Iranian Hackers Breach Defense Orgs in Password Spray Attacks

Cyber Security Threat Summary:
Microsoft reports that since February 2023 an Iranian-backed threat group known as APT33 (also tracked as Peach Sandstorm, HOLMIUM, and Refined Kitten) has been conducting password spray attacks against thousands of organizations in the U.S. and globally. In a password spray, the attacker tries a single, commonly used password against many accounts rather than many passwords against one account, which raises the odds of a hit while staying below per-account lockout thresholds. The state-sponsored hackers have also stolen sensitive data from a limited number of victims in sectors such as defense, satellite, and pharmaceuticals. APT33 has a history of cyber-espionage dating back to at least 2013, targeting a range of industries in countries including the United States, Saudi Arabia, and South Korea. In addition to password spraying, the attackers exploited vulnerabilities in internet-exposed Confluence and ManageEngine appliances to infiltrate their targets' networks, demonstrating a multi-pronged approach to initial access. After gaining a foothold, the APT33 hackers used the open-source AzureHound and ROADtools frameworks to perform reconnaissance against the victims' Azure Active Directory and to extract data from their cloud environments. They further used compromised Azure credentials to create new Azure subscriptions in the victims' tenant and leveraged Azure Arc to maintain persistence, giving them control over on-premises devices within the victims' network.
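The spray pattern described above (one guess per account across many accounts, kept under lockout thresholds) is what a defender looks for in sign-in logs. The following is an added detection example, not code from the Microsoft report: the record layout and the sample records are constructed, status 50126 is Entra's "invalid username or password" code, and the legacy client names are modeled on Entra's clientAppUsed field.

```python
"""Spot password-spray patterns in Entra-style sign-in logs (added example,
not from the Microsoft report; field layout constructed, status 50126 is
Entra's 'invalid username or password' code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Client names modeled on Entra's clientAppUsed field; these cannot enforce MFA.
LEGACY_CLIENT_APPS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}
# Constructed sample: 203.0.113.10 tries one guess per account across six
# accounts (spray); 198.51.100.7 hammers a single account (brute force).
SAMPLE_LOGS = """\
2023-09-14T08:00:00|alice@corp.example|203.0.113.10|50126|IMAP4
2023-09-14T08:00:40|bob@corp.example|203.0.113.10|50126|IMAP4
2023-09-14T08:01:20|carol@corp.example|203.0.113.10|50126|IMAP4
2023-09-14T08:02:00|dave@corp.example|203.0.113.10|50126|IMAP4
2023-09-14T08:02:40|erin@corp.example|203.0.113.10|50126|IMAP4
2023-09-14T08:03:20|frank@corp.example|203.0.113.10|50126|IMAP4
2023-09-14T08:05:00|grace@corp.example|198.51.100.7|50126|Browser
2023-09-14T08:05:05|grace@corp.example|198.51.100.7|50126|Browser
2023-09-14T08:05:10|grace@corp.example|198.51.100.7|50126|Browser
2023-09-14T08:10:00|alice@corp.example|192.0.2.5|0|Browser"""

def parse_logs(text):
    """Parse 'time|user|ip|status|client_app' lines into dicts."""
    records = []
    for line in text.splitlines():
        t, user, ip, status, app = line.split("|")
        records.append({"time": datetime.fromisoformat(t), "user": user,
                        "ip": ip, "status": int(status), "app": app})
    return records

def detect_spray(records, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Flag source IPs whose failures fit a spray: many distinct accounts,
    few attempts each (stays under lockout thresholds), within one window."""
    failures = defaultdict(list)
    for r in records:
        if r["status"] == 50126:
            failures[r["ip"]].append(r)
    findings = {}
    for ip, rows in failures.items():
        per_user = defaultdict(int)
        for r in rows:
            per_user[r["user"]] += 1
        times = [r["time"] for r in rows]
        if (len(per_user) >= min_users and max(per_user.values()) <= max_per_user
                and max(times) - min(times) <= window):
            findings[ip] = {"accounts": len(per_user), "attempts": len(rows),
                            "legacy_auth": any(r["app"] in LEGACY_CLIENT_APPS for r in rows)}
    return findings

if __name__ == "__main__":
    for ip, info in detect_spray(parse_logs(SAMPLE_LOGS)).items():
        print(f"possible spray from {ip}: {info}")
```

The brute-force source is deliberately not flagged: it fails the distinct-account threshold, which is the property that separates a spray from a single-account attack and from ordinary user typos.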

Security Officer Comments:
The APT33 actors were observed employing a range of techniques in these operations, including Golden SAML attacks for lateral movement, AnyDesk for persistence, custom malicious DLLs to load their payloads, and the EagleRelay tunneling tool to route traffic to their command-and-control (C2) infrastructure. Microsoft assesses that this initial access campaign most likely serves to gather intelligence in support of Iranian state interests, based on the organizations targeted and the intrusion activity observed. The company also notes that many of the cloud-based tactics, techniques, and procedures (TTPs) seen in these recent campaigns are more sophisticated than Peach Sandstorm's previous capabilities. As Microsoft's Identity Security Director, Alex Weinert, highlighted three years ago, password spray attacks are prevalent, accounting for over a third of enterprise account compromises. In July 2021, the NSA reported that the Russian APT28 military hacking group had conducted password spray attacks against U.S. government and Department of Defense agencies from Kubernetes clusters. Months later, in October 2021, Microsoft identified the Iran-linked DEV-0343 and Russian-sponsored Nobelium groups carrying out password spray attacks against defense technology companies and managed service providers (MSPs).

Suggested Correction(s):
To harden an attack surface against Peach Sandstorm activity, Microsoft recommends defenders implement the following:

  • Reset account passwords for any accounts targeted during a password spray attack. If a targeted account had system-level permissions, further investigation may be warranted.
  • Revoke session cookies in addition to resetting passwords.
    • Revoke any multifactor authentication (MFA) setting changes made by the attacker on any compromised users’ accounts
    • Require re-challenging MFA for MFA updates as the default
  • Implement the Azure Security Benchmark and general best practices for securing identity infrastructure, including:
    • Create conditional access policies to allow or disallow access to the environment based on defined criteria.
    • Block legacy authentication with Microsoft Entra ID by using Conditional Access. Legacy authentication protocols cannot enforce MFA, so blocking them prevents password spray attackers from taking advantage of the lack of MFA on those protocols.
    • Enable AD FS web application proxy extranet lockout to protect users from password brute force compromise.
  • Secure accounts with credential hygiene:
    • Practice the principle of least privilege and audit privileged account activity in your Microsoft Entra ID environments to slow and stop attackers.
    • Deploy Microsoft Entra ID Connect Health for Active Directory Federation Services (AD FS). This captures failed attempts as well as IP addresses recorded in AD FS logs for bad requests in the Risky IP report.
    • Use Microsoft Entra ID password protection to detect and block known weak passwords and their variants.
    • Turn on identity protection in Microsoft Entra ID to monitor for identity-based risks and create policies for risky sign ins.
  • Use MFA to mitigate successful password spray attacks. Keep MFA always-on for privileged accounts and apply risk-based MFA for normal accounts.
  • Consider transitioning to a passwordless primary authentication method, such as Azure MFA, certificates, or Windows Hello for Business.
  • Secure RDP or Windows Virtual Desktop endpoints with MFA to harden against password spray or brute force attacks.
Securing critical assets like AD FS servers is a high-value measure to protect against golden SAML attacks. The guidance provided below is applicable beyond just Peach Sandstorm activity and can help organizations harden their attack surfaces against a range of threats.

It’s critical to treat your AD FS servers as a Tier 0 asset, protecting them with the same controls you would apply to a domain controller or other critical security infrastructure. AD FS servers provide authentication to configured relying parties, so an attacker who gains administrative access to an AD FS server can achieve total control of authentication to those relying parties (including Microsoft Entra ID tenants configured to use the AD FS server). Practicing credential hygiene, notably the recommendations provided above, is critical for protecting highly privileged administrator accounts and preventing their exposure. This especially applies to more easily compromised systems such as workstations: restrict where privileged accounts can log on, and prevent lateral movement to these systems with controls such as the Windows Firewall.

Link(s):