
Peach Sandstorm: the persistent threat of Iranian state actors

The sophisticated cyber-espionage techniques used by Peach Sandstorm threaten global security

Microsoft has warned of a global cyber-espionage campaign led by an Iranian state actor called Peach Sandstorm. Using password attacks and exploiting vulnerabilities, they have targeted industries such as defense and pharmaceuticals. Microsoft recommends strengthening your defenses and implementing multi-factor authentication (MFA) to prevent such attacks. Iranian actors are a persistent threat to cyber security. Prevention is essential.


Microsoft recently issued a warning regarding a global cyber-espionage campaign led by an Iranian state actor known as Peach Sandstorm, or Holmium. The campaign has been successful in targeting sectors such as defense, pharmaceuticals and the space industry. According to Microsoft's Threat Intelligence team, this cyber offensive has been active since February and is based on a series of password spray attacks, through which the actor attempts to authenticate against thousands of environments in order to exfiltrate data in support of Iranian state interests.

Attack methods and APT activities

The password spray attack is a form of brute-force attack used by cybercriminals to gain unauthorized access to user accounts and systems: instead of hammering one account with many passwords, a small set of common passwords is tried against many accounts, which keeps per-account failures low enough to avoid lockout. The Peach Sandstorm APT used a combination of publicly available and customized tools to conduct various tasks, including reconnaissance, persistence and lateral movement. The campaign demonstrated more sophisticated tactics, techniques and procedures (TTPs) than Peach Sandstorm has used in the past, with attacks conducted from Tor IP addresses and the use of a “go-http-client” user agent. The threat actor leveraged tools like AzureHound and ROADtools for reconnaissance, and abused Azure resources to ensure persistence.
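The two indicators above (many distinct accounts failing from one source in a short window, plus the Tor origin and the "go-http-client" user agent) are what a defender would look for in sign-in telemetry. The following is an added example, not code from Microsoft's report or from the article: a small password-spray detector run over constructed sign-in log lines. The log format, the `KNOWN_TOR_EXITS` set and the IP addresses (documentation ranges) are all assumptions made for the example; a real deployment would feed it actual identity-provider sign-in events and a current Tor exit-node list.

```python
"""Toy password-spray detector over sign-in log lines (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines: timestamp,user,source_ip,result,user_agent.
# 198.51.100.7 sprays one password across five accounts and then lands a success;
# 203.0.113.10 is an ordinary user mistyping their own password twice.
SAMPLE_SIGNINS = """\
2023-09-01T10:00:00Z,alice@example.com,198.51.100.7,FAILURE,go-http-client/1.1
2023-09-01T10:00:05Z,bob@example.com,198.51.100.7,FAILURE,go-http-client/1.1
2023-09-01T10:00:11Z,carol@example.com,198.51.100.7,FAILURE,go-http-client/1.1
2023-09-01T10:00:17Z,dave@example.com,198.51.100.7,FAILURE,go-http-client/1.1
2023-09-01T10:00:24Z,erin@example.com,198.51.100.7,FAILURE,go-http-client/1.1
2023-09-01T10:00:31Z,frank@example.com,198.51.100.7,SUCCESS,go-http-client/1.1
2023-09-01T10:02:00Z,alice@example.com,203.0.113.10,FAILURE,Mozilla/5.0
2023-09-01T10:02:30Z,alice@example.com,203.0.113.10,FAILURE,Mozilla/5.0
2023-09-01T10:03:00Z,alice@example.com,203.0.113.10,SUCCESS,Mozilla/5.0
"""

# Constructed placeholder: a real detector loads a current Tor exit-node list.
KNOWN_TOR_EXITS = {"198.51.100.7"}


def parse_signins(text):
    """Parse the CSV-style lines above into dicts with a datetime timestamp."""
    records = []
    for line in text.strip().splitlines():
        ts, user, ip, result, ua = line.split(",", 4)
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "result": result, "ua": ua,
        })
    return records


def is_suspicious_agent(ua):
    """Go's default HTTP client identifies itself as 'Go-http-client/<version>'."""
    return ua.lower().startswith("go-http-client")


def detect_password_spray(records, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failed sign-ins touch >= min_accounts distinct users
    inside a sliding `window`; also report any success from that IP after the
    spray began, whether the IP is a known Tor exit, and the user-agent indicator."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        failures = [r for r in recs if r["result"] == "FAILURE"]
        if not failures:
            continue
        # Sliding window over failures, counting distinct target accounts.
        counts, start, best = defaultdict(int), 0, 0
        for end, r in enumerate(failures):
            counts[r["user"]] += 1
            while failures[end]["ts"] - failures[start]["ts"] > window:
                old = failures[start]["user"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        if best < min_accounts:
            continue
        first_failure = failures[0]["ts"]
        alerts[ip] = {
            "distinct_accounts": best,
            "success_after_spray": [r["user"] for r in recs
                                    if r["result"] == "SUCCESS" and r["ts"] >= first_failure],
            "tor_exit": ip in KNOWN_TOR_EXITS,
            "suspicious_agent": any(is_suspicious_agent(r["ua"]) for r in recs),
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_password_spray(parse_signins(SAMPLE_SIGNINS)).items():
        print(ip, info)
```

The contrast between the two source IPs is the point: a single user failing twice on their own account stays below the distinct-account threshold, while a source that touches five accounts in thirty seconds is flagged, and the success that follows it is exactly the account whose password and sessions should be reset first.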

Additional attack methods and recommended countermeasures

In addition to password spray attacks, Peach Sandstorm attempted to exploit known remote code execution (RCE) vulnerabilities in applications such as Zoho ManageEngine and Atlassian Confluence to gain initial access to systems. After compromising a target, the threat actor used various tactics, including AnyDesk for remote monitoring and management, Golden SAML attacks to bypass authentication, and custom tools such as EagleRelay for traffic routing. Microsoft advised organizations to strengthen their defenses, reset passwords, revoke session cookies and implement multi-factor authentication (MFA). Additionally, it is critical to maintain strong credential hygiene and monitor identity risks.

Persistent threats from Iranian actors

According to the U.S. Department of the Treasury, Iranian threat actors are combining offensive network operations with message manipulation to influence the perception and behavior of targets. Recently, U.S. Cyber Command revealed that Iranian state-sponsored actors had exploited a vulnerability in ManageEngine to attack a U.S. aviation organization. This is just one of many cases that demonstrate that Iranian threat actors are a worryingly persistent threat to cybersecurity. It is essential that organizations take appropriate security measures to defend against such attacks, including using passwordless authentication methods and protecting endpoints with multi-factor authentication.


09/16/2023 13:15

Editorial AI
