Carding
Iranian hackers are throwing sand in the eyes of strategic organizations around the world.
Microsoft researchers discovered a series of attacks using a particular password-guessing method, conducted by the APT33 group, also known as Peach Sandstorm, Holmium, Elfin and Magic Hound. The main targets are organizations in the space, defense, and pharmaceutical industries.
The APT33 group has been known since 2013. Initially, it was aimed at the aviation industry and energy companies associated with the production of petrochemical products. The vast majority of victims were in the Middle East, but there were also incidents in the US, South Korea and Europe.
From February to July 2023, hackers attacked thousands of organizations around the world. "Microsoft estimates that the initial stage of gaining access is probably used to gather intelligence information for the benefit of Iran," the published report says.
For the attacks, the group chose "password spraying", in which the same password is tried against a large number of accounts. This approach avoids the automatic account lockout that is usually triggered after several unsuccessful login attempts against a single account. After successful authentication, the attackers used various tools to search for valuable information inside the compromised systems.
The key feature of the campaign was the use of anonymizing Tor IP addresses and a specific user agent, "go-http-client", which made it more difficult to identify and prosecute the criminals.
The hackers used the AzureHound and ROADtools tools to reconnoiter Microsoft Entra ID (formerly Azure Active Directory).
An Azure Arc client was installed on the compromised device and connected to an Azure subscription controlled by Peach Sandstorm. You can use Azure Arc to monitor devices on your organization's local network from your cloud.
The group also tried to exploit vulnerabilities in Zoho ManageEngine (CVE-2022-47966) and Atlassian Confluence (CVE-2022-26134) products to access the systems.
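Because a spray spreads its guesses across accounts, per-account lockout never fires; the pattern only shows up when failed sign-ins are grouped by source. The following added example (not from the report or the post) groups constructed Entra ID-style sign-in events by source IP and flags sources that fail against many distinct accounts a few times each, noting whether the "go-http-client" user agent mentioned above was seen and which accounts that source did manage to sign into. The event tuple layout, thresholds and sample values are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample sign-in events, not real telemetry:
# (source_ip, user_agent, account, result)
SAMPLE_SIGNINS = [
    ("203.0.113.10", "go-http-client/1.1", "alice@example.test", "failure"),
    ("203.0.113.10", "go-http-client/1.1", "bob@example.test", "failure"),
    ("203.0.113.10", "go-http-client/1.1", "carol@example.test", "failure"),
    ("203.0.113.10", "go-http-client/1.1", "dave@example.test", "failure"),
    ("203.0.113.10", "go-http-client/1.1", "erin@example.test", "failure"),
    ("203.0.113.10", "go-http-client/1.1", "frank@example.test", "failure"),
    ("203.0.113.10", "go-http-client/1.1", "frank@example.test", "success"),
    # A legitimate user mistyping a password three times, then succeeding.
    ("192.0.2.5", "Mozilla/5.0 (Windows NT 10.0)", "alice@example.test", "failure"),
    ("192.0.2.5", "Mozilla/5.0 (Windows NT 10.0)", "alice@example.test", "failure"),
    ("192.0.2.5", "Mozilla/5.0 (Windows NT 10.0)", "alice@example.test", "failure"),
    ("192.0.2.5", "Mozilla/5.0 (Windows NT 10.0)", "alice@example.test", "success"),
]

SPRAY_UA = "go-http-client"  # user agent the report attributes to the campaign


def detect_password_spray(events, min_accounts=5, max_per_account=2):
    """Return one finding per source IP whose failures fit a spray pattern.

    Per-account lockout counts attempts against a single account, so one guess
    per account stays below it. Grouping failures by source instead exposes the
    spray: many distinct accounts, each tried only a few times.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> account -> failures
    successes = defaultdict(set)                       # ip -> accounts signed in
    agents = defaultdict(set)                          # ip -> user agents seen
    for ip, ua, account, result in events:
        agents[ip].add(ua)
        if result == "failure":
            failures[ip][account] += 1
        elif result == "success":
            successes[ip].add(account)
    findings = []
    for ip, per_account in failures.items():
        if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
            findings.append({
                "source_ip": ip,
                "distinct_accounts": len(per_account),
                # accounts that authenticated from a spraying source need review
                "succeeded": sorted(successes[ip]),
                "go_http_client": any(SPRAY_UA in ua for ua in agents[ip]),
            })
    return findings
```

The user with three failures on a single account is not flagged, because the signal is breadth across accounts rather than depth against one.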