Iranian nation-state threat group APT33 attempted to infiltrate thousands of organizations — sometimes successfully — in a months-long global password spray campaign.
In a threat intelligence post Thursday, Microsoft said the group’s campaign began in February and used more sophisticated tactics, techniques, and procedures (TTPs) than its previous attacks.
“Based upon the profile of victim organizations targeted and the observed follow-on intrusion activity, Microsoft assesses that this initial access campaign is likely used to facilitate intelligence collection in support of Iranian state interests.”
The advanced persistent threat (APT) group — which is also tracked as Peach Sandstorm, Holmium, and Refined Kitten — has shown a particular interest this year in compromising satellite, defense and pharmaceutical organizations.
Password spraying involves attempting to log into multiple accounts from one organization by trying a limited number of commonly used passwords. (As opposed to brute force attacks that bombard a single account with numerous login attempts).
Microsoft said in cases where APT33 was successful in breaching its targets, the group used a combination of publicly available and custom tools for discovery, persistence and lateral movement. Data was also exfiltrated in a “small number” of the intrusions Microsoft observed.
The tools APT33 employed included AzureHound and Roadtools which were used to conduct reconnaissance in Microsoft Entra ID (formerly Azure Active Directory).
“The same features that make these tools useful to legitimate users, like pre-built capabilities to explore and seamlessly dump data in a single database, also make these tools attractive options for adversaries seeking information about or from a target’s environment,” Microsoft said.
In some cases, APT33 created new Azure subscriptions and used the access they provided to carry out additional attacks and maintain persistence on target organizations’ environments.
ManageEngine and Confluence bugs exploited
In a second wave of activity, APT33 attempted to exploit two well-known vulnerabilities to gain access to their targets’ environments.
The first was a remote code execution (RCE) bug affecting Zoho ManageEngine products (CVE-2022-47966) that was recently abused by North Korea’s Lazarus Group and an unknown group that targeted a U.S. aeronautical organization.
The second vulnerability was a RCE bug in Atlassian’s Confluence Server and Data Center (CVE-2022-26134).
When APT33 was successful in breaching organizations in its favored defense, satellite and pharmaceuticals sectors, Microsoft observed the threat actor carry out a range of post-compromise activities.
In some intrusions it deployed AnyDesk, a legitimate remote monitoring and management tool that can be abused by cybercriminals to remotely access a network, persist in a compromised environment and enable command-and-control.
“The convenience and utility of a tool like AnyDesk is amplified by the fact that it might be permitted by application controls in environments where it is used legitimately by IT support personnel or system administrators,” Microsoft said.
While APT33 has previously relied heavily on password spraying to breach target organizations, the additional cloud-based TTPs it deployed in its latest campaigns were “materially more sophisticated” than those it had used in the past, Microsoft said.
Earlier this week, ESET revealed details of a campaign by another Iranian APT group. Charming Kitten carried out a “scan-and-exploit” campaign targeting vulnerable Microsoft Exchange servers that impacted at least 34 organizations, mostly in Israel.