APT33 utilised the new Tickler malware to breach defence orgs

August 30, 2024
Tickler Malware APT33 UAE US Cybercriminals Hacking

The Iran-based advanced persistent threat group APT33 has used the new Tickler malware to gain access to the networks of organisations in the government, defence, satellite, oil and gas sectors in the United States and the United Arab Emirates.

Based on reports, this APT group, also known as Refined Kitten (and tracked by Microsoft as Peach Sandstorm), used the new malware as part of an intelligence-collection campaign between April and July 2024. Throughout these operations the attackers ran their command-and-control (C2) infrastructure on Microsoft Azure, using fraudulent, attacker-controlled Azure subscriptions.

Between April and May, APT33 broke into targeted organisations in the defence, space, education and government sectors using password spraying: the attackers tried a small set of commonly used passwords against a large number of accounts rather than many passwords against one account. Because each account sees only a few failed attempts, the activity stays below account-lockout thresholds while still turning up a handful of valid credentials.

Although the password spraying hit all of these sectors, Microsoft found that the attackers only used compromised accounts from the education sector to obtain operational infrastructure.
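The distinguishing shape of a password spray, as described above, is many accounts with few failures each from one source, which is the opposite of a brute-force attack against a single account. The following Python is an added example written for this article, not code from Microsoft or from any reporting on the campaign. It runs a simple spray detector over a constructed set of sign-in records that mimic a subset of the Microsoft Entra sign-in log schema (`createdDateTime`, `userPrincipalName`, `ipAddress`, `status.errorCode`); error code 50126 is Entra's "invalid username or password" result, and the thresholds and sample data are assumptions chosen to illustrate the logic.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Microsoft Entra sign-in log errorCode for "invalid username or password".
INVALID_CREDENTIALS = 50126


def build_sample_events():
    """Constructed sign-in records (not real telemetry), shaped like the
    fields of an Entra sign-in log event that the detector below reads."""
    base = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    events = []

    # Spray: one source tries the same two passwords against 12 accounts,
    # so every account fails only twice and never trips a lockout.
    for i in range(12):
        for attempt in range(2):
            events.append({
                "createdDateTime": (base + timedelta(minutes=2 * i + 30 * attempt)).isoformat(),
                "userPrincipalName": f"user{i:02d}@example.edu",
                "ipAddress": "203.0.113.7",
                "status": {"errorCode": INVALID_CREDENTIALS},
            })

    # Brute force: many failures, but all against one account. Not a spray.
    for j in range(8):
        events.append({
            "createdDateTime": (base + timedelta(minutes=j)).isoformat(),
            "userPrincipalName": "admin@example.edu",
            "ipAddress": "198.51.100.5",
            "status": {"errorCode": INVALID_CREDENTIALS},
        })

    # Benign: a user mistypes once, then signs in successfully (errorCode 0).
    events.append({
        "createdDateTime": (base + timedelta(minutes=5)).isoformat(),
        "userPrincipalName": "alice@example.edu",
        "ipAddress": "198.51.100.20",
        "status": {"errorCode": INVALID_CREDENTIALS},
    })
    events.append({
        "createdDateTime": (base + timedelta(minutes=6)).isoformat(),
        "userPrincipalName": "alice@example.edu",
        "ipAddress": "198.51.100.20",
        "status": {"errorCode": 0},
    })
    return events


def detect_password_spray(events, window=timedelta(hours=1),
                          min_accounts=10, max_failures_per_account=3):
    """Flag source IPs whose invalid-credential failures within `window`
    touch at least `min_accounts` distinct accounts while no single account
    fails more than `max_failures_per_account` times (the low-and-slow
    profile that evades lockout thresholds). Returns {ip: summary}."""
    failures = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] != INVALID_CREDENTIALS:
            continue
        ts = datetime.fromisoformat(e["createdDateTime"])
        failures[e["ipAddress"]].append((ts, e["userPrincipalName"].lower()))

    hits = {}
    for ip, items in failures.items():
        items.sort()
        # Slide a window starting at each failure from this source.
        for start, (t0, _) in enumerate(items):
            in_window = [user for t, user in items[start:] if t - t0 <= window]
            per_user = Counter(in_window)
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_failures_per_account):
                hits[ip] = {
                    "accounts": len(per_user),
                    "attempts": len(in_window),
                    "max_per_account": max(per_user.values()),
                    "window_start": t0.isoformat(),
                }
                break
    return hits


if __name__ == "__main__":
    for ip, summary in detect_password_spray(build_sample_events()).items():
        print(f"password spray from {ip}: {summary}")
```

On the constructed data only 203.0.113.7 is flagged (12 accounts, 24 attempts, at most 2 failures per account); the single-account brute force from 198.51.100.5 and the benign mistype are not. In production the per-account ceiling should sit just below the tenant's lockout threshold, and the source key should be widened beyond a single IP, since real sprays are often distributed across proxy or VPN exit addresses.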

In those cases, Microsoft revealed that the threat actor used the compromised account to access existing Azure subscriptions or to create new ones to host their infrastructure. The Azure infrastructure set up this way was then used in later operations against the government, defence and space industries. An education-sector account that can create or manage Azure subscriptions therefore deserves the same scrutiny as one at a defence contractor: it may not hold the data the attacker wants, but it can pay for the servers that go after it.

APT33 has hacked numerous businesses for the past year, even before introducing the Tickler malware into the cybercriminal landscape.

According to reports, APT33 had already compromised multiple organisations over the previous year, before it began using Tickler. In November last year, the Iranian group used the same password-spraying approach to breach the networks of defence companies worldwide and deploy the FalseFont backdoor.

In September 2023, Microsoft warned of another APT33 campaign that targeted thousands of organisations globally in a widespread password-spray operation that had started in February 2023. Those attacks resulted in breaches in the defence, satellite and pharmaceutical industries.

Separately, Microsoft has announced that from October 15 it will begin enforcing multi-factor authentication (MFA) on Azure sign-ins, starting with the Azure portal, the Microsoft Entra admin centre and the Intune admin centre, to protect accounts from phishing and hijacking.

MFA directly blunts the technique used here: a sprayed password on its own no longer grants a session. Organisations should not wait for Microsoft's enforcement date, since it initially covers only the administrative portals; they should require MFA for every account now, including service and education-tenant accounts that hold Azure subscription rights, and monitor for the many-accounts, few-attempts failure pattern that password spraying leaves in sign-in logs.
