The APT33 Iranian hacking group has used new Tickler malware to backdoor the networks of organizations in the government, defense, satellite, oil and gas sectors in the United States and the United Arab Emirates.
As Microsoft security researchers observed, the threat group (also tracked as Peach Sandstorm and Refined Kitten), which operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC), used this new malware as part of an intelligence collection campaign between April and July 2024.
Throughout these attacks, the threat actors leveraged Microsoft Azure infrastructure for command-and-control (C2), using fraudulent, attacker-controlled Azure subscriptions that the company has since disrupted.
APT33 breached targeted organizations in the defense, space, education, and government sectors following successful password spray attacks between April and May 2024. In these attacks, they attempted to gain access to many accounts using a small number of commonly used passwords to avoid triggering account lockouts.
“While the password spray activity appeared consistently across sectors, Microsoft observed Peach Sandstorm exclusively leveraging compromised user accounts in the education sector to procure operational infrastructure. In these cases, the threat actor accessed existing Azure subscriptions or created one using the compromised account to host their infrastructure,” Microsoft said.
The Azure infrastructure they gained control of was used in subsequent operations targeting the government, defense, and space sectors.
“In the past year, Peach Sandstorm has successfully compromised several organizations, primarily in the aforementioned sectors, using bespoke tooling,” Microsoft added.
The Iranian threat group also used this tactic in November 2023 to compromise the networks of defense contractors worldwide and deploy FalseFont backdoor malware.
In September, Microsoft warned of another APT33 campaign that had targeted thousands of organizations worldwide in extensive password spray attacks since February 2023, leading to breaches in the defense, satellite, and pharmaceutical sectors.
Microsoft has announced that starting October 15, multi-factor authentication (MFA) will be mandatory for all Azure sign-in attempts to protect Azure accounts against phishing and hijacking attempts.
The company has previously found that MFA allows 99.99% of MFA-enabled accounts to resist hacking attempts and reduces the risk of compromise by 98.56%, even when attackers attempt to breach accounts using previously compromised credentials.