Showing posts with label MuddyWater.

Iran Based MuddyWater Attacks Israel Companies

What is MuddyWater?

An Iranian threat actor named "MuddyWater" (tracked by Microsoft as MERCURY) has been exploiting Log4j 2 vulnerabilities in SysAid applications to attack organizations in Israel.

Microsoft security researchers published an advisory on Thursday, assessing with high confidence that MERCURY's observed operations are linked to Iran's Ministry of Intelligence and Security (MOIS).

On July 23 and 25, 2022, MERCURY was observed using exploits against a vulnerable SysAid Server as its initial access vector. Based on observations from earlier campaigns and the flaws present in victim environments, the researchers assessed that the exploits used were most probably related to Log4j 2.

Microsoft links attack to Iranian Hackers

Microsoft said it assesses with moderate confidence that MERCURY exploited remote code execution vulnerabilities in Apache Log4j 2 (also referred to as “Log4Shell”) in vulnerable SysAid Server instances the targets were running. MERCURY has used Log4j 2 exploits in past campaigns as well. 

MSTIC assesses with high confidence that MERCURY is coordinating its operations in affiliation with Iran’s Ministry of Intelligence and Security (MOIS). According to the US Cyber Command, MuddyWater, a group we track as MERCURY, “is a subordinate element within the Iranian Ministry of Intelligence and Security.”

The new campaign identified by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Research Team differs from earlier MERCURY activity in that it is the first in which the group exploits SysAid applications as an initial access vector.

How does MERCURY work?

Once MERCURY has gained access, it establishes persistence, dumps credentials, and moves laterally within the victim organization using both custom and publicly available hacking tools as well as built-in operating system tools for its hands-on-keyboard attacks.

Microsoft has also listed common techniques and tooling used by MERCURY. These include spearphishing, along with tools such as the Venom proxy, the Ligolo reverse tunneling tool, and home-grown PowerShell programs.

What next?

Microsoft confirmed that it has notified customers that were hit or targeted, giving them the information required to protect their accounts. Microsoft has also published a list of indicators of compromise (IOCs) linked to MERCURY's activity.

Microsoft is not the first to link MERCURY to Iranian state actors. At the beginning of this year, both the U.K. and U.S. governments released warnings attributing the group to Iran's MOIS.

"We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems," said Microsoft. 

Polonium Assaults Against Israeli Organizations were Blocked by Microsoft


Microsoft stated that it has blocked a Lebanon-based hacking group known as Polonium from using the OneDrive cloud storage platform for data exfiltration and command and control while attacking and compromising Israeli firms. The company's Threat Intelligence Center (MSTIC) said it suspended more than 20 malicious OneDrive applications built by Polonium and alerted affected organizations, in addition to deleting the accounts created by the Lebanon-based group.

"Across the majority of its victims, this attacker has deployed unique tools that abuse lawful cloud services for command and control (C2)," according to Microsoft's research. "POLONIUM was seen generating and using legal OneDrive accounts, then using those accounts as C2 to carry out part of the offensive operation," the report says.

POLONIUM has been seen operating on, or targeting, various organizations previously compromised by the Iran-linked MuddyWater APT (aka MERCURY).

Since February 2022, the group is thought to have breached more than 20 Israeli organizations and one intergovernmental body with operations in Lebanon. Manufacturing, IT, transportation, defense, government, agriculture, finance, and healthcare companies were among the targets of interest, and one cloud service provider was compromised in order to reach a downstream aviation company and law firm in a supply chain attack.

According to Microsoft, unpatched Fortinet FortiOS SSL VPN servers vulnerable to CVE-2018-13379, a critical path traversal flaw that allows theft of login credentials, appear to represent the initial access vector for the vast majority of victims. In November 2020, a hacker disclosed credentials for nearly 50,000 vulnerable Fortinet VPNs, just days after a list of one-line exploits for CVE-2018-13379 was publicly posted.

A list of roughly 500,000 Fortinet VPN passwords supposedly harvested from susceptible devices was posted online again almost a year later. The actor's attack chains have included proprietary tools that use legitimate cloud services such as OneDrive and Dropbox accounts for C2, as well as malicious tools named CreepyDrive and CreepyBox deployed against its victims.

This is not the first time Iranian threat actors have used cloud services to their advantage. Cybereason revealed in October 2021 that a group called MalKamak ran an attack campaign that used Dropbox for C2 communications in order to stay under the radar.

MSTIC also stated that several of the victims compromised by Polonium had previously been targeted by another Iranian entity known as MuddyWater (aka Mercury), which the US Cyber Command has described as a "subordinate element" under MOIS. The victim overlap supports previous reports that MuddyWater is a "conglomerate" of several teams, similar to Winnti (China) and the Lazarus Group (North Korea).

To counter such risks, customers are encouraged to implement multi-factor authentication and to review and audit partner relationships in order to remove unnecessary permissions.

Iran's MuddyWater Hacker Group is Exploiting New Malware


According to an advisory issued by US security and law enforcement authorities, Iran-linked cyber actors are targeting a variety of government and private organizations across Asia, Africa, Europe, and North America.

"MuddyWater actors are poised to deliver stolen data and access to the Iranian government, as well as to share them with other cybercriminal actors," the agencies stated. The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom's National Cyber Security Centre (NCSC) issued a joint advisory in this regard.

This year, the cyber-espionage actor was revealed to be working for Iran's Ministry of Intelligence and Security (MOIS), conducting malicious operations against a wide range of state and private organisations in Asia, Africa, Europe, and North America, including telecommunications, defence, local government, and the oil and natural gas sectors. 

MuddyWater is also known by the aliases Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP. Aside from publicly disclosed vulnerabilities, the group has also been seen using open-source tools to gain access to sensitive information, deliver ransomware, and maintain persistence on victim networks. 

Late last month, Cisco Talos conducted a follow-up analysis and discovered a previously unknown malware campaign focused on Turkish private and governmental entities, with the aim of delivering a PowerShell-based backdoor. In its malicious operations, MuddyWater uses new variants of the PowGoop malware as its main loader, which consists of a DLL loader and a PowerShell-based downloader. The malicious programme poses as a legitimate Google Update executable and is signed as such. 

A survey script that identifies target machines and sends information about them back to the remote C2 server rounds out MuddyWater's toolset. A newly discovered PowerShell backdoor, used to execute commands received from the attacker, was also installed. 

The agencies advise enterprises to utilise multi-factor authentication whenever possible, limit the usage of administrator credentials, deploy phishing defences, and prioritise correcting known exploited vulnerabilities to provide barriers against potential attacks.

Iranian APT MuddyWater Targets Turkish Public and Government Entities


Cisco Talos discovered a new malicious campaign by the MuddyWater threat group targeting Turkish public and government entities, including the Scientific And Technological Research Council of Turkey (Tubitak). 

According to the technical details, the campaign uses malicious PDFs as the initial infection vector, leading to malicious Excel documents (XLS maldocs) and executables hosted on the file-hosting domain "snapfile[.]org". The PDFs were designed to look like legitimate documents sent by Turkish Health and other officials. 

"This campaign utilizes malicious PDFs, XLS files, and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target's enterprise," Cisco Talos researchers Asheer Malhotra and Vitor Ventura reported. 

Known for its attacks in the Middle East, the MuddyWater Advanced Persistent Threat (APT) group is also tracked as Static Kitten, Seedworm, and Mercury, and has been active since at least 2017. The group has also attacked many entities in Central and Southwest Asia, as well as numerous government and privately-owned organizations in Asia, Europe, and North America. 

The group additionally targets the telecommunications, cryptocurrency, oil, and airline industries. Cisco Talos notes that the group's TTPs are fairly consistent: heavy use of scripting in its infection chains, in languages such as PowerShell and Visual Basic, coupled with frequent use of living-off-the-land binaries (LoLBins). 

The researchers also observed the use of flags or tokens in the attacks. These flags and tokens signal a successful infection: they are hidden inside the malicious files or within the email itself, and they notify the group when the target opens the lure and runs the macro it contains. 

“Canary tokens are tokens that can be embedded in objects like documents, web pages, and emails. When that object is opened, an HTTP request is generated, alerting the token’s owner that the object was opened”, the researchers added. 

The study said that the campaigns carried out by the threat group aim to achieve three outcomes: espionage, intellectual property theft, and ransomware attacks.
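The beacon mechanism described above relies on a document carrying a reference to a remote resource that the viewer fetches on open. As an added defender-side illustration (not code from the original post or from Cisco Talos), the Python scanner below lists every external relationship inside an Office Open XML document, which is where remote images and templates live; the sample .docx and the canary URL it contains are constructed here for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# OOXML package-relationship namespace used by every *.rels part.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
IMAGE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def external_targets(ooxml_bytes: bytes) -> List[str]:
    """List every relationship in a .docx/.xlsx/.pptx whose TargetMode is External.

    A relationship with TargetMode="External" that points at a URL makes Office
    fetch that URL when the part is rendered; that is the beacon mechanism
    canary tokens rely on, so each hit deserves a closer look before opening.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    hits.append(f"{part}: {rel.get('Target', '')}")
    return hits


def build_sample_docx(beacon_url: Optional[str] = None) -> bytes:
    """Constructed minimal .docx for testing; not a document from the campaign.

    With beacon_url set (a hypothetical URL), the document carries an external
    image relationship next to an ordinary packaged one.
    """
    rels = ['<Relationships xmlns="%s">' % REL_NS[1:-1],
            f'<Relationship Id="rId1" Type="{IMAGE_TYPE}" Target="media/image1.png"/>']
    if beacon_url:
        rels.append(f'<Relationship Id="rId2" Type="{IMAGE_TYPE}" '
                    f'Target="{beacon_url}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in external_targets(build_sample_docx("http://canary.example.invalid/t.png")):
        print("external relationship:", hit)
```

Run it against a real attachment by passing the file's bytes to external_targets; an empty result means no part of the package references a remote resource.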

Iranian Hacking Group Targets Several Middle East Companies Via Malicious Campaign


Security researchers at Trend Micro have found evidence of malicious activity by the 'MuddyWater' advanced persistent threat (APT) group, which has targeted Middle East organizations using the ScreenConnect remote management tool.

Trend Micro's analysts have dubbed the recently detected campaign 'Earth Vetala'. The finding expands on research published by Anomali last month. MuddyWater is an Iranian hacking group known for its offensives primarily against Middle Eastern nations.

Key findings from this investigation 

The details discovered by security researchers are listed below:

• The campaign steals credentials from browsers and mail clients including Chrome, Chromium, Firefox, Opera, Internet Explorer, and Outlook. 

• The campaign leveraged spear-phishing emails containing embedded links to a legitimate file-sharing service. 

• The goal of the campaign is to distribute malicious packages carrying remote administration tools (ScreenConnect and RemoteUtilities) in order to control enterprise systems remotely. 

Security researchers discovered a spear-phishing email purporting to come from a government agency. The emails direct victims to a .ZIP file containing legitimate remote administration software developed by RemoteUtilities, which is capable of downloading and uploading files, capturing screenshots, browsing files and directories, and executing and terminating processes. 

Earth Vetala's post-exploitation activity involves password- and process-dumping tools and custom backdoors. The threat actors have been observed establishing communications with a command-and-control (C2) server to execute obfuscated PowerShell scripts. 

Trend Micro said the targets of the new wave of attacks are mainly organizations located in Bahrain, Israel, Azerbaijan, Saudi Arabia, and the United Arab Emirates.

In one instance involving a compromised host in Saudi Arabia, the researchers found that the adversary tried unsuccessfully to configure SharpChisel, a C# wrapper for the TCP/UDP tunneling tool chisel, for C2 communications, before installing a remote access tool, a credential stealer, and a PowerShell backdoor capable of executing arbitrary remote commands.