2024-09-12

APT33's Range of Attacks from Password Spraying to Proficiency in Azure

Level: Tactical | Source: Microsoft | Sectors: Aerospace, Defense, Education, Government, Oil and Gas, Satellites

Iranian state-sponsored threat actor APT33, also known as Elfin, HOLMIUM, Peach Sandstorm, and Refined Kitten, actively targeted organizations in the aerospace, defense, education, government, oil and gas, and satellite sectors from April to July 2024. Microsoft, which identified the campaign, reports that the group's primary objective is intelligence gathering. Recent campaigns have relied on password spraying rather than brute-force attacks, which lets the operators work more stealthily and avoid account lockouts. Peach Sandstorm's activities include deploying a custom backdoor known as Tickler and leveraging Azure infrastructure. The group has also masqueraded as students, developers, and talent acquisition managers on LinkedIn to identify targets and compromise accounts.

APT33's use of password spraying in its attacks dates back to at least February 2023. "In April and May 2024, Microsoft observed Peach Sandstorm conducting password spray attacks targeting organizations in the US and Australia's defense, space, education, and government sectors. In particular, Peach Sandstorm continued to use the 'go-http-client' user agent that they are known to leverage in password spray campaigns," Microsoft reports. One notable difference emerged across the targeted industries: Microsoft observed that while "the password spray activity appeared consistently across sectors," the group was "exclusively leveraging compromised user accounts in the education sector to procure operational infrastructure." Where organizations had Azure infrastructure available, the Iranian operators used compromised accounts to access existing Azure subscriptions or create new ones. In some instances the threat actors established Azure tenants and added newly created Azure for Students subscriptions within them. The actors also provisioned Azure resources that served as command-and-control (C2) infrastructure for their operations.
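From a detection standpoint, the pattern described above (many accounts failing from one source, a known automation user agent) is visible in sign-in telemetry. The following is an added example, not code from Microsoft or Anvilogic, that flags password-spray behaviour in Entra ID (Azure AD) sign-in records; the field names are assumed to follow the SignInLogs schema, the 30-minute window and five-account threshold are illustrative, and every sample record is constructed.

```python
# Added example (not from the Microsoft report): password-spray detection over
# Entra ID sign-in records. Schema field names are assumed; sample data is constructed.
import json
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_USER_THRESHOLD = 5         # distinct accounts failing from one source IP
WINDOW = timedelta(minutes=30)    # sliding window in which those failures must occur
KNOWN_SPRAY_AGENTS = ("go-http-client",)  # user agent cited in the Microsoft report

# Constructed sample: one IP fails across five accounts with the go-http-client
# agent; a second IP has a single unrelated failure followed by a success.
SAMPLE_SIGNINS = """
{"createdDateTime":"2024-05-02T10:00:01Z","userPrincipalName":"a.lee@example.edu","ipAddress":"203.0.113.10","userAgent":"go-http-client/1.1","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-02T10:03:12Z","userPrincipalName":"b.chen@example.edu","ipAddress":"203.0.113.10","userAgent":"go-http-client/1.1","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-02T10:06:40Z","userPrincipalName":"c.diaz@example.edu","ipAddress":"203.0.113.10","userAgent":"go-http-client/1.1","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-02T10:09:55Z","userPrincipalName":"d.khan@example.edu","ipAddress":"203.0.113.10","userAgent":"go-http-client/1.1","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-02T10:12:03Z","userPrincipalName":"e.rossi@example.edu","ipAddress":"203.0.113.10","userAgent":"go-http-client/1.1","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-02T10:05:00Z","userPrincipalName":"a.lee@example.edu","ipAddress":"198.51.100.7","userAgent":"Mozilla/5.0","status":{"errorCode":50126}}
{"createdDateTime":"2024-05-02T10:07:30Z","userPrincipalName":"a.lee@example.edu","ipAddress":"198.51.100.7","userAgent":"Mozilla/5.0","status":{"errorCode":0}}
"""

def parse_events(text):
    """Parse newline-delimited JSON sign-in records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def detect_password_spray(events, threshold=SPRAY_USER_THRESHOLD, window=WINDOW):
    """Return {ip: details} for source IPs whose failed sign-ins hit at least
    `threshold` distinct accounts inside any interval of length `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] == 0:          # successful sign-in: not a spray signal
            continue
        ts = datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00"))
        failures[e["ipAddress"]].append((ts, e["userPrincipalName"], e["userAgent"]))
    alerts = {}
    for ip, rows in failures.items():
        rows.sort()                                # oldest first for the sliding window
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1                         # drop events older than the window
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= threshold:
                agents = {ua for _, _, ua in span}
                alerts[ip] = {"users": sorted(users), "known_spray_agent": any(
                    ua.startswith(a) for ua in agents for a in KNOWN_SPRAY_AGENTS)}
                break                              # one alert per source IP
    return alerts
```

Error code 50126 is the Entra ID "invalid username or password" result; in production the same logic would read from the SignInLogs table or the Graph API rather than an inline string.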

Supporting these C2 capabilities, the Tickler malware, with samples discovered in July 2024, was delivered in .zip files attempting to masquerade as PDF files. The malware collects network and system information from the compromised host, then downloads and executes batch scripts that use reg.exe to establish persistence through the Run registry key, with the payload stored as a file named "SharePoint.exe." Additional post-compromise activity by APT33 included using SMB for lateral movement within compromised networks and downloading remote monitoring and management (RMM) tools such as AnyDesk to maintain persistence. Peach Sandstorm was also observed taking Active Directory snapshots with AD Explorer, a technique used against a Middle East-based satellite operator, to gather detailed information about the compromised environment.

Given the wide range of threat capabilities demonstrated by APT33, Microsoft offers safeguards and guidance to counter the threats the group poses. Among the recommendations, the most significant is the implementation of multifactor authentication (MFA). Microsoft announced that on October 15, 2024, the company will implement mandatory MFA for all Azure sign-in attempts in an effort to safeguard accounts.
