A Global Cyber-Espionage Campaign Conducted by Iranian Actor Peach Sandstorm
Campaign Overview
A recent blog post from Microsoft Threat Intelligence has flagged a global cyber-espionage campaign conducted by the Iranian nation-state actor known as Peach Sandstorm (also tracked as Holmium). This campaign, active since February, has targeted various sectors including the satellite, defense, and pharmaceutical industries. The objective of this operation is to gather sensitive data in support of Iranian state interests.
Password Spray Attacks
The campaign primarily employed a technique known as password spray attacks from February to July. This method involves attempting to gain unauthorized access to user accounts and systems by trying common passwords across multiple accounts. By using common passwords, the attackers reduce the risk of account lockouts. This tactic allowed the threat actors to compromise thousands of environments and exfiltrate significant amounts of data.
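The pattern described above (few attempts per account, many accounts from one source) is also what makes a spray detectable. The following added example is not from the Microsoft report or the article; it runs a simple spray detector over constructed sign-in events and lists the accounts that later succeeded from a flagged source, which are the first candidates for the password reset recommended later in this article. Thresholds and the event format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry):
# (timestamp, account, source_ip, success)
SIGNIN_EVENTS = [
    ("2023-03-01T09:00:01", "alice@corp.example", "203.0.113.7", False),
    ("2023-03-01T09:00:04", "bob@corp.example", "203.0.113.7", False),
    ("2023-03-01T09:00:06", "carol@corp.example", "203.0.113.7", False),
    ("2023-03-01T09:00:09", "dave@corp.example", "203.0.113.7", False),
    ("2023-03-01T09:00:12", "erin@corp.example", "203.0.113.7", False),
    ("2023-03-01T09:00:15", "frank@corp.example", "203.0.113.7", True),
    # One user mistyping their own password repeatedly: benign, must not fire
    ("2023-03-01T09:05:00", "grace@corp.example", "198.51.100.2", False),
    ("2023-03-01T09:05:20", "grace@corp.example", "198.51.100.2", False),
    ("2023-03-01T09:05:40", "grace@corp.example", "198.51.100.2", False),
    ("2023-03-01T09:06:00", "grace@corp.example", "198.51.100.2", True),
]

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, lockout_threshold=5):
    """Return {source_ip: [accounts]} for sources whose failures hit at least
    `min_accounts` distinct accounts inside `window` while every account stays
    below `lockout_threshold` failures (the spray signature: many accounts,
    too few tries per account to trigger lockout). Thresholds are assumed."""
    by_source = defaultdict(list)
    for ts, account, ip, ok in events:
        if not ok:
            by_source[ip].append((datetime.fromisoformat(ts), account))
    findings = {}
    for ip, fails in by_source.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_account = defaultdict(int)
            for t, account in fails[i:]:
                if t - start <= window:
                    per_account[account] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) < lockout_threshold):
                findings[ip] = sorted(per_account)
                break
    return findings

def compromised_accounts(events, findings):
    """Accounts that succeeded from a flagged spray source: reset these first."""
    return sorted({acct for _, acct, ip, ok in events if ok and ip in findings})
```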
Tactics and Tools
Once a target was compromised, the attackers utilized a combination of publicly available and custom tools for various activities, including reconnaissance, persistence, and lateral movement. The tactics deployed by Peach Sandstorm demonstrate increased sophistication compared to their previous campaigns. The advanced persistent threat (APT) leveraged cloud-based tactics and techniques, such as using tools like AzureHound and Roadtools for reconnaissance and exploiting Azure resources for persistence.
Exploiting Vulnerabilities
Peach Sandstorm also attempted to exploit known vulnerabilities in applications like Zoho ManageEngine (CVE-2022-47966) and Atlassian Confluence (CVE-2022-26134) to gain initial access. These vulnerabilities are popular among APT groups because they allow remote code execution on exposed systems. In post-compromise activities, the threat actors employed tactics like remote monitoring and management with AnyDesk, Golden SAML attacks to bypass authentication, hijacking DLL search orders, and tunneling traffic with custom tools like EagleRelay.
Concerns and Azure Subscriptions
The campaign is especially concerning because Peach Sandstorm capitalized on legitimate credentials obtained through password spray attacks to create new Azure subscriptions within target environments. This enabled the threat actors to maintain control over compromised networks using Azure Arc. This level of stealth and persistence raises concerns about defending against such attacks.
Defense Measures
Microsoft emphasizes the importance of developing robust defenses to counter the evolving capabilities of Peach Sandstorm. The company provides several recommendations to organizations:
Password and Credential Hygiene
Resetting passwords should be a priority for organizations to mitigate the risk of compromised accounts. Additionally, revoking session cookies, strengthening multifactor authentication (MFA), and maintaining strong credential hygiene are crucial steps to safeguard against such attacks.
Transition to Passwordless Authentication
Transitioning to passwordless authentication methods can mitigate the risk posed by password spray attacks. By eliminating passwords and utilizing MFA, organizations can significantly enhance their security posture.
Safeguarding Active Directory
Protecting Active Directory Federation Services (AD FS) servers is essential to prevent Golden SAML attacks commonly employed by APT groups like Peach Sandstorm, since the attack depends on stealing the token-signing material held by those servers. Organizations should implement robust security measures to fortify their Active Directory infrastructure.
Implications and the Iranian Threat Landscape
The cyber-espionage campaign conducted by Peach Sandstorm reinforces the persistent and evolving threat posed by Iranian state-sponsored actors. These actors combine offensive network operations with messaging and amplification techniques to manipulate targets’ perceptions and behavior. The US Department of the Treasury has previously sanctioned the Iranian government for their cybercrime activities. Recent incidents involving Iranian actors include exploiting vulnerabilities in a US aeronautical organization and adding backdoor capabilities to spear-phishing payloads targeting an Israeli reporter. In February, Microsoft also attributed an attack on Charlie Hebdo’s database to an Iranian state actor known as Neptunium.
Protecting Against the Iranian Threat
Organizations must remain vigilant in the face of threats from Iranian actors. Implementing strong security measures, such as unique and strong passwords for every site and service, multifactor authentication, and the use of password managers, can significantly mitigate the risk of successful attacks. Additionally, staying updated on potential vulnerabilities and patching software promptly is critical to safeguard against known exploits.
International Cooperation
Given the global nature of cyber threats, international cooperation is essential in combating malicious activities conducted by state-sponsored actors. Governments, cybersecurity organizations, and private sector entities should work together to share threat intelligence, develop stronger defenses, and hold perpetrators accountable.
Evaluating Long-Term Strategies
As the threat landscape continues to evolve, organizations should consider adopting long-term strategies, including investing in advanced threat detection and prevention technologies, conducting regular security audits, and prioritizing employee cybersecurity training. A proactive and comprehensive approach to cybersecurity is vital in mitigating the impact of cyber-espionage campaigns conducted by advanced actors like Peach Sandstorm.
Overall, the Iranian cyber-espionage campaign serves as a reminder of the persistent cyber threats faced by organizations globally. The incidents highlight the need for continuous vigilance, robust defense measures, international collaboration, and proactive measures to protect against the evolving tactics and techniques employed by state-sponsored threat actors.