Enfoa https://enfoa.com Worry-Free Penetration Testing Fri, 06 Sep 2024 19:32:53 +0000 en-US

Iranian Hacking Group Unleashes New Backdoor to Infiltrate Space Industry https://enfoa.com/iranian-hacking-group-unleashes-new-backdoor-to-infiltrate-space-industry/ Fri, 06 Sep 2024 19:32:16 +0000 https://enfoa.com/?p=16733
Iranian Hacking Group Unleashes New Backdoor to Infiltrate Space Industry

APT33 is a hacking group backed by the Iranian government; Microsoft tracks it as “Peach Sandstorm.” The group has been a major player in international cyber espionage for over a decade, targeting a wide range of public and private organizations, including critical infrastructure, with methods that range from the simple to the sophisticated: low-effort but effective tactics such as password spraying on one end, custom malware built for industrial disruption on the other. According to new research from Microsoft, Peach Sandstorm is now expanding its capabilities with a newly discovered multistage backdoor dubbed “Tickler.”

Tickler is a custom multistage backdoor that gives its operators remote control of compromised hosts. Peach Sandstorm deploys it after gaining initial access through password spraying or social engineering. In recent months the malware has been used against targets in several sectors, including satellite communications, oil and gas, and government agencies in the United States and the United Arab Emirates. Its development and deployment point to a focused effort by Peach Sandstorm to achieve specific espionage and operational objectives.

Alongside Tickler, Peach Sandstorm continues to rely on low-tech but high-yield password-spray attacks. Instead of trying many passwords against one account, which quickly triggers lockouts, the attacker tries a small number of common or previously leaked passwords against thousands of accounts, staying under per-account lockout thresholds while making a hit somewhere in a large tenant very likely. Microsoft says the group has used the technique against more than a thousand organizations since February 2023. Between April and May 2024, for instance, Microsoft observed Peach Sandstorm spraying organizations from the United States to Australia, concentrating on the space, defense, government, and education sectors. All of this indicates a sustained strategic interest in industries critical to national security and technological progress.
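As an added example, not from the article or from Microsoft, the following PowerShell function flags the spray pattern described above in failed-logon records: one source address touching many distinct accounts with only one or two attempts each, as opposed to brute force, which hammers a single account. The input shape (TimeCreated, TargetUserName, IpAddress) mirrors the fields of Windows Security event 4625; the sample records are constructed here, not real logs, and the thresholds are assumptions to be tuned per environment.

```powershell
# Added example (not from the article): flag password-spray patterns in failed-logon records.
# A spray is one source hitting many distinct accounts with few attempts per account.
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, TargetUserName, IpAddress
        [int] $WindowMinutes      = 30,              # assumed defaults; tune to the environment
        [int] $MinDistinctUsers   = 10,
        [int] $MaxAttemptsPerUser = 2
    )
    $Events | Sort-Object TimeCreated | Group-Object IpAddress | ForEach-Object {
        $ip    = $_.Name
        $first = $_.Group[0].TimeCreated
        # Bucket this source's failures into fixed windows counted from its first attempt.
        $_.Group |
            Group-Object { [int][math]::Floor(($_.TimeCreated - $first).TotalMinutes / $WindowMinutes) } |
            ForEach-Object {
                # @() keeps .Count meaning "number of distinct users" even when there is only one group.
                $perUser = @($_.Group | Group-Object TargetUserName)
                $busiest = ($perUser | Measure-Object -Property Count -Maximum).Maximum
                if ($perUser.Count -ge $MinDistinctUsers -and $busiest -le $MaxAttemptsPerUser) {
                    [pscustomobject]@{
                        SourceIp      = $ip
                        WindowStart   = $_.Group[0].TimeCreated
                        Attempts      = $_.Group.Count
                        DistinctUsers = $perUser.Count
                        MaxPerUser    = $busiest
                    }
                }
            }
    }
}

# Constructed sample (not real logs): 203.0.113.7 tries twelve accounts once each within four
# minutes (spray, flagged); 198.51.100.9 tries one account twelve times (brute force, not flagged).
$t0 = [datetime]'2024-09-06T09:00:00'
$sample = @(
    0..11 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds(20 * $_); TargetUserName = "user$_"; IpAddress = '203.0.113.7' } }
    0..11 | ForEach-Object { [pscustomobject]@{ TimeCreated = $t0.AddSeconds(20 * $_); TargetUserName = 'admin';    IpAddress = '198.51.100.9' } }
)

# Expected: a single row for 203.0.113.7 with DistinctUsers 12, Attempts 12, MaxPerUser 1.
Find-PasswordSpray -Events $sample | Format-Table
```

Against a live domain controller the same function can be fed events from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625}` after pulling TargetUserName and IpAddress out of each event's XML, or failed sign-ins exported from Entra ID. Grouping by source address is the weak point: sprays routed through rotating proxies or residential IP pools are spread across many addresses, so a second pass that counts distinct accounts failing tenant-wide per window, regardless of source, is worth adding.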

Another dimension of Peach Sandstorm's activity is social engineering through LinkedIn. Since November 2021 the group has built fake LinkedIn profiles impersonating students, software developers, and talent acquisition managers. These profiles were used to collect intelligence for later social engineering, likely against the higher education and satellite sectors. Microsoft identified and took down the fake accounts, but the persistence of the method is further evidence of Peach Sandstorm's multifaceted approach to intelligence collection.

Microsoft has also proactively detected and notified customers targeted by the password-spray activity or compromised by Tickler. The group is evidently comfortable operating in modern cloud environments: it has abused Azure subscriptions, including ones obtained through compromised accounts, to host the infrastructure used against victims. “While these might seem new targets for Peach Sandstorm, this cluster has had a sustained interest in satellite-related targets,” said Sherrod DeGrippo, threat intelligence director at Microsoft. “They’ve had previous operations that showed a strong focus on targets in the satellite, defense and pharmaceutical sectors across the globe.”

The post Iranian Hacking Group Unleashes New Backdoor to Infiltrate Space Industry first appeared on Enfoa.

Spyware Tools from NSO and Intellexa Used in Russian Government Hacks https://enfoa.com/spyware-tools-from-nso-and-intellexa-used-in-russian-government-hacks/ Fri, 06 Sep 2024 08:41:24 +0000 https://enfoa.com/?p=16729
Spyware Tools from NSO and Intellexa Used in Russian Government Hacks

Google has revealed that Russian government hackers have been using exploits identical or strikingly similar to ones created by the commercial spyware makers Intellexa and NSO Group. The finding matters because it shows the danger that exploits developed by commercial spyware vendors pose once they reach malicious actors, including nation-state hackers. How the Russian government came to possess these exploits is not known, but the case raises the larger question of how such tools can be misused for espionage and other hostile activity. The hacking group, tracked as APT29, is commonly linked to Russia’s SVR foreign intelligence service.

APT29 has a well-documented history of cyber espionage against high-profile organizations, including technology companies such as Microsoft and SolarWinds, and numerous foreign governments. The new campaign resembles earlier APT29 operations and involved planting exploit code on websites belonging to the Mongolian government. Between November 2023 and July 2024, visitors to the compromised sites, including ones related to foreign and military affairs, risked having their devices compromised and their data stolen in what is known as a “watering hole” attack. The vulnerabilities exploited had already been fixed in updates to Safari on iPhones and to Google Chrome on Android, so the exploits only worked against devices that had not been updated.

Unpatched devices remain, and they are the population at risk; the campaign is a reminder of the threat posed by out-of-date software. On iPhones and iPads the attack ran through Safari and stole browser cookies that could later be used to access the targets’ Mongolian government email accounts. Android users faced a two-exploit chain intended to steal Chrome cookies for the same kind of unauthorized access. Google’s Threat Analysis Group (TAG), with security researcher Clement Lecigne leading the analysis, identified a strong link between the exploit code used in this campaign and code previously observed in a 2021 APT29 operation.

That link led Google to attribute the attack to APT29 and raised the suspicion that the exploit code itself originated with Intellexa and NSO Group. What troubles Lecigne is less the reuse of advanced exploit code than how the tools were acquired in the first place, whether by purchase, theft, or some other route, since NSO Group and Intellexa are supposed to sell only to vetted government agencies. Lecigne says he does not know how the Russian operators obtained the exploits, but he outlines several theories, from the code having been bought after the underlying bugs were patched to its having been stolen from another customer.

Asked about the case, NSO Group would neither confirm selling its products to Russia nor say which government entities it contracts with. The incident nonetheless underscores the risks that such powerful cyber tools carry. Google urged users to patch promptly to avoid falling victim to similar attacks, and noted that iPhone and iPad users with Lockdown Mode enabled were not vulnerable, regardless of whether they were running a software version affected by the exploit.

Iranian Hacker Collective Targeting Politicians Exposed by Meta https://enfoa.com/iranian-hacker-collective-targeting-politicians-exposed-by-meta/ Wed, 04 Sep 2024 17:32:47 +0000 https://enfoa.com/?p=16725
Iranian Hacker Collective Targeting Politicians Exposed by Meta

Meta Platforms, the parent company of Facebook, Instagram, and WhatsApp, recently uncovered an Iranian state-sponsored hacking group operating on its services. The group is tracked as APT42 and, among many other names, as Charming Kitten and Mint Sandstorm.

The group used WhatsApp accounts to target individuals in many countries, including Israel, Palestine, Iran, the U.K., and the U.S. Most of the activity was aimed at political and diplomatic figures and other public figures connected to the current Biden administration and its predecessor, the Trump administration.

APT42 is linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). It is skilled at social engineering, running deceptive campaigns that lead victims to reveal their information, typically spear-phishing designed to infect targets with malware and harvest credentials. Cybersecurity firm Proofpoint recently reported that APT42 had tried to compromise the computer of a prominent Jewish figure using the AnvilEcho malware.

The campaign Meta found involved a “small cluster” of WhatsApp accounts posing as technical support for major tech companies such as AOL, Google, Yahoo, and Microsoft. Meta said the campaign was largely unsuccessful and that it found no evidence the targeted accounts were actually compromised. Even so, out of an abundance of caution, the company banned the accounts and advised the affected parties to take additional steps to lock down their online accounts.

ARRL Pays $1 Million Ransom to Restore Encrypted Systems https://enfoa.com/arrl-pays-1-million-ransom-to-restore-encrypted-systems/ Wed, 04 Sep 2024 05:38:06 +0000 https://enfoa.com/?p=16721
ARRL Pays $1 Million Ransom to Restore Encrypted Systems

A recently reported cybersecurity incident shows that the American Radio Relay League (ARRL), which calls itself the National Association for Amateur Radio, paid a $1 million ransom following a ransomware attack this past May. The attack encrypted ARRL systems, forcing the organization to take the affected systems offline immediately to contain the breach. ARRL described the incident as a sophisticated ransomware attack carried out by an international cybercrime group.

The accompanying data breach, while serious, was limited to an estimated 150 employees, according to the report ARRL filed with the Office of the Maine Attorney General. ARRL has since notified those affected by letter and revealed that the attack was first noticed on May 14. The organization did not initially name the attackers, but sources familiar with the matter later identified the Embargo ransomware gang as responsible.

In its notification, ARRL stated that it had taken measures to prevent further distribution or publication of the data, wording that implied a ransom had been paid. In later communications ARRL confirmed the payment, noting that it was made not “because of a concern for data disclosure” but to obtain a “decryption tool that [the attackers] say is required to restore their systems.” The initial demand was substantial, and ARRL had told the attackers early on that it is a non-profit with limited finances.

The attackers had evidently misjudged whom they were dealing with. The negotiation was tense and protracted, with sustained back-and-forth between ARRL and the attackers. After a period of refusal and pushback, ARRL agreed to pay $1 million, most of which, along with the restoration costs, was covered by ARRL’s insurance policy. That coverage eased the financial burden of the payment and let the organization concentrate on recovery.

Recovery is ongoing as ARRL brings its systems back. With all critical infrastructure now restored, the organization says it will take another two months to fully reintegrate the remaining affected servers, notably those used internally. Restoration is being carried out under new infrastructure guidelines and standards developed to prevent a recurrence.

Hackers Reportedly Seize Over 380GB of U.S. Marshals Secret Files https://enfoa.com/hackers-reportedly-seize-over-380gb-of-u-s-marshals-secret-files/ Mon, 02 Sep 2024 14:42:14 +0000 https://enfoa.com/?p=16717
Hackers Reportedly Seize Over 380GB of U.S. Marshals Secret Files

The ransomware group Hunters International claims to have exfiltrated more than 380 GB of sensitive data from the U.S. Marshals Service, including confidential documents on gangs, active cases, and electronic surveillance. According to the cybersecurity firm Hackmanac, the group published images of some of the allegedly stolen records on its data leak site. Hackmanac shared the screenshots with Gizmodo and said Hunters International had taken more than 327,000 documents from the federal law enforcement agency. The group set August 30 as the deadline for payment.

Other documents Hunters International is believed to have stolen include files on “Operation Turnbuckle,” a Marshals operation reported in 2022 that led to more than a dozen arrests of drug trafficking suspects in upstate New York. The group also posted screenshots of gang-related files and active case files, which appeared to contain headshots and detailed information about suspects. The disclosures raised widespread concern about the exposure of sensitive law enforcement operations and the safety of those involved.

The U.S. Marshals Service had already suffered a ransomware attack in early February 2023 that kept affected systems offline for several months. It is unclear whether the data Hunters International claims to hold came from that earlier incident.

Sofia Scozzari, CEO of Hackmanac, said that while the source of the data the hackers claim to have stolen remains uncertain, the timing of the claim suggests a correlation between the two events.

The U.S. Marshals Service said it is aware of the allegations and has reviewed the materials posted online. “Materials reviewed so far do not appear to relate to any recent or unrevealed security breach,” agency spokesman Brady McCarron said in a statement, which suggests the agency believes the material stems from older, previously known incidents or data sets rather than a new breach. Hunters International is a relatively new player in the threat landscape; researchers first identified it in October 2023.

Its emergence shortly after the February 2023 attack on the Marshals Service has fueled speculation about its origins and connections. Some cybersecurity experts consider Hunters International a rebrand of the Hive ransomware group, whose infrastructure the FBI dismantled in January 2023 after a six-month investigation. Hunters International itself claims it bought and upgraded Hive’s malware rather than descending directly from the group.

Critical Microsoft Office Zero-Day Flaw Exposes Sensitive Data https://enfoa.com/critical-microsoft-office-zero-day-flaw-exposes-sensitive-data/ Fri, 23 Aug 2024 18:49:28 +0000 https://enfoa.com/?p=16712
Critical Microsoft Office Zero-Day Flaw Exposes Sensitive Data

Microsoft has disclosed a zero-day vulnerability in its Office suite, tracked as CVE-2024-38200, for which no formal patch was yet available at the time of disclosure. If exploited, the flaw could expose sensitive information. Microsoft classifies it as a spoofing vulnerability with a CVSS score of 7.5. Affected versions include Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft 365 Apps for Enterprise. The vulnerability was discovered and reported by security researchers Jim Rush and Metin Yunus Kandemir.

In the web-based attack scenario, an attacker hosts a specially crafted file on a website, or on a compromised site that accepts user-provided content, and tricks the user into following a link sent by email or instant message so that the malicious file is opened. When the file is opened, Office reaches out to an attacker-controlled server and authenticates with NTLM, which is how the sensitive information leaks; every mitigation Microsoft lists is about stopping that outbound NTLM exchange. Exploitation therefore depends entirely on social engineering and cannot succeed without user interaction, which tempers the severity somewhat.

Microsoft has acknowledged the issue and said a formal patch for CVE-2024-38200 would ship in the Patch Tuesday update scheduled for August 13. In the meantime it rolled out an interim fix through Feature Flighting, enabled on July 30, 2024. The interim fix provides some protection, but users are advised to install the final patch as soon as it is available.

Microsoft also outlined three mitigations. First, configure the “Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers” policy to audit or deny outgoing NTLM; an NTLM challenge-response sent to an attacker’s server can be relayed to other hosts or cracked offline to recover the password. Second, add sensitive accounts to the Protected Users security group, whose members cannot authenticate with NTLM at all (this applies to user accounts only, not service or computer accounts, and it also disables delegation and the weaker Kerberos ciphers, so test before rolling it out broadly). Finally, block outbound TCP 445/SMB at the network perimeter, in local firewalls, or in VPN settings, so that NTLM authentication messages are never sent to remote file shares.
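As an added example (not from the article or from Microsoft), the following PowerShell script audits the three mitigations on a domain-joined Windows host and applies them when run with -Apply. It assumes the “Restrict NTLM” policy can be read from its registry backing value RestrictSendingNTLMTraffic, that the ActiveDirectory module is available for the Protected Users check, and that the list of accounts to protect is supplied by the caller; the firewall rule name is an assumption as well.

```powershell
# Added example (not from the article or from Microsoft): audit and optionally apply the three
# CVE-2024-38200 mitigations on a domain-joined Windows host. Run from an elevated prompt.
param(
    [switch]   $Apply,
    [string[]] $UsersToProtect = @()   # sAMAccountNames to place in Protected Users (caller-supplied)
)

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlmValue = 'RestrictSendingNTLMTraffic'   # 0 = allow all, 1 = audit, 2 = deny all

# 1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
$ntlm = (Get-ItemProperty -Path $lsaKey -Name $ntlmValue -ErrorAction SilentlyContinue).$ntlmValue
if ($ntlm -eq 2) {
    Write-Host "[OK]   Outgoing NTLM to remote servers is denied"
} else {
    Write-Host "[WARN] Outgoing NTLM to remote servers is $(if ($ntlm -eq 1) {'audited only'} else {'allowed'})"
    if ($Apply) {
        # In production start at 1 (audit) and review events 8001-8004 in
        # Microsoft-Windows-NTLM/Operational before moving to 2, since legacy apps may still need NTLM.
        Set-ItemProperty -Path $lsaKey -Name $ntlmValue -Value 2 -Type DWord
    }
}

# 2. Protected Users: members cannot authenticate with NTLM (Kerberos only, no delegation,
#    no DES/RC4). Only for interactive user accounts, never for service or computer accounts.
if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
    $members = (Get-ADGroupMember -Identity 'Protected Users').SamAccountName
    foreach ($u in $UsersToProtect) {
        if ($members -contains $u) {
            Write-Host "[OK]   $u is in Protected Users"
        } else {
            Write-Host "[WARN] $u is not in Protected Users"
            if ($Apply) { Add-ADGroupMember -Identity 'Protected Users' -Members $u }
        }
    }
} else {
    Write-Host "[SKIP] ActiveDirectory module not available; check Protected Users from a host with RSAT"
}

# 3. Block outbound SMB so an NTLM challenge/response never leaves the host for a remote share.
$ruleName = 'Block outbound SMB (TCP 445) - CVE-2024-38200 mitigation'   # assumed name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block') {
    Write-Host "[OK]   Outbound TCP 445 is blocked by '$ruleName'"
} else {
    Write-Host "[WARN] No enabled block rule for outbound TCP 445"
    if ($Apply) {
        # This is the strictest form. Scope it with -Profile Public or a -RemoteAddress range
        # outside the corporate network if internal file shares must keep working.
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile Any | Out-Null
    }
}
```

Run it once without -Apply to see the current state, and treat the NTLM deny setting and the unconditional SMB block as changes to pilot on a small group first: both will break anything that still depends on NTLM or on reaching file shares across the blocked path.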

Alongside CVE-2024-38200, Microsoft is working on fixes for two other zero-days, CVE-2024-38202 and CVE-2024-21302, which could be used to “unpatch” fully updated Windows systems by rolling components back to older, vulnerable versions. That highlights a broader problem: a patched system is only as safe as the integrity of its update process, and an attacker who can downgrade components reintroduces every bug the patches removed. Separately, Elastic Security Labs reported that attackers have been using a technique called LNK stomping for more than six years to run malicious applications without triggering Windows security warnings.

Iranian Cyber Group APT42 Targets U.S. Presidential Campaigns https://enfoa.com/iranian-cyber-group-apt42-targets-u-s-presidential-campaigns/ Thu, 22 Aug 2024 18:40:08 +0000 https://enfoa.com/?p=16708
Iranian Cyber Group APT42 Targets U.S. Presidential Campaigns

Recent reports indicate that Iranian hackers targeted both the Trump and Biden presidential campaigns. The activity is attributed to a group known as APT42, believed to operate on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC). The operation was not partisan: both Democratic and Republican campaigns were targeted. Google’s Threat Analysis Group recently found that APT42 had tried to compromise about a dozen people associated with the campaigns, along with current and former government officials. Such broad targeting reflects Iran’s interest in both campaigns, given the role these figures play in shaping U.S. policy toward the Middle East.

APT42’s activity fits a larger trend in cyber espionage that goes beyond intelligence gathering. The group does not appear to favor either candidate; its interest in both campaigns says more about the Iranian government’s interest in the two political figures than about any preference. Its operations range from phishing sites designed to lure users into entering credentials and other sensitive information to far less benign activity. APT42 has also historically targeted Israeli organizations, a focus only loosely connected to U.S. elections.

Central to the story is the report that sensitive files were stolen from the Trump campaign, with some of them reportedly offered to major news outlets. No confirmation has yet linked APT42 to that breach, but the incident bears many similarities to Russia’s 2016 hack-and-leak operation against Hillary Clinton’s campaign. That would mean APT42’s activity extends beyond conventional espionage into influence operations, a form of information warfare that seeks to affect the emotions, reasoning, or behavior of people or institutions.

Google and Microsoft have recently worked to blunt the threat by blocking scores of login attempts and notifying everyone affected. The FBI is also investigating the phishing attacks, a measure of how seriously the threat is taken. Despite these efforts, APT42’s continued focus on compromising campaign officials underlines how persistent and adaptive such operations are. In many ways its actions illustrate a wider trend in international cyber espionage: multiple state-sponsored groups now involve themselves in elections and political processes around the world, a considerable expansion of the influence operations that were once regarded as a Russian specialty.

4TB of Consumer Data Stolen in National Public Data Hack https://enfoa.com/4tb-of-consumer-data-stolen-in-national-public-data-hack/ Wed, 21 Aug 2024 19:41:49 +0000 https://enfoa.com/?p=16702
4TB of Consumer Data Stolen in National Public Data Hack

In July 2024 a post on the cybercrime forum BreachForums announced that more than 4 TB of data had been compromised. The data is reported to originate from the Florida-based nationalpublicdata.com, which collects consumer information and performs background checks. The breach was first announced in April 2024 by a cybercriminal using the handle “USDoD,” who offered the data for $3.5 million. The leaked data, spanning billions of rows, ranged from names, addresses, and phone numbers to Social Security numbers.

Analysis by HaveIBeenPwned.com and the cybercrime-focused Twitter account vx-underground confirmed that the leaked data matched what USDoD first offered for sale. The records mix consumer and business data and include the personal information of tens of millions of Americans, both living and deceased. The leak also contained 70 million rows from a U.S. criminal records database. Some news outlets reported that the breach involved 2.9 billion people; that figure is the number of rows, not the number of people, and many rows refer to the same person. Nationalpublicdata.com publicly acknowledged the breach in August 2024, saying a third-party hacker likely gained access to its data in late December 2023.

Company representatives said the breach potentially exposed names, email addresses, phone numbers, SSNs, and mailing addresses, and that the company has cooperated with law enforcement and deployed additional security measures to prevent a recurrence. The statement does not say how many SSNs were compromised. Further analysis indicates the breach included 272 million unique SSNs with associated names and addresses. Notably, a significant share of the records concern older individuals, with an average age of 70, and millions are linked to people who would be over 120 years old today.

That strongly suggests part of the data belongs to deceased individuals, a small silver lining in an otherwise severe breach. The incident underlines the vulnerabilities inherent in the data brokerage industry, where large companies collect and sell vast amounts of personal information with minimal oversight or security. Similar breaches in recent years involved PeopleConnect and People Data Labs and highlighted the widespread risks and long-term consequences of such spills. In many cases the compromised data ends up with scammers for identity theft and other fraud, with the cost ultimately borne by consumers.

Hidden Backdoor Flaw Found in Android Phones Sold by Google https://enfoa.com/hidden-backdoor-flaw-found-in-android-phones-sold-by-google/ Tue, 20 Aug 2024 19:01:52 +0000 https://enfoa.com/?p=16698
Hidden Backdoor Flaw Found in Android Phones Sold by Google

An obscure, insecure application has been found embedded in the software Google ships on some Android phones. The security firm iVerify found it on devices belonging to a U.S. intelligence contractor and said it could enable spying on users or remote control of their devices. According to iVerify’s researchers, the application appears to have been built to give deep device access for in-store demonstrations of Pixel and other Android models. The discovery has raised serious concern, especially among intelligence contractors, with companies such as Palantir Technologies ceasing to issue Android phones to employees.

Palantir Technologies, the data analytics company whose devices first surfaced the problem, was the most alarmed, not least because Google had not yet provided a fix. Dane Stuckey, Palantir’s Chief Information Security Officer, was plainly worried about mobile security and made clear that he needs to be able to trust the devices his employees use. In Palantir’s view, the presence of unvetted third-party software on Google’s own Android phones was an egregious breach of trust, and the company has effectively stopped using Android devices until the problems are resolved. The application in question, a file named Showcase.apk, is normally dormant but can be activated when certain conditions are met, and that latent capability is what makes it a serious security risk.

iVerify was able to enable the application on a device, which suggests that a capable attacker could do the same remotely. Worse, once enabled the application fetches its configuration from an insecure website over an unencrypted connection, leaving it open to man-in-the-middle attacks in which an attacker intercepts and alters the configuration the app downloads. In theory that path could be used to push malicious code or spyware onto the device. Responding to the findings, Google said it would publish an update removing the application from all supported Pixel devices. Company spokesman Ed Fernandez added that Google would also notify makers of other Android phones about the issue.

That response came more than 90 days after iVerify first contacted Google about the issue, raising questions about what was done in the meantime and what harm may have occurred. The broader concern is that preinstalled software such as Showcase.apk undermines the assurance that devices like Google’s Pixel phones are designed to be secure: this application was found on devices designed and controlled directly by Google, the company responsible for issuing their security updates. The app was reportedly created by Smith Micro Software, which specializes in remote access and parental control tools, though the company did not respond to questions about how the app came to be on Android devices.

Hackers Expose Voting Machine Flaws, No Quick Fix https://enfoa.com/hackers-expose-voting-machine-flaws-no-quick-fix/ Mon, 19 Aug 2024 19:15:58 +0000 https://enfoa.com/?p=16694
Hackers Expose Voting Machine Flaws, No Quick Fix

The DEF CON conference in August has long been a critical venue for exposing security weaknesses in voting machines, but fixing the vulnerabilities it surfaces in a timely manner remains a major challenge. Despite the ongoing efforts of the hackers who gather at DEF CON’s “Voting Village” to find these weaknesses, the lengthy remediation process means that fixes often are not in place until the next election cycle. That is especially problematic as the 2024 election approaches, given heightened concern about foreign interference and lingering claims, unsupported by any evidence, of fraud in the 2020 presidential election. At the Voting Village, hackers and election officials come together to test the security of voting machines and related equipment.

Participants try to defeat the security controls of these systems and identify loopholes that could be used against them. The event is run with tight security because of past harassment from election denialists, who treat the hackers’ findings as proof of a grave threat to democracy. Even so, the exercise has gained attention in Washington and is regarded as a valuable source of information for improving the security of voting systems. As in previous years, Voting Village participants turned up a host of vulnerabilities in voting machines; a detailed report on the findings will be released soon. This comes at a time of heightened concern about foreign and criminal interference in U.S. elections.

No concrete evidence has been produced of foreign cyberattacks that disrupted voting machines or altered results. The risk lies instead in the slow process of addressing vulnerabilities, driven largely by the need for manufacturers to develop fixes and for the systems to be recertified. Voting Village organizers and participants lament how slowly change comes: after years of identified vulnerabilities, the central complaint is that voting machine vendors are not seen to be moving quickly to address them. The complex, lengthy, and laborious certification process for voting systems goes a long way toward explaining why necessary updates are hard to deliver before an election.

The problem is compounded by the fact that voting machines are often sealed and locked down weeks before the vote, which leaves little room to address newly discovered problems. There are proposals to streamline the fixing of vulnerabilities, such as creating more formal partnerships between vendors and security researchers. One prominent model is a joint project of the Elections Industry Special Interest Group, which brought vendors together with hackers to build trust and establish protocols for coordinated vulnerability disclosure. Important as these steps are, the challenges of securing voting systems remain substantial.
