2023-11-09

In a recent disclosure, Microsoft revealed that a state-sponsored Iranian threat group, known as APT33, has been actively conducting password spraying attacks against thousands of organizations worldwide since February 2023. This highly sophisticated cyber-espionage group, also referred to as Peach Sandstorm, HOLMIUM, or Refined Kitten, has a track record of targeting entities across various sectors, including government, defense, research, finance, and engineering.

Password spraying attacks involve attempting to authenticate to many accounts using a single password or a short list of commonly used passwords. Because each individual account sees only a few attempts, the technique raises the attacker's chances of success while minimizing the risk of triggering account lockouts. In this campaign, APT33 aimed to gain unauthorized access to a vast number of environments.
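The lockout-evading pattern described above is also what makes a spray detectable: one source address fails against many distinct accounts, each only once or twice, inside a short window. The following is an added example (not from Microsoft's report or any tool it names) that runs that detection over a small set of constructed sign-in events; the log format, window size and thresholds are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): "<timestamp> <account> <source IP> <outcome>".
SAMPLE_LOG = """\
2023-02-14T09:00:01Z alice@example.test 203.0.113.7 FAILURE
2023-02-14T09:00:04Z bob@example.test 203.0.113.7 FAILURE
2023-02-14T09:00:09Z carol@example.test 203.0.113.7 FAILURE
2023-02-14T09:00:15Z dave@example.test 203.0.113.7 FAILURE
2023-02-14T09:00:22Z erin@example.test 203.0.113.7 FAILURE
2023-02-14T09:00:30Z frank@example.test 203.0.113.7 SUCCESS
2023-02-14T09:01:00Z alice@example.test 198.51.100.9 FAILURE
2023-02-14T09:01:30Z alice@example.test 198.51.100.9 FAILURE
2023-02-14T09:02:00Z alice@example.test 198.51.100.9 SUCCESS
"""

WINDOW = timedelta(minutes=10)  # look-back window per source address (assumed)
MIN_ACCOUNTS = 5                # distinct accounts failing from one source (assumed)
MAX_PER_ACCOUNT = 2             # a spray stays under per-account lockout limits (assumed)

def parse(log_text):
    """Parse the whitespace-separated events into (time, account, source, outcome) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, account, source, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, source, outcome))
    return sorted(events)

def detect_spray(events):
    """Return {source: {"accounts": n, "successes": [...]}} for sources whose failures touch
    many distinct accounts, few attempts each, in one window, plus later successes from them."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[2]].append(ev)
    alerts = {}
    for source, evs in by_source.items():
        fails = [e for e in evs if e[3] == "FAILURE"]
        for i, start in enumerate(fails):
            window = [e for e in fails[i:] if e[0] - start[0] <= WINDOW]
            per_account = Counter(e[1] for e in window)
            if len(per_account) >= MIN_ACCOUNTS and max(per_account.values()) <= MAX_PER_ACCOUNT:
                # any success from the spraying source after the spray began is worth triage
                successes = [e[1] for e in evs if e[3] == "SUCCESS" and e[0] >= start[0]]
                alerts[source] = {"accounts": len(per_account), "successes": successes}
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for source, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"spray from {source}: {info['accounts']} accounts, successes: {info['successes']}")
```

The second source in the sample hammers a single account and is deliberately not flagged: that is a brute-force pattern, which per-account lockout already covers, whereas the spray needs the cross-account view.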

Microsoft’s Threat Intelligence team reported that APT33’s primary focus during this operation has been organizations in the satellite, defense, and pharmaceutical sectors. While the majority of attacks involved password spraying, the group also exploited vulnerabilities in Confluence and ManageEngine appliances to infiltrate target networks.

Once inside, APT33 employed various tactics to gain control of victims’ networks, including the open-source AzureHound and Roadtools frameworks, compromised Azure credentials, and abuse of Azure Arc for persistence. The group also used the Golden SAML technique for lateral movement, AnyDesk for persistence, sideloading of custom malicious DLLs to execute payloads, and EagleRelay to tunnel malicious traffic to its command-and-control infrastructure.

Microsoft’s assessment suggests that the goal of these attacks is to facilitate intelligence collection in support of Iranian state interests. The company noted that the TTPs (tactics, techniques, and procedures) used by APT33 in this campaign represent an evolution in sophistication compared to their previous activities.

These findings highlight the ongoing threat posed by state-sponsored hacking groups and the need for organizations to remain vigilant in protecting their networks and sensitive information. Password spraying attacks, in particular, continue to be a popular method for compromising enterprise accounts. Implementing strong, unique passwords, enforcing multi-factor authentication, and regularly patching software vulnerabilities are essential mitigation measures to defend against such attacks.

It is worth mentioning that this is not the first time that password spraying attacks originating from foreign threat actors have been exposed. Previously, Russian APT28 and DEV-0343, as well as the Russian-sponsored Nobelium group, have been linked to similar attacks against US government agencies, defense companies, and managed service providers.

Overall, the discovery of APT33’s extensive cyber campaign serves as a reminder of the critical need for organizations and cybersecurity professionals to remain proactive in their efforts to detect, prevent, and respond to advanced persistent threats.