According to Microsoft Threat Research, the Iranian state-sponsored actor Peach Sandstorm was observed using password spray attacks to gain unauthorized access to target environments. Active since February 2023, the campaign successfully targeted the satellite, defense, and pharmaceutical sectors.
Besides password spraying, Peach Sandstorm also exploited remote code execution (RCE) vulnerabilities in Zoho ManageEngine (CVE-2022-47966) and Atlassian Confluence (CVE-2022-26134) to gain initial access.
Once they gained a foothold in a target environment, they employed a mix of publicly available and custom tools for reconnaissance, persistence, and lateral movement. Operating from Tor IPs with a go-http-client user agent, they used tools such as AzureHound and ROADtools for reconnaissance while abusing Azure resources for persistence. In at least one incident, Peach Sandstorm conducted a Golden SAML attack to access a target's cloud resources.
Peach Sandstorm also used compromised Azure credentials, created new subscriptions within the victims' Azure tenants, and abused Azure Arc to persist on and control devices in the victims' on-premises networks.
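As an added illustration of the password-spray and go-http-client user-agent signals described above (example code written for this page, not from Microsoft's report): a small detector that runs over constructed sign-in records, flagging a source IP that fails against many distinct accounts in a short window. The record layout, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry):
# (timestamp, source IP, user principal, result, user agent).
SAMPLE_LOGS = [
    ("2023-09-01T10:00:01", "203.0.113.7", "alice@example.org", "FAILURE", "Go-http-client/1.1"),
    ("2023-09-01T10:00:08", "203.0.113.7", "bob@example.org", "FAILURE", "Go-http-client/1.1"),
    ("2023-09-01T10:00:15", "203.0.113.7", "carol@example.org", "FAILURE", "Go-http-client/1.1"),
    ("2023-09-01T10:00:22", "203.0.113.7", "dave@example.org", "FAILURE", "Go-http-client/1.1"),
    ("2023-09-01T10:00:29", "203.0.113.7", "erin@example.org", "SUCCESS", "Go-http-client/1.1"),
    # One user mistyping a password three times from a browser: not a spray.
    ("2023-09-01T10:05:00", "198.51.100.9", "alice@example.org", "FAILURE", "Mozilla/5.0"),
    ("2023-09-01T10:06:00", "198.51.100.9", "alice@example.org", "FAILURE", "Mozilla/5.0"),
    ("2023-09-01T10:07:00", "198.51.100.9", "alice@example.org", "SUCCESS", "Mozilla/5.0"),
]


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=3, flag_ua="go-http-client"):
    """Flag source IPs whose failed sign-ins hit >= min_users distinct
    accounts inside any sliding window (thresholds are assumptions).
    Returns {ip: {"distinct_users", "suspicious_ua", "success_from_ip"}}.
    """
    failures, successes = defaultdict(list), defaultdict(set)
    for ts, ip, user, result, ua in events:
        when = datetime.fromisoformat(ts)
        if result == "FAILURE":
            failures[ip].append((when, user, ua))
        else:
            successes[ip].add(user)
    hits = {}
    for ip, fails in failures.items():
        fails.sort()  # oldest first so each index can open a window
        for i, (start, _, _) in enumerate(fails):
            in_window = [(u, ua) for t, u, ua in fails[i:] if t - start <= window]
            users = {u for u, _ in in_window}
            if len(users) >= min_users:
                hits[ip] = {
                    "distinct_users": len(users),
                    # Default Go HTTP client UA, as seen in the campaign.
                    "suspicious_ua": any(flag_ua in ua.lower() for _, ua in in_window),
                    # A success from a spraying IP suggests a guessed
                    # password and should be prioritised for response.
                    "success_from_ip": bool(successes[ip]),
                }
                break
    return hits
```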