Malware Activity
New Backdoor “Tickler” Used Against Government and Defense Sectors
Microsoft security researchers have observed a new custom multi-stage backdoor named “Tickler” deployed by the threat actor Peach Sandstorm between April and July 2024. Peach Sandstorm, also tracked as APT33, is assessed to operate on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) based on the group’s victimology. Researchers have observed Tickler used in attacks against the satellite, communications equipment, oil and gas, and federal and state government sectors in both the United States and the United Arab Emirates. In the attacks deploying Tickler, Peach Sandstorm also used Azure infrastructure, hosted in fraudulent attacker-controlled Azure subscriptions, for command-and-control (C2). The group obtained that infrastructure by compromising user accounts in the education sector, which allowed it to create Azure for Students subscriptions and stand up resources to serve as Tickler's C2. Those accounts were compromised through password spray attacks between April and May 2024 targeting the defense, space, education, and government sectors in the US and Australia. Researchers at Microsoft identified two samples of the Tickler malware, each built to collect network information from the compromised host and send it back to the attacker via HTTP POST requests. The backdoor is also capable of executing commands, deleting files, and transferring files to and from the attacker-controlled C2 server. Microsoft has announced that, starting October 15, 2024, multi-factor authentication (MFA) will be mandatory for all Azure sign-in attempts. For organizations in the targeted sectors, CTIX analysts recommend reviewing sign-in audit logs for password spray patterns and other suspicious sign-in activity, and hunting for the indicators of compromise (IOCs) provided by Microsoft. CTIX analysts will continue to report on new and emerging malware and associated campaigns.
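The access path described above (a password spray across many accounts, then use of whichever account succeeded) is the pattern to hunt for in sign-in logs. The following is an added example, not Microsoft's or Ankura's code, that runs that logic over a handful of constructed sign-in records: it flags a source address that fails against many distinct accounts a few times each, separates that from a brute force against a single account, and then lists which sprayed accounts the same source later signed into successfully. The record layout, the addresses, the thresholds and all sample data are assumptions for illustration and should be mapped onto the tenant's real log schema.

```python
"""Password-spray hunting over sign-in audit records.

Added example for the activity described above; it is not Microsoft's or
Ankura's code. A spray shows up as one source address failing against many
distinct accounts a few times each, unlike a brute force that hammers one
account. The follow-up question is which sprayed accounts the same source
then signed into successfully. The record layout, the thresholds and every
sample record below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, user, source_ip, result).
SAMPLE_SIGNINS = [
    # One source, six accounts, one failure each, then a success: a spray.
    ("2024-05-02T08:00:01Z", "alice@example.edu", "198.51.100.7", "failure"),
    ("2024-05-02T08:00:09Z", "bob@example.edu",   "198.51.100.7", "failure"),
    ("2024-05-02T08:00:17Z", "carol@example.edu", "198.51.100.7", "failure"),
    ("2024-05-02T08:00:25Z", "dave@example.edu",  "198.51.100.7", "failure"),
    ("2024-05-02T08:00:33Z", "erin@example.edu",  "198.51.100.7", "failure"),
    ("2024-05-02T08:00:41Z", "frank@example.edu", "198.51.100.7", "failure"),
    ("2024-05-02T08:12:05Z", "carol@example.edu", "198.51.100.7", "success"),
    # One account hammered from one source: brute force, not a spray.
    ("2024-05-02T09:00:00Z", "alice@example.edu", "203.0.113.5", "failure"),
    ("2024-05-02T09:00:03Z", "alice@example.edu", "203.0.113.5", "failure"),
    ("2024-05-02T09:00:06Z", "alice@example.edu", "203.0.113.5", "failure"),
    ("2024-05-02T09:00:09Z", "alice@example.edu", "203.0.113.5", "failure"),
    # Ordinary successful sign-in from an unrelated address.
    ("2024-05-02T09:30:00Z", "alice@example.edu", "192.0.2.10", "success"),
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=30),
                          min_users=5, max_avg_failures=2.0):
    """Return {source_ip: sorted targeted users} for every source that, within
    one sliding window, failed against at least min_users distinct accounts
    with on average no more than max_avg_failures attempts per account."""
    failures = defaultdict(list)
    for ts, user, ip, result in records:
        if result == "failure":
            failures[ip].append((_parse_ts(ts), user))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        targeted = set()
        start = 0
        for end in range(len(events)):
            # Slide the left edge so the window never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            avg = sum(per_user.values()) / len(per_user)
            if len(per_user) >= min_users and avg <= max_avg_failures:
                targeted.update(per_user)
        if targeted:
            findings[ip] = sorted(targeted)
    return findings


def successes_after_spray(records, findings):
    """Accounts that a flagged source signed into successfully at or after its
    first failed attempt; these are the first candidates for the compromised
    accounts used to set up attacker-controlled cloud resources."""
    first_failure = {}
    for ts, user, ip, result in records:
        if result == "failure" and ip in findings:
            t = _parse_ts(ts)
            first_failure[ip] = min(first_failure.get(ip, t), t)
    hits = defaultdict(set)
    for ts, user, ip, result in records:
        if result == "success" and ip in findings and _parse_ts(ts) >= first_failure[ip]:
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    sprays = detect_password_spray(SAMPLE_SIGNINS)
    for ip, users in sprays.items():
        print(f"spray from {ip}: {len(users)} accounts targeted")
    for ip, users in successes_after_spray(SAMPLE_SIGNINS, sprays).items():
        print(f"follow up: {ip} later signed in as {', '.join(users)}")
```

On the sample data the spray source is flagged with all six targeted accounts and the single success it obtained afterwards, while the brute-force source is not flagged because it touched only one account. The average-failures-per-account threshold is the coarse separator between the two; on real data the window and thresholds need tuning, and sources behind shared NAT or cloud egress ranges will need additional context before they are treated as hostile.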
Threat Actor Activity
Volt Typhoon Exploiting Versa Zero-Day
Volt Typhoon, a Chinese state-backed hacking group, has been identified as the actor behind a series of cyberattacks exploiting a zero-day vulnerability in the Versa Director network management platform, tracked as CVE-2024-39717. The flaw was patched in Versa Director version 22.1.4 and affects all prior versions. Volt Typhoon has a history of targeting critical infrastructure in the U.S. and other nations. In this campaign, the group used the vulnerability to upload a custom web shell named VersaMem, designed to intercept and harvest credentials from compromised servers. The web shell, which evaded detection by antivirus software, allowed the attackers to execute arbitrary malicious code and maintain a persistent presence on the targeted networks. The attacks primarily targeted four (4) U.S. victims and one (1) non-U.S. victim in the Internet service provider (ISP), managed service provider (MSP), and information technology (IT) sectors. The earliest known exploitation of the vulnerability, observed in Singapore, was detected in June 2024. Volt Typhoon's use of small office/home office (SOHO) devices to route network traffic and evade detection aligns with the group's known tactics, techniques, and procedures (TTPs). Its methods in this campaign include using Java instrumentation to inject malicious code into the Tomcat web server process on compromised Versa Director servers, enabling follow-on attacks with the already harvested credentials. The U.S. government and cybersecurity agencies have been vigilant in addressing the threats posed by Volt Typhoon, given the group's potential to disrupt critical infrastructure and military mobilization efforts. The White House, Defense Department, and other agencies have raised alarms about the group's preemptive efforts to gain strategic footholds in U.S. infrastructure.
Mitigation measures recommended by CTIX analysts include applying the Versa patches, blocking external access to Versa Director ports 4566 and 4570, and monitoring for suspicious network traffic, especially traffic originating from SOHO routers. Organizations are advised to segment vulnerable devices within protected networks so that they are not exposed to the public internet.
- Bleeping Computer: Volt Typhoon Article
- The Record: Volt Typhoon Article
- The Hacker News: Volt Typhoon Article
Vulnerabilities
Fortra Patches Critical Password Vulnerability in FileCatalyst Workflow
Fortra has recently addressed a critical security vulnerability in its FileCatalyst Workflow software that presents a severe risk to users because of a hardcoded password. The vulnerability, tracked as CVE-2024-6633 (CVSS score 9.8/10), enables a remote attacker to gain unauthorized access to the internal HyperSQL database (HSQLDB) over TCP port 4406, the software's default. By exploiting this flaw, an attacker can read sensitive information stored in the database and create new admin-level users, gaining complete control over the FileCatalyst Workflow application. The issue affects all versions of FileCatalyst Workflow up to and including version 5.1.6 Build 139 and was first identified by Tenable. Tenable found that the static password "GOSENSGO613" is hardcoded across all deployments and cannot be changed by users through conventional means, which is what makes the vulnerability so dangerous. The HSQLDB is only intended to facilitate the installation process and is not meant for production use, but it remains in place, and remains vulnerable, if users do not configure an alternative database as Fortra recommends. Recognizing the severity of the situation, Fortra has released an urgent patch in version 5.1.7, which not only addresses CVE-2024-6633 but also fixes a high-severity SQL injection vulnerability (CVE-2024-6632) that could allow unauthorized modifications to the database during the setup process. Given the level of access this flaw could provide to attackers and the lack of available mitigations or workarounds, CTIX analysts strongly advise all users to upgrade to the latest version immediately to defend their systems from potential attacks.
This situation underscores the importance of adhering to security best practices and promptly applying patches to prevent large-scale compromises, particularly in environments where Fortra products are used, as these are often targeted by attackers due to their critical roles in corporate networks.
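Both advisories above come down to the same exposure check: the Versa Director ports 4566 and 4570 and the FileCatalyst Workflow HSQLDB port 4406 should not complete a TCP handshake from the internet, whatever the firewall policy says on paper. The following is an added example, not Versa's, Fortra's or Ankura's code, that runs that check from an external vantage point against a list of hosts. The host names and the role-to-port map are assumptions for illustration; the port numbers are the ones named in the advisories.

```python
"""External reachability check for the management ports named above.

Added example, not vendor code. Run it from a host outside the network
perimeter: any port that completes a TCP handshake is exposed regardless of
what the firewall policy says. The host names in the inventory are
placeholders and the role-to-port map is an assumption for this
illustration; the port numbers themselves are the ones in the advisories.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports the advisories say must not be reachable from untrusted networks.
ADVISORY_PORTS = {
    "versa-director": [4566, 4570],   # Versa Director, CVE-2024-39717 guidance
    "filecatalyst-workflow": [4406],  # HSQLDB default port, CVE-2024-6633
}


def port_is_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port is established within timeout.
    Refused, filtered (timed out) and unresolvable hosts all count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(targets, port_map=ADVISORY_PORTS, timeout=2.0, workers=8):
    """targets: iterable of (host, role). Returns the (host, port) pairs that
    accepted a connection, in the order they were checked."""
    jobs = [(host, port) for host, role in targets for port in port_map[role]]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda hp: port_is_open(hp[0], hp[1], timeout), jobs))
    return [hp for hp, is_open in zip(jobs, flags) if is_open]


if __name__ == "__main__":
    # Placeholder inventory; replace with the real externally facing addresses.
    inventory = [
        ("versa-director.example.net", "versa-director"),
        ("filecatalyst.example.net", "filecatalyst-workflow"),
    ]
    exposed = check_exposure(inventory)
    if exposed:
        for host, port in exposed:
            print(f"EXPOSED: {host}:{port} accepts connections from outside")
    else:
        print("no advisory port reachable from this vantage point")
```

A connection that is refused or times out is reported as closed, so a negative result from one vantage point only shows that this path is blocked; repeat the check from each network the device is meant to be isolated from. A positive result on 4406 does not require trying the hardcoded credential to be actionable: the port should not be reachable at all until the upgrade to 5.1.7 is in place.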
The semi-weekly Ankura Cyber Threat Investigations and Expert Services (CTIX) FLASH Update is designed to provide timely and relevant cyber intelligence about current or emerging cyber events. The preceding is a collection of cyber threat intelligence leads assembled over the past few days and typically includes high-level intelligence about recent threat group/actor activity and newly identified vulnerabilities impacting a wide range of industries and victims. Please feel free to reach out to the CTIX Team (ctix@ankura.com) if additional context is needed.
© Copyright 2024. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.