tenant through the Microsoft Graph and Azure REST APIs, and used them to collect data of interest from the victim’s cloud environment.

“AzureHound and Roadtools have functionality that is used by defenders, red teams, and adversaries,” Microsoft said in its report. “The same features that make these tools useful to legitimate users, like pre-built capabilities to explore and seamlessly dump data in a single database, also make these tools attractive options for adversaries seeking information about or from a target’s environment.”

To achieve persistence, the attackers created new Azure subscriptions inside victims’ tenants and used them to establish command-and-control communication with infrastructure operated by the group. They also installed the Azure Arc Connected Machine agent on devices in compromised environments and enrolled those devices into an Azure subscription they controlled, which gave them remote management of the hosts, including the ability to deploy extensions and scripts to them. Azure Arc is a legitimate Azure capability for managing Windows and Linux servers that run outside Azure, such as on-premises machines, through the Azure control plane. The subscription an Arc-enabled server reports to is the one that can manage it, so an agent pointed at an unexpected tenant or subscription is the tell to hunt for.

Other post-compromise tools and techniques

After achieving persistence, the Peach Sandstorm attackers deployed a variety of publicly available and custom tools, including AnyDesk, a commercial remote monitoring and management (RMM) tool, and EagleRelay, a custom traffic tunneling tool that the attackers deployed on newly created virtual machines in victim environments.

Other techniques employed by the group include abuse of the Remote Desktop Protocol (RDP), executing malicious code through DLL hijacking with a legitimate VMware executable, and launching a Golden SAML attack.

“In a Golden SAML attack, an adversary steals private keys from a target’s on-premises Active Directory Federated Services (AD FS) server and uses the stolen keys to mint a SAML token trusted by a target’s Microsoft 365 environment,” Microsoft said. “If successful, a threat actor could bypass AD FS authentication and access federated services as any user.”

Microsoft recommends treating AD FS servers as Tier 0 assets because their compromise gives an attacker control of authentication to Microsoft Entra ID tenants and every other configured relying party. A forged token is signed with the farm’s own token-signing key, so the relying party cannot distinguish it from a legitimate one; recovering from a suspected key theft means rotating the token-signing certificate and updating the federation trust, not just resetting the users who were impersonated.
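One detection follows directly from how the attack works: a token minted with a stolen key is never issued by AD FS, so a federated sign-in that Entra ID accepts without a corresponding AD FS token-issuance event is a lead. The following is an added example, not code from the article or from Microsoft’s report. It correlates Entra sign-ins for a federated domain with AD FS security-log events (Event ID 1200, “The Federation Service issued a valid token”) collected from every farm node, and returns the sign-ins that have no issuance within a small time slack. Both record sets are constructed, and the field names are assumptions about how a log collector would export the two sources.

```python
"""Hunting for Golden SAML: federated sign-ins with no matching AD FS issuance.

Added example, not code from the article or from Microsoft's report. Both
record sets are constructed; the field names are assumptions about how a
log collector would export AD FS security events and Entra sign-in logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# AD FS security-log events, as shipped from every farm node to a central
# collector. Event ID 1200 is "The Federation Service issued a valid token";
# 1202 only records that credentials were validated and is not an issuance.
ADFS_EVENTS = [
    {"time": "2023-06-12T08:00:05Z", "event_id": 1200, "upn": "alice@example.com", "host": "adfs01"},
    {"time": "2023-06-12T08:30:10Z", "event_id": 1202, "upn": "bob@example.com",   "host": "adfs02"},
    {"time": "2023-06-12T08:30:11Z", "event_id": 1200, "upn": "bob@example.com",   "host": "adfs02"},
]

# Entra ID sign-ins. For a federated domain a legitimate sign-in follows AD FS
# issuing the token that Entra then consumed; "issuer" stands in for the
# sign-in log's token issuer type (assumed field name for this example).
ENTRA_SIGNINS = [
    {"time": "2023-06-12T08:00:07Z", "upn": "alice@example.com",     "issuer": "ADFederationServices", "app": "Office 365 Exchange Online"},
    {"time": "2023-06-12T08:30:13Z", "upn": "Bob@example.com",       "issuer": "ADFederationServices", "app": "Microsoft Teams"},
    {"time": "2023-06-12T22:15:00Z", "upn": "svc-admin@example.com", "issuer": "ADFederationServices", "app": "Microsoft Graph"},
    {"time": "2023-06-12T09:00:00Z", "upn": "carol@example.com",     "issuer": "AzureAD",              "app": "Microsoft Teams"},
]


def parse_time(ts):
    """ISO-8601 UTC timestamp as written by the collector."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def orphan_federated_signins(signins, adfs_events, slack=timedelta(minutes=5)):
    """Return federated sign-ins with no AD FS 1200 event for the same user
    within `slack` of the sign-in.

    A token minted with a stolen signing key was never issued by AD FS, so it
    has nothing to match. A gap in AD FS auditing on one farm node produces
    the same result, so treat every hit as a lead to verify, not a verdict.
    """
    issued = defaultdict(list)
    for e in adfs_events:
        if e["event_id"] == 1200:
            issued[e["upn"].lower()].append(parse_time(e["time"]))

    orphans = []
    for s in signins:
        if s["issuer"] != "ADFederationServices":
            continue   # cloud-authenticated: AD FS was never in the path
        t = parse_time(s["time"])
        issued_times = issued.get(s["upn"].lower(), [])
        if not any(abs(t - issued_at) <= slack for issued_at in issued_times):
            orphans.append(s)
    return orphans


if __name__ == "__main__":
    for s in orphan_federated_signins(ENTRA_SIGNINS, ADFS_EVENTS):
        print("no AD FS issuance for", s["upn"], "at", s["time"], "to", s["app"])
```

The correlation only works if AD FS auditing is enabled and forwarded from every node in the farm; a missing node looks exactly like a forged token. The slack absorbs clock skew between the AD FS hosts and Entra ID, and a hit on a privileged or service account, outside business hours, to an API-style application is the combination worth escalating first.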

How to mitigate password spray attacks

The company also recommends resetting passwords and revoking active sessions (refresh tokens and session cookies) for any accounts targeted by a password spray attack, and conducting a deeper investigation where targeted accounts hold system-level permissions. Each account’s multifactor authentication (MFA) settings should be reviewed, and any MFA methods or devices the attackers registered should be removed.

Additional advice given by Microsoft includes:

  • Create conditional access policies to allow or disallow access to the environment based on defined criteria.
  • Block legacy authentication with Microsoft Entra ID by using Conditional Access. Legacy authentication protocols don’t have the ability to enforce MFA, so blocking such authentication methods will prevent password spray attackers from taking advantage of the lack of MFA on those protocols.
  • Enable AD FS web application proxy extranet lockout to protect users from potential password brute force compromise.
  • Practice the principle of least privilege and audit privileged account activity in your Microsoft Entra ID environments to slow and stop attackers.
  • Deploy Microsoft Entra ID Connect Health for Active Directory Federation Services (AD FS). This captures failed attempts as well as IP addresses recorded in AD FS logs for bad requests in the Risky IP report.
  • Use Microsoft Entra ID password protection to detect and block known weak passwords and their variants.
  • Turn on identity protection in Microsoft Entra ID to monitor for identity-based risks and create policies for risky sign-ins.
  • Use MFA to mitigate successful password spray attacks. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Consider transitioning to a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for Business.
  • Secure RDP or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.
