Peach Sandstorm APT from Iran
Share this:
Researchers from Microsoft have spotted a global cyber-espionage campaign conducted by the Iranian nation-state actor known as Peach Sandstorm.
Active since the start of this year, the campaign used masses of password spray attacks between February and July to authenticate to thousands of environments and exfiltrate data, all in support of Iranian state interests.
Once the target was compromised, the APT group employed a combination of publicly available and custom tools for activities, including reconnaissance, persistence, and lateral movement.
The attackers, conducting the attacks from Tor IPs and utilizing a “go-http-client” user agent, conducted reconnaissance using tools such as AzureHound and Roadtools, exploiting Azure resources for persistence.
An additional attack method took the form of remote exploitation of vulnerable applications, whereby Peach Sandstorm attempted to exploit known remote code execution vulnerabilities in Zoho ManageEngine (CVE-2022-47966) and Atlas Confluence (CVE-2022-26134) to gain initial access.
Peach Sandstorm used a variety of tactics, during post compromise, such as deploying AnyDesk for remote monitoring and management, conducting Golden SAML attacks to bypass authentication, hijacking DLL search orders, and using custom tools such as EagleRelay for tunneling traffic.
The campaign is particularly concerning because Peach Sandstorm leveraged legitimate credentials validated through the password spray attacks to stealthily create new Azure subscriptions within target environments and used Azure Arc to maintain control over compromised networks.
To defend against Peach Sandstorm’s activities, Microsoft advised organizations to reset passwords, revoke session cookies, and strengthen multifactor authentication (MFA).
Microsoft recommends maintaining strong credential hygiene and monitor for identity-based risks.
Transitioning to passwordless authentication methods and securing endpoints with MFA can also mitigate risks, while safeguarding Active Directory FS servers is crucial to protect against Golden SAML attacks.
Indicators of Compromise
- 192.52.166[.]76
- 108.62.118[.]240
- 102.129.215[.]40
- 76.8.60[.]64
