Source |
RiskIQ |
Identifier |
8565625 |
Publication date |
2024-08-27 19:48:07 (viewed: 2024-08-28 19:18:24) |
Title |
Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations |
Text |
#### Targeted Geolocations
- United Arab Emirates
- United States
- North America
- Middle East
#### Targeted Industries
- Education
- Government Agencies & Services
- Energy
- Communications Infrastructure
## Snapshot
Microsoft has observed the Iranian state-sponsored threat actor Peach Sandstorm deploying a custom multi-stage backdoor called Tickler in attacks against targets in the satellite, communications equipment, oil and gas, and government sectors in the United States and the United Arab Emirates. Additionally, Peach Sandstorm has conducted password spray attacks targeting the educational sector for intelligence collection. They have also engaged in intelligence gathering and possible social engineering on LinkedIn. This report aims to raise awareness of Peach Sandstorm's evolving tradecraft and educate organizations on how to protect against such threats.
## Activity Overview
Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. This activity is consistent with the threat actor's persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations.
Peach Sandstorm also continued conducting [password spray attacks](https://www.microsoft.com/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/) against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection. In addition, Microsoft observed intelligence gathering and possible social engineering targeting organizations within the higher education, satellite, and defense sectors using the professional networking platform LinkedIn.
Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) based on the group's victimology and operational focus. Microsoft further assesses that Peach Sandstorm's operations are designed to facilitate intelligence collection in support of Iranian state interests.
Microsoft tracks Peach Sandstorm campaigns and directly notifies customers who we observe have been targeted or compromised, providing them with the necessary information to help secure their environment. As part of our continuous monitoring, analysis, and reporting on the threat landscape, we are sharing our research on Peach Sandstorm's use of Tickler to raise awareness of this threat actor's evolving tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity. Microsoft published information on unrelated election interference linked to Iran in the most recent [Microsoft Threat Analysis Center (MTAC) report](https://blogs.microsoft.com/on-the-issues/2024/08/08/iran-targeting-2024-us-election/).
#### Evolution of Peach Sandstorm tradecraft
In past campaigns, Peach Sandstorm has been observed to use password spray attacks to gain access to targets of interest with a high level of success. The threat actor has also conducted intelligence gathering using LinkedIn, researching organizations and individuals employed in the higher education, satellite, and defense sectors.
During the group's latest operations, Microsoft observed new tactics, techniques, and procedures (TTPs) following initial access using password spray attacks or social engineering. Between April and July 2024, Peach Sandstorm deployed a new custom multi-stage backdoor, Tickler, and leveraged Azure infrastructure hosted in fraudulent, attacker-controlled Azure subscriptions for command-and-control (C2). Microsoft continuously monitors Azur |
Notes |
★★★
|
Sent |
Yes |
Tags |
Malware
Tool
Threat
Legislation
Cloud
Commercial
|