Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets | Microsoft Security Blog

MITRE Techniques

• [T1110.001] Password Spraying – Between February and July 2023, Peach Sandstorm carried out a wave of password spray attacks attempting to authenticate to thousands of environments. “Between February and July 2023, Peach Sandstorm carried out a wave of password spray attacks attempting to authenticate to thousands of environments.”
• [T1087] Account Discovery – AzureHound and Roadtools used to conduct reconnaissance in Microsoft Entra ID. “AzureHound, a Go binary that collects data from Microsoft Entra ID and Azure Resource Manager through the Microsoft Graph and Azure REST APIs, as a means of gathering information on a system of interest.”
• [T1583] Acquire Infrastructure – Creation of new Azure subscriptions and use of cloud resources to facilitate persistence and communication. “In cases where Microsoft observed this particular intrusion chain, the threat actor used one or more persistence mechanisms. In some cases, Peach Sandstorm created a new Azure subscription on a target’s tenant and/or leveraged previously compromised Azure resources.”
• [T1090] Proxy – EagleRelay-based tunneling of traffic between actor-controlled systems and targets’ systems. “In these instances, Peach Sandstorm created a new virtual machine in a compromised Azure subscription. These virtual machines were used to run EagleRelay, a custom tool, to tunnel traffic between actor-controlled systems and targets’ systems.”
• [T1190] Exploit Public-Facing Application – Exploitation attempts against publicly facing apps (Zoho ManageEngine, Confluence). “In this wave of activity, Peach Sandstorm also attempted to exploit vulnerabilities with a public proof-of-concept (POC) in Zoho ManageEngine or Confluence, to access targets’ environments.”
• [T1550] Forge SAML Tokens – Golden SAML attack to access cloud resources. “In a March 2023 intrusion, Peach Sandstorm conducted a Golden SAML attack to access a target’s cloud resources.”
• [T1574.001] DLL Search Order Hijacking – Use of a legitimate VMware executable to carry out a search order hijack. “DLL search order hijacking allows adversaries to introduce malicious code into an environment in a way that blends in with normal activity.”
• [T1021.001] Remote Services – Lateral movement via remote services including RDP; AnyDesk used for persistence. “In a handful of environments, Peach Sandstorm used EagleRelay to tunnel traffic back to their infrastructure. In at least one intrusion, Microsoft also saw Peach Sandstorm attempting to move laterally in a compromised environment using remote desktop protocol (RDP).”