An Iranian state-sponsored cyber actor, known as APT33, has been observed using a new malware, dubbed ‘Tickler’, to backdoor the networks of critical infrastructure organizations in both the U.S. and United Arab Emirates (UAE).
Throughout these attacks, which spanned April to July 2024, APT33 leveraged fraudulent, attacker-controlled Azure subscriptions, obtained through password spraying attacks and compromised credentials, as the command-and-control (C2) infrastructure for the Tickler backdoor.
Microsoft has since disrupted this infrastructure, halting Tickler’s ability to send information and receive commands.
The backdoor was deployed against targets in the government, defense, satellite/space, and oil and gas sectors of the United States and the UAE.
Source: Bleeping Computer
Analysis
Iranian state-sponsored cyber actors have been extremely busy in the last few months attempting to fulfill their country’s intelligence requirements and conducting influence operations.
Just last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that Iran intends to sow doubt on the integrity of democratic institutions in the U.S. and use cyber operations to collect intelligence in relation to the upcoming U.S. federal election.
The targeting of U.S. and UAE-based networks in the government, defense, satellite/space, and oil and gas sectors aligns with Iran’s intelligence priorities. Companies that operate in these sectors should be aware that they are of interest to nation-state cyber actors, and thus should take a heightened cybersecurity posture.
For example, these companies should enable multi-factor authentication on their accounts so that attack vectors such as the password spraying used in the Tickler campaign are closed. Had this been the case, APT33 would not have been able to easily secure the infrastructure required for this campaign.
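MFA closes the door, but defenders also want to see the spraying while it is happening, because the pattern (one password tried once against many different accounts from the same source) looks very different from a user mistyping a password. The following script is an added example, not code from the article or from Field Effect, and it runs over a constructed set of sign-in events (the timestamps, IPs and account names are made up, and the detection thresholds of 5 accounts within 30 minutes are assumed values a team would tune for its own environment). It flags sources whose failed sign-ins fan out across many accounts with few attempts each, and then lists which accounts later signed in successfully from a flagged source, since those are the credentials the spray actually obtained and the first ones to reset and review.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, source IP, account, outcome).
# They are illustrative only, not data from the Tickler campaign.  The first
# source tries once against many different accounts (one password, many users),
# then lands a success; the second is an ordinary user mistyping a password.
SAMPLE_EVENTS = [
    ("2024-05-02T09:00:01", "203.0.113.7", "alice@example.test", "failure"),
    ("2024-05-02T09:00:04", "203.0.113.7", "bob@example.test", "failure"),
    ("2024-05-02T09:00:07", "203.0.113.7", "carol@example.test", "failure"),
    ("2024-05-02T09:00:10", "203.0.113.7", "dave@example.test", "failure"),
    ("2024-05-02T09:00:13", "203.0.113.7", "erin@example.test", "failure"),
    ("2024-05-02T09:00:16", "203.0.113.7", "frank@example.test", "failure"),
    ("2024-05-02T09:00:19", "203.0.113.7", "grace@example.test", "success"),
    ("2024-05-02T09:05:00", "198.51.100.9", "heidi@example.test", "failure"),
    ("2024-05-02T09:05:10", "198.51.100.9", "heidi@example.test", "failure"),
    ("2024-05-02T09:05:20", "198.51.100.9", "heidi@example.test", "success"),
]


def parse_events(events):
    """Convert the ISO timestamp in each tuple to a datetime and sort by time."""
    return sorted(
        (datetime.fromisoformat(ts), ip, user, outcome) for ts, ip, user, outcome in events
    )


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Flag source IPs whose failed sign-ins inside any `window` touch at least
    `min_accounts` distinct accounts with no more than `max_per_account` failures
    each.  That shape (few attempts, many users) is password spraying; a single
    account with many failures is brute force or a forgotten password and is
    not flagged here.  Thresholds are assumed values.  Returns
    {ip: sorted list of sprayed accounts}."""
    failures_by_ip = defaultdict(list)
    for ts, ip, user, outcome in parse_events(events):
        if outcome == "failure":
            failures_by_ip[ip].append((ts, user))

    findings = defaultdict(set)
    for ip, fails in failures_by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until fails[start:end+1] fits in `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                findings[ip].update(counts)
    return {ip: sorted(users) for ip, users in findings.items()}


def successes_from_spraying_ips(events, findings):
    """Accounts that later signed in successfully from a flagged IP: these are the
    credentials the spray actually obtained and the first ones to reset and review."""
    hits = defaultdict(set)
    for _, ip, user, outcome in parse_events(events):
        if outcome == "success" and ip in findings:
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_EVENTS)
    print("spraying sources:", sprays)
    print("accounts compromised by spray:", successes_from_spraying_ips(SAMPLE_EVENTS, sprays))
```

On the sample data the first source is flagged across all six sprayed accounts while the second source (one user, three attempts) is not, and the follow-up step names the one account whose password the spray guessed. In a real deployment the events would come from the identity provider's sign-in log, and a success from a spraying source is the trigger for a credential reset and a review of what that account did afterwards, for example whether it created cloud subscriptions it had no business need for.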
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats emanating from countries like Iran. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these state-sponsored cyber actors pose.
Field Effect MDR users are automatically notified when various types of malicious activities are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.
Field Effect encourages users to enable MFA on every account unless there is a legitimate business reason not to do so.