The Iranian nation-state group known as MuddyWater has been observed directing destructive attacks on hybrid environments under the guise of a ransomware operation. The name is not to be confused with McKinley Morganfield (April 4, 1913 – April 30, 1983), known professionally as Muddy Waters, was an American blues singer and musician. Iran could be singing the blues if they keep this up.
According to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster named DEV-1084. "While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation," researchers disclosed.[1]
MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country's Ministry of Intelligence and Security (MOIS). It's been known to be active since at least 2017. The cybersecurity community also tracks it under various names, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix.
Cybersecurity investigators, in a profile of Cobalt Ulster, note that it is not uncommon to "inject false flags into code associated with their operations" as a distraction in an attempt to muddy attribution efforts. Attacks mounted by the group have primarily singled out Middle Eastern nations, with intrusions observed over the past year leveraging the Log4Shell flaw to breach Israeli entities.
The latest findings from researchers reveal the threat actor probably worked with DEV-1084 to execute the espionage attacks, the latter of which conducted the destructive actions after MuddyWater successfully gained a foothold in the target environment. "Mercury likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage," noted researchers.
In the activity detected, DEV-1084 abused highly privileged compromised credentials to perform encryption of on-premise devices and large-scale deletion of cloud resources, including server farms, virtual machines, storage accounts, and virtual networks. The threat actors gained full access to email inboxes through Exchange Web Services, using it to perform "thousands of search activities" and impersonate an unnamed high-ranking employee to send messages to internal and external recipients.
The actions are estimated to have transpired over roughly three hours, starting at 12:38 a.m. (when the attacker logged into the Microsoft Azure environment via compromised credentials) and ending at 3:21 a.m. (when the attacker sent emails to other parties after the successful cloud disruption). The DEV-1084 refers to the same threat actor that assumed the "DarkBit" persona as part of a ransomware and extortion attack aimed at Technion, a leading research university in Israel, in February. Last month, the Israel National Cyber Directorate attributed the attack to MuddyWater. DEV-1084 [...] presented itself as a criminal actor interested in extortion, likely attempting to obfuscate Iran's link to and strategic motivation for the attack.
The links between Mercury and DEV-1084 originate from infrastructure, IP address, and tooling overlaps, with the latter observed using a reverse tunneling utility called Ligolo, a staple MuddyWater artifact. There is not enough evidence to determine if DEV-1084 operates independently of MuddyWater and collaborates with other Iranian actors or if it's a sub-team that's only summoned when there is a need to conduct a destructive attack.
Investigators described MuddyWater as a "conglomerate" comprising several smaller clusters rather than a single, cohesive group. The emergence of DEV-1084 suggests a nod in this direction. While these teams seem to operate independently, they are all motivated by the same factors aligning with Iranian national security objectives, including espionage, intellectual theft, and destructive or disruptive operations based on their target victims.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://thehackernews.com/2023/04/iran-based-hackers-caught-carrying-out.html
Comments