
Microsoft detects new tickler malware attacking satellite devices

TLDR:

Microsoft observed Tickler, a new multistage backdoor, being used by the IRGC-affiliated state-sponsored threat actor Peach Sandstorm against satellite, communications, oil and gas, and government organizations in the US and UAE. Compromised satellite systems can be abused to disrupt communications and steal data. The attacker used fraudulent Azure subscriptions to stand up C2 infrastructure and carried out post-compromise activity such as lateral movement and data gathering.

Article:

Cybersecurity researchers at Microsoft recently reported that Peach Sandstorm, a state-sponsored threat actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), added Tickler, a new multistage backdoor, to its toolset between April and July 2024. Satellite systems are an attractive target because modern military and global communications depend on them: an attacker who compromises them can disrupt communications, steal data, and degrade the navigation and timing services they provide. The custom malware was used against satellite, communications, oil and gas, and government organizations in the US and UAE.

In the same period, Peach Sandstorm carried out password spray attacks against organizations in the defense, space, education, and government sectors in the US and Australia, and gathered intelligence on LinkedIn using fake profiles. Two Tickler samples were identified: the first was disguised as a PDF, and the second downloaded additional payloads and malicious DLLs.
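As an added illustration of the password spray activity described above (example code written for this page, not Microsoft's detection logic or anything taken from the report), the script below runs a simple per-source-IP detector over constructed sign-in events. The event shape, the IP addresses, the account names and the thresholds are all assumptions chosen for the example; the point is that a spray shows up as failures across many distinct accounts from one source in a short span, which is a different signal from one user repeatedly mistyping a password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events for this example (not real telemetry). Field order:
# (timestamp, account, source IP, result), loosely mirroring Entra ID sign-in logs.
SIGNIN_EVENTS = [
    # One user mistyping a password a few times from a home address: not a spray.
    ("2024-05-02T08:58:10Z", "alice@example.org", "198.51.100.20", "failure"),
    ("2024-05-02T08:58:30Z", "alice@example.org", "198.51.100.20", "failure"),
    ("2024-05-02T08:58:55Z", "alice@example.org", "198.51.100.20", "failure"),
    ("2024-05-02T08:59:20Z", "alice@example.org", "198.51.100.20", "success"),
    # Classic spray: one source, one attempt per account, many accounts in minutes.
    ("2024-05-02T09:00:01Z", "alice@example.org", "203.0.113.7", "failure"),
    ("2024-05-02T09:00:19Z", "bob@example.org",   "203.0.113.7", "failure"),
    ("2024-05-02T09:00:40Z", "carol@example.org", "203.0.113.7", "failure"),
    ("2024-05-02T09:01:02Z", "dave@example.org",  "203.0.113.7", "failure"),
    ("2024-05-02T09:01:25Z", "erin@example.org",  "203.0.113.7", "failure"),
    ("2024-05-02T09:01:47Z", "frank@example.org", "203.0.113.7", "failure"),
    ("2024-05-02T09:02:10Z", "grace@example.org", "203.0.113.7", "success"),  # the spray landed
    ("2024-05-02T09:02:33Z", "heidi@example.org", "203.0.113.7", "failure"),
    # Two colleagues behind a shared office IP, each failing once: below threshold.
    ("2024-05-02T09:05:00Z", "bob@example.org",   "192.0.2.9", "failure"),
    ("2024-05-02T09:06:00Z", "carol@example.org", "192.0.2.9", "failure"),
    ("2024-05-02T09:06:30Z", "bob@example.org",   "192.0.2.9", "success"),
    # Low-and-slow spray: one account per hour, which a 30-minute window misses.
    ("2024-05-02T10:00:00Z", "ivan@example.org",    "203.0.113.8", "failure"),
    ("2024-05-02T11:00:00Z", "judy@example.org",    "203.0.113.8", "failure"),
    ("2024-05-02T12:00:00Z", "ken@example.org",     "203.0.113.8", "failure"),
    ("2024-05-02T13:00:00Z", "laura@example.org",   "203.0.113.8", "failure"),
    ("2024-05-02T14:00:00Z", "mallory@example.org", "203.0.113.8", "failure"),
    ("2024-05-02T15:00:00Z", "nick@example.org",    "203.0.113.8", "failure"),
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def detect_password_spray(events, window_minutes=30, min_accounts=5):
    """Flag source IPs that produced failed sign-ins for at least `min_accounts`
    distinct accounts within any `window_minutes` span.

    Returns {source_ip: {"window_start", "accounts_targeted", "successful_logins"}}.
    The signal is the number of distinct accounts with failures, not the raw
    failure count, which would also fire on a single user fumbling a password.
    """
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, account, ip, result in events:
        by_ip[ip].append((datetime.strptime(ts, TS_FORMAT), account.lower(), result))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        best = None
        # Slide a window starting at each event; O(n^2) per IP is fine for an example.
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failed = {acct for _, acct, res in in_window if res == "failure"}
            if len(failed) >= min_accounts and (best is None or len(failed) > len(best[1])):
                # A success from a spraying source in the same window is a likely compromise.
                hits = sorted({acct for _, acct, res in in_window if res == "success"})
                best = (start, failed, hits)
        if best is not None:
            start, failed, hits = best
            findings[ip] = {
                "window_start": start.strftime(TS_FORMAT),
                "accounts_targeted": len(failed),
                "successful_logins": hits,
            }
    return findings


if __name__ == "__main__":
    for ip, f in detect_password_spray(SIGNIN_EVENTS).items():
        print(f"{ip}: {f['accounts_targeted']} accounts targeted from {f['window_start']}, "
              f"successful logins: {f['successful_logins'] or 'none'}")
```

With the default 30-minute window only 203.0.113.7 is flagged, with grace@example.org as the account whose credentials the spray landed on; the hourly attempts from 203.0.113.8 only surface when the window is widened to several hours. Real spray campaigns are also spread across many source addresses, so a production rule would additionally group by user agent, ASN or the set of targeted accounts rather than by single IP.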

For command and control, Peach Sandstorm created Azure tenants using student subscriptions and set up multiple azurewebsites[.]net domains as C2 nodes. Post-compromise activity included lateral movement inside a European defense organization, attempts to install AnyDesk, and, at a Middle East satellite operator, capture of an Active Directory snapshot and delivery of a malicious ZIP file via Microsoft Teams.

Microsoft's recommended mitigations include resetting passwords on affected accounts, implementing the Azure Security Benchmark, applying least-privilege access to accounts, enabling cloud-delivered protection, educating users about sign-in security, and moving to passwordless authentication.

