CIO News Hubb
Advertisement
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact
No Result
View All Result
CIO News Hubb
No Result
View All Result
Home Information Security

Iran-Based Hackers Caught Carrying Out Destructive Attacks Under Ransomware Guise

admin by admin
April 10, 2023
in Information Security


The Iranian nation-state group known as MuddyWater has been observed carrying out destructive attacks on hybrid environments under the guise of a ransomware operation.

That’s according to new findings from the Microsoft Threat Intelligence team, which discovered the threat actor targeting both on-premises and cloud infrastructures in partnership with another emerging activity cluster dubbed DEV-1084.

“While the threat actors attempted to masquerade the activity as a standard ransomware campaign, the unrecoverable actions show destruction and disruption were the ultimate goals of the operation,” the tech giant revealed Friday.

MuddyWater is the name assigned to an Iran-based actor that the U.S. government has publicly connected to the country’s Ministry of Intelligence and Security (MOIS). It’s been known to be active since at least 2017.

It’s also tracked by the cybersecurity community under various names, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix.

Cybersecurity firm Secureworks, in its profile of Cobalt Ulster, notes that it’s not entirely uncommon in the realm of the threat actor to “inject false flags into code associated with their operations” as a distraction in an attempt to muddy attribution efforts.

Attacks mounted by the group have primarily singled out Middle Eastern nations, with intrusions observed over the past year leveraging the Log4Shell flaw to breach Israeli entities.

The latest findings from Microsoft reveal the threat actor probably worked together with DEV-1084 to pull off the espionage attacks, the latter of which conducted the destructive actions after MuddyWater successfully gained a foothold onto the target environment.

“Mercury likely exploited known vulnerabilities in unpatched applications for initial access before handing off access to DEV-1084 to perform extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage,” Microsoft said.

In the activity detected by Redmond, DEV-1084 subsequently abused highly privileged compromised credentials to perform encryption of on-premise devices and large-scale deletion of cloud resources, including server farms, virtual machines, storage accounts, and virtual networks.

Furthermore, the threat actors gained full access to email inboxes through Exchange Web Services, using it to perform “thousands of search activities” and impersonate an unnamed high-ranking employee to send messages to both internal and external recipients.

The aforementioned actions are estimated to have transpired over a roughly three-hour time frame starting at 12:38 a.m. (when the attacker logged into the Microsoft Azure environment via compromised credentials) and ending at 3:21 a.m. (when the attacker sent emails to other parties after the successful cloud disruption).

It’s worth noting here that DEV-1084 refers to the same threat actor that assumed the “DarkBit” persona as part of a ransomware and extortion attack aimed at Technion, a leading research university in Israel, in February. The Israel National Cyber Directorate, last month, attributed the attack to MuddyWater.

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter – Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don’t Miss Out – Save Your Seat!

“DEV-1084 […] presented itself as a criminal actor interested in extortion, likely as an attempt to obfuscate Iran’s link to and strategic motivation for the attack,” Microsoft added.

The links between Mercury and DEV-1084 originate from infrastructure, IP address, and tooling overlaps, with the latter observed using a reverse tunneling utility called Ligolo, a staple MuddyWater artifact.

That said, there is not ample evidence to determine if DEV-1084 operates independently of MuddyWater and collaborates with other Iranian actors, or if it’s a sub-team that’s only summoned when there is a need to conduct a destructive attack.

Cisco Talos, early last year, described MuddyWater as a “conglomerate” comprising several smaller clusters rather than a single, cohesive group. The emergence of DEV-1084 suggests a nod in this direction.

“While these teams seem to operate independently, they are all motivated by the same factors that align with Iranian national security objectives, including espionage, intellectual theft, and destructive or disruptive operations based on the victims they target,” Talos noted in March 2022.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

Illuminatehybridity

Next Post

Innovativeness

Related Posts

Information Security

N. Korean Hackers ‘Mixing’ macOS Malware Tactics to Evade Detection

by admin
November 28, 2023
Information Security

Introducing new central configuration capabilities in AWS Security Hub

by admin
November 28, 2023
Information Security

Cybercriminals Using Telekopye Telegram Bot to Craft Phishing Scams on a Grand Scale

by admin
November 27, 2023
Information Security

How to use the BatchGetSecretValue API to improve your client-side applications with AWS Secrets Manager

by admin
November 27, 2023
Information Security

3 Critical Vulnerabilities Expose ownCloud Users to Data Breaches

by admin
November 26, 2023
Next Post

Innovativeness

Recommended

Using AI to Improve ITSM Processes

November 28, 2023

N. Korean Hackers ‘Mixing’ macOS Malware Tactics to Evade Detection

November 28, 2023

Introducing new central configuration capabilities in AWS Security Hub

November 28, 2023

Know these 15 Signs + 15 Tactics to Transform From Floundering to Winning Departments

November 28, 2023

Hong Kong-Pacific Harbor View ~ Future of CIO

November 27, 2023

Cybercriminals Using Telekopye Telegram Bot to Craft Phishing Scams on a Grand Scale

November 27, 2023

© CIO News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

Newsletter Sign Up

No Result
View All Result
  • Home
  • News
  • Operations CIO
  • Visionary CIO
  • IT Management
  • Information Security
  • Contact

© 2022 CIO News Hubb All rights reserved.