
Increased cyberassaults against critical American infrastructure by entities traced back to Iran

State-backed actors are exploiting vulnerabilities in products from Check Point Software, Palo Alto Networks and other vendors to attack organizations across multiple industries.


News Article: Iran-Linked Hackers Deploy Tickler Malware in Wide-Ranging Attacks

A newly identified cyber tool, dubbed Tickler malware, is being used by an Iran-linked hacking group known as APT33 to compromise and backdoor networks in critical sectors such as government, defense, satellite, oil, and gas, particularly in the United States and the United Arab Emirates.

Separately, a joint advisory from the FBI, the Cybersecurity and Infrastructure Security Agency, and the Department of Defense Cyber Crime Center reports that a different Iran-based group, tracked as Pioneer Kitten (also known as Fox Kitten), has been collaborating with ransomware affiliates including ALPHV/BlackCat, RansomHouse, and NoEscape; those intrusions are distinct from the Tickler activity.

The Tickler malware functions as a backdoor, providing remote access to compromised systems, allowing attackers to exfiltrate data, maintain persistent access, and potentially disrupt operations within targeted infrastructure. This malware is part of broader Iranian cyber espionage and attack campaigns aimed at stealing information, influencing political processes, or enabling future disruptive attacks.

The attackers have hosted Tickler's command-and-control infrastructure on Azure, using subscriptions under their own control rather than infrastructure belonging to the victims. Researchers from Tenable estimate that only about half of the affected assets have been properly remediated.

Pioneer Kitten, the group named in the CISA and FBI advisory (and a separate group from APT33), has been seen scanning IP addresses for Check Point Security Gateways potentially vulnerable to CVE-2024-24919. That vulnerability, first disclosed in late May 2024, allows an unauthenticated attacker to read arbitrary files on internet-connected gateways that have remote access VPN or Mobile Access enabled.

The Palo Alto Networks vulnerability, CVE-2024-3400, is a command injection in the GlobalProtect feature of PAN-OS rated at the maximum severity of 10.0; it allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Federal officials said the threat actors were seen scanning for IP addresses hosting PAN-OS or GlobalProtect VPN devices, likely looking for targets for CVE-2024-3400. Palo Alto Networks has provided customers with mitigation advice for the flaw.
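Both advisories describe the same two precursors: one source sweeping many internet-facing gateways for VPN login endpoints, and requests that try to step outside the expected path on those endpoints. The triage script below, an added example that is not part of the article or of either vendor's tooling, runs over a constructed access-log sample in a simplified format (source IP, target host, request line, status, cookie) and reports sources that touch several distinct gateways and requests carrying path-traversal sequences. The endpoint prefixes are the products' public default URL paths and are assumptions here; the log lines are constructed for the example.

```python
"""Triage web-access logs from internet-facing VPN gateways for two
behaviours: broad scanning of GlobalProtect / Check Point login endpoints
from one source, and path-traversal probes against those endpoints.

Constructed example; the log format and endpoint list are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed public default URL prefixes for the two products in the advisories.
VPN_PATH_PREFIXES = {
    "/global-protect/": "GlobalProtect",
    "/ssl-vpn/": "GlobalProtect",
    "/clients/MyCRL": "Check Point",
    "/sslvpn/": "Check Point",
}

# Constructed log format: src_ip dst_host "METHOD path HTTP/x" status cookie="..."
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<dst>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)
# "../" or "..\" after URL decoding; matches regardless of how many levels.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

# Constructed sample: one wide scanner, one traversal probe, one normal user.
SAMPLE_LOG = """\
203.0.113.10 vpn1.example.com "GET /global-protect/login.esp HTTP/1.1" 200 cookie=""
203.0.113.10 vpn2.example.com "GET /global-protect/login.esp HTTP/1.1" 200 cookie=""
203.0.113.10 fw3.example.com "GET /sslvpn/Login/Login HTTP/1.1" 200 cookie=""
203.0.113.10 vpn4.example.com "GET /global-protect/login.esp HTTP/1.1" 404 cookie=""
198.51.100.7 fw3.example.com "GET /sslvpn/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 cookie=""
198.51.100.7 fw3.example.com "GET /sslvpn/Login/Login HTTP/1.1" 200 cookie=""
192.0.2.5 vpn1.example.com "GET /global-protect/login.esp HTTP/1.1" 200 cookie="PHPSESSID=abc123"
192.0.2.5 vpn1.example.com "GET /index.html HTTP/1.1" 200 cookie=""
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def product_for(decoded_path):
    """Map a decoded request path to the VPN product it targets, or None."""
    base = decoded_path.split("?", 1)[0]
    for prefix, product in VPN_PATH_PREFIXES.items():
        if base.startswith(prefix):
            return product
    return None


def analyze(log_text, scan_threshold=3):
    """Return {'scanners': {src: distinct_gateways}, 'traversal': [(src, dst, product, path)]}.

    A source is a scanner when it touched at least scan_threshold distinct
    gateways' VPN endpoints. Traversal is checked on the decoded path and
    cookie, decoding twice so double-encoded sequences are not missed.
    """
    targets = defaultdict(set)
    traversal = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        decoded_path = unquote(unquote(rec["path"]))
        product = product_for(decoded_path)
        if product is None:
            continue  # not a VPN endpoint; ignore for this triage
        targets[rec["src"]].add(rec["dst"])
        decoded_cookie = unquote(unquote(rec["cookie"]))
        if TRAVERSAL_RE.search(decoded_path) or TRAVERSAL_RE.search(decoded_cookie):
            traversal.append((rec["src"], rec["dst"], product, decoded_path))
    scanners = {src: len(hosts) for src, hosts in targets.items()
                if len(hosts) >= scan_threshold}
    return {"scanners": scanners, "traversal": traversal}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src, n in report["scanners"].items():
        print(f"scanner  {src}: probed {n} distinct gateways")
    for src, dst, product, path in report["traversal"]:
        print(f"traversal {src} -> {dst} ({product}): {path}")
```

Run on the sample, the script flags 203.0.113.10 as a scanner (four distinct gateways) and 198.51.100.7 for a decoded `../` sequence against the Check Point endpoint; the normal user on 192.0.2.5 produces nothing. The cookie is checked as well as the path because traversal input is not limited to the URL; in production the threshold and the endpoint list should be tuned to the gateways actually exposed, and the decoded path should be compared against the vendor's own indicators rather than this generic pattern alone.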

CISA officials have declined to comment on the Iran-linked threat activity beyond what was issued in the advisory. Iranian state-linked actors have, however, previously exploited vulnerabilities in Citrix NetScaler and F5 BIG-IP devices.

Rody Quinlan, staff research engineer at Tenable, stated that patching these vulnerabilities often involves complex processes, potential downtime, and risk of disrupting critical services. He urged organizations to prioritize patching and to implement multi-factor authentication and least privilege access to mitigate the risks posed by these threats.

The Tickler activity, which Microsoft attributes to Peach Sandstorm (its name for APT33), is separate from the intrusions described in the CISA and FBI advisory. The use of Tickler represents an escalation in Iran's cyber capabilities against critical infrastructure organizations, and underscores the need for those organizations to remain vigilant and to prioritize defensive measures against threats of this kind.


  1. Tickler is a backdoor: it gives its operators remote access for data exfiltration and persistence, so the risk in critical sectors is to the confidentiality of data and to the availability of operations, not only to personal privacy.
  2. Because the exploited flaws, CVE-2024-24919 in Check Point gateways and CVE-2024-3400 in PAN-OS, sit on internet-facing devices, patching them should be prioritized even where it requires downtime.
  3. Network controls still matter, but in these campaigns the exposed device is the firewall or VPN gateway itself; limiting what is reachable from the internet, and restricting access with multi-factor authentication and least privilege as Tenable advises, reduces what an attacker gains from a foothold.
  4. The Tickler campaign and the ransomware collaboration in the advisory show an escalating threat to critical infrastructure and make the case for treating the security of edge devices as a priority.
