Iranian Threat Group Hits Thousands With Password Spray Campaign
An Iranian state-backed APT group carried out a “wave” of cyber-espionage attacks against thousands of global targets over a six-month period, Microsoft has revealed.
The group known as Peach Sandstorm (aka APT33, Elfin, and Refined Kitten) used password spraying techniques between February and July 2023. This is a brute-force technique where threat actors try to authenticate to multiple accounts with a list of commonly used passwords.
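As an added illustration (not code from the Microsoft report or this article), the following Python shows how a defender can pick the spray pattern described above out of sign-in logs: one source failing against many distinct accounts, each only once or twice, which is what separates a spray from ordinary single-account brute force. The log tuples, the 30-minute window and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (timestamp, user, source IP, outcome) for demonstration.
# 203.0.113.7 sprays six accounts once each, then logs in as "frank".
# 198.51.100.9 hammers a single account (brute force, not a spray).
# 192.0.2.5 is a user mistyping a password once.
SAMPLE_EVENTS = [
    ("2023-03-01T08:00:01", "alice", "203.0.113.7", "FAIL"),
    ("2023-03-01T08:00:45", "bob", "203.0.113.7", "FAIL"),
    ("2023-03-01T08:01:30", "carol", "203.0.113.7", "FAIL"),
    ("2023-03-01T08:02:15", "dave", "203.0.113.7", "FAIL"),
    ("2023-03-01T08:03:00", "erin", "203.0.113.7", "FAIL"),
    ("2023-03-01T08:04:10", "frank", "203.0.113.7", "FAIL"),
    ("2023-03-01T08:06:00", "frank", "203.0.113.7", "SUCCESS"),
    ("2023-03-01T08:00:10", "alice", "198.51.100.9", "FAIL"),
    ("2023-03-01T08:00:20", "alice", "198.51.100.9", "FAIL"),
    ("2023-03-01T08:00:30", "alice", "198.51.100.9", "FAIL"),
    ("2023-03-01T08:00:40", "alice", "198.51.100.9", "FAIL"),
    ("2023-03-01T08:00:50", "alice", "198.51.100.9", "FAIL"),
    ("2023-03-01T08:01:00", "alice", "198.51.100.9", "FAIL"),
    ("2023-03-01T08:30:00", "alice", "192.0.2.5", "FAIL"),
    ("2023-03-01T08:30:20", "alice", "192.0.2.5", "SUCCESS"),
]

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {source_ip: details} for sources that fail against at least
    `min_accounts` distinct users inside `window`, with no single user failing
    more than `max_per_account` times (the spray signature). Any later success
    from the same source is listed so responders can prioritise those accounts."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(events):
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):          # slide the window over each failure
            per_user = defaultdict(int)
            for ts, u in fails[i:]:
                if ts - start <= window:
                    per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                success_after = sorted({u for ts, u, r in evs if r == "SUCCESS" and ts >= start})
                alerts[ip] = {"accounts": len(per_user), "success_after": success_after}
                break
    return alerts

if __name__ == "__main__":
    for ip, info in detect_spray(SAMPLE_EVENTS).items():
        print(f"{ip}: sprayed {info['accounts']} accounts, later success as {info['success_after']}")
```

The brute-force source is deliberately not flagged here; it needs a separate per-account lockout or velocity rule, which is why spray detection must key on distinct usernames per source rather than failure volume alone.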
Microsoft claimed that, although these noisy campaigns hit thousands of organizations across several sectors and geographies, subsequent activity was more “stealthy and sophisticated.”
“Many of the cloud-based tactics, techniques, and procedures (TTPs) seen in these most recent campaigns are materially more sophisticated than capabilities used by Peach Sandstorm in the past,” it explained.
“In later stages of known compromises, the threat actor used different combinations from a set of known TTPs to drop additional tools, move laterally, and ultimately exfiltrate data from a target.”
The report claimed that a small subset of compromised victims had data taken from their systems. It’s not clear what type of organizations these were, but APT33 has a particular interest in the satellite, defense and pharmaceutical sectors, Microsoft said.
The group used AzureHound and ROADtools to conduct reconnaissance in Microsoft Entra ID (formerly Azure Active Directory) environments and deployed multiple persistence mechanisms, including the use of Azure Arc.
This tool allows users “to secure, develop, and operate infrastructure, applications, and Azure services anywhere, to persist in compromised environments,” Microsoft explained.
In some cases, the group eschewed password spraying in favor of vulnerability exploitation: specifically, remote code execution bugs in Zoho (CVE-2022-47966) and Confluence (CVE-2022-26134).
In some intrusions, APT33 deployed the commercial remote monitoring and management (RMM) tool AnyDesk to maintain access to a target.
The end goal was to steal intelligence aligned with Iranian state interests, Microsoft claimed.
“The capabilities observed in this campaign are concerning as Microsoft saw Peach Sandstorm use legitimate credentials (gleaned from password spray attacks) to authenticate to targets’ systems, persist in targets’ environments, and deploy a range of tools to carry out additional activity,” the report concluded.
“Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organizations’ environments. While the specific effects in this campaign vary based on the threat actor’s decisions, even initial access could adversely impact the confidentiality of a given environment.”