An Iranian state-backed attack group is targeting organizations in several industries, including satellite, defense, and government, with cloud-based password spraying attacks, aiming to gain access to target environments and in some cases steal sensitive data.
The group is referred to as Peach Sandstorm by Microsoft researchers, who have been tracking its activities since the beginning of the year, and it has used a number of different tactics in its operations, which have targeted victims in several countries. In most cases, the group uses password spraying as its initial access vector, a technique that involves trying one password, or a short list of passwords, against a large number of target accounts. This isn’t the most sophisticated technique, but it can be effective given enough time and a large enough target set.
Peach Sandstorm has been active for many years and has been known to target companies across a wide range of industries, as well as government agencies. The group’s activities typically center on intelligence gathering, and it has targeted organizations in many countries. Microsoft’s researchers have observed the group using a couple of different intrusion chains recently, the first of which begins with password spraying.
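The pattern described above is what a defender can look for: a single source hitting many distinct accounts with one or two failed attempts each, rather than one account being hammered. The following is an added example, not code from the article or from Microsoft, that runs that check over a handful of constructed sign-in events shaped loosely like Entra ID sign-in log fields (timestamp, user principal name, source IP, result). The field layout, the threshold of five accounts in a 30-minute window, and the sample IPs (documentation ranges) are all assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, userPrincipalName, source IP, result).
# 203.0.113.10 sprays six accounts once each and then lands one success;
# 198.51.100.7 is a legitimate user mistyping a password three times;
# 192.0.2.44 fails against only two accounts and stays below the threshold.
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:01Z", "alice@example.test", "203.0.113.10", "failure"),
    ("2024-01-10T08:00:07Z", "bob@example.test",   "203.0.113.10", "failure"),
    ("2024-01-10T08:00:13Z", "carol@example.test", "203.0.113.10", "failure"),
    ("2024-01-10T08:00:19Z", "dave@example.test",  "203.0.113.10", "failure"),
    ("2024-01-10T08:00:25Z", "erin@example.test",  "203.0.113.10", "failure"),
    ("2024-01-10T08:00:31Z", "frank@example.test", "203.0.113.10", "failure"),
    ("2024-01-10T08:05:00Z", "erin@example.test",  "203.0.113.10", "success"),
    ("2024-01-10T09:00:02Z", "bob@example.test",   "198.51.100.7", "failure"),
    ("2024-01-10T09:00:10Z", "bob@example.test",   "198.51.100.7", "failure"),
    ("2024-01-10T09:00:20Z", "bob@example.test",   "198.51.100.7", "failure"),
    ("2024-01-10T09:01:00Z", "bob@example.test",   "198.51.100.7", "success"),
    ("2024-01-10T10:00:00Z", "gina@example.test",  "192.0.2.44",   "failure"),
    ("2024-01-10T10:00:30Z", "hal@example.test",   "192.0.2.44",   "failure"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, min_accounts=5, window_minutes=30):
    """Flag source IPs whose failed sign-ins touch >= min_accounts distinct
    accounts inside any sliding window of window_minutes.

    Returns {ip: {"accounts": [...], "first_seen": str, "last_seen": str,
                  "successes": [...]}}. 'successes' lists accounts that later
    authenticated successfully from a flagged IP, the case the article notes
    as the one that leads to cloud reconnaissance and persistence.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((parse_ts(ts), user, result))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(t, u) for t, u, r in evs if r == "failure"]
        users_in_window = Counter()  # distinct users among failures in the window
        start = 0
        for end, (t_end, user) in enumerate(failures):
            users_in_window[user] += 1
            # Slide the window start forward past failures older than the window.
            while failures[start][0] < t_end - window:
                old_user = failures[start][1]
                users_in_window[old_user] -= 1
                if users_in_window[old_user] == 0:
                    del users_in_window[old_user]
                start += 1
            if len(users_in_window) >= min_accounts:
                hit = findings.setdefault(ip, {
                    "accounts": set(),
                    "first_seen": failures[start][0].isoformat(),
                    "last_seen": None,
                    "successes": [],
                })
                hit["accounts"].update(users_in_window)
                hit["last_seen"] = t_end.isoformat()
        if ip in findings:
            findings[ip]["accounts"] = sorted(findings[ip]["accounts"])
            findings[ip]["successes"] = sorted({u for _, u, r in evs if r == "success"})
    return findings


if __name__ == "__main__":
    for ip, hit in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(hit['accounts'])} accounts sprayed "
              f"{hit['first_seen']}..{hit['last_seen']}; "
              f"successful sign-ins from this IP: {hit['successes'] or 'none'}")
```

The distinct-account count is what separates spraying from a user retyping a password: the legitimate source in the sample fails three times against one account and is never flagged. In a real deployment the same logic would run over the tenant's sign-in log export rather than the embedded list, and a success from a flagged source is the event to escalate, since that is the point at which the reconnaissance and persistence steps described later in the article become possible.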
“In a small subset of instances where Peach Sandstorm successfully authenticated to an account in a targeted environment, Microsoft observed the threat actor using AzureHound or Roadtools to conduct reconnaissance in Microsoft Entra ID (formerly Azure Active Directory). In this campaign, Peach Sandstorm used AzureHound, a Go binary that collects data from Microsoft Entra ID and Azure Resource Manager through the Microsoft Graph and Azure REST APIs, as a means of gathering information on a system of interest. Similarly, Roadtools, a framework to access Microsoft Entra ID, allowed Peach Sandstorm to access data in a target’s cloud environment and conveniently dump data of interest to a single database,” Microsoft’s researchers said.
In these intrusions, the Peach Sandstorm attackers maintained persistence by either creating a new Azure subscription that they controlled or using a previously compromised Azure resource. In other operations, the attackers have shown the ability to exploit some known vulnerabilities, including bugs in the Zoho ManageEngine apps and the Confluence Server product. Once inside a target environment, the Peach Sandstorm attackers sometimes installed the AnyDesk RMM tool for remote access, while in other cases they used a custom tool called EagleRelay, hosted on a virtual machine they created in the environment, to tunnel traffic back to their C2 infrastructure.
“The capabilities observed in this campaign are concerning as Microsoft saw Peach Sandstorm use legitimate credentials (gleaned from password spray attacks) to authenticate to targets’ systems, persist in targets’ environments, and deploy a range of tools to carry out additional activity. Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organizations’ environments,” Microsoft said.