The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSCUK) have called out the MuddyWater threat actors and their involvement in cyber espionage and malicious cyber operations. MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. Activity from the MuddyWater group was previously linked to FIN7, but the group is believed to be a distinct group, possibly motivated by espionage. Per MITRE ATT&CK, MuddyWater is also known to cyber defenders as Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros. The MuddyWater victims are mainly in the telecommunications, government (IT services), and oil sectors. These malicious activities are happening worldwide and have been observed and documented in Asia, Africa, Europe, and North America.
In the past, MuddyWater relied heavily on spear phishing. Spear phishing uses email communications which are designed to penetrate and compromise the resources of the targeted individual, business, or government agency. The MuddyWater threat actors would send a carefully targeted email to the target organization. Once the target organization’s networks have been successfully penetrated, then MuddyWater moves to steal legitimate documents from the compromised systems. These legitimate documents are, in turn, weaponized and then used to continue further distribution to other victims to produce a cascade of information compromise.
MuddyWater creates socially engineered malicious documents which frequently deliver their “POWERSTATS” as a first stage backdoor. The POWERSTATS backdoor can receive commands from the attackers and then enable a wide variety of malicious activities. MuddyWater has evolved this attack over the years and moved to also deliver second stage executables which are not written in PowerShell.
MuddyWater threat actors maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs) which can to trick legitimate programs into running malware, and obfuscating PowerShell scripts to hide command and control (C2) functions.
The government agencies behind the Joint Cybersecurity Advisory have all observed MuddyWater threat actors using various malware variants of PowGoop, Small Sieve, Canopy (also known as Starwhale), Mori, and POWERSTATS as mentioned earlier, along with other tools to support their malicious criminal activity.
This important Joint Cybersecurity Advisory provides observed tactics, techniques, and procedures (TTPs); malware; and indicators of compromise (IOCs) associated with this Iranian government-sponsored APT activity to aid organizations in the identification of malicious activity against sensitive networks. MITRE ATT&CK references are used to help disambiguate the TTPs.
The Joint Cybersecurity Advisory recommends mitigations to include:
- Protective Controls and Architecture. Deploy application control software to limit the applications and executable code that can be run by users. Email attachments and files downloaded via links in emails often contain executable code.
- Identity and Access Management. Use multifactor authentication where possible, particularly for webmail, virtual private networks, and accounts that access critical systems. Limit the use of administrator privileges. Users who browse the internet, use email, and execute code with administrator privileges make for excellent spear phishing targets because their system—once infected—enables attackers to move laterally across the network, gain additional privileges, and access highly sensitive information.
- Phishing Protection. Enable antivirus and anti-malware software and update signature definitions in a timely manner. Well-maintained antivirus software may prevent use of commonly deployed attacker tools that are delivered via spear phishing. Be suspicious of unsolicited contact via email or social media from any individual you do not know personally. Do not click on hyperlinks or open attachments in these communications. Consider adding an email banner to emails received from outside your organization and disabling hyperlinks in received emails. Train users through awareness and simulations to recognize and report phishing and social engineering attempts. Identify and suspend access of user accounts exhibiting unusual activity. Adopt threat reputation services at the network device, operating system, application, and email service levels. Reputation services can be used to detect or prevent low-reputation email addresses, files, URLs, and IP addresses used in spear phishing attacks.
- Vulnerability and Configuration Mgmt. Install updates/patch operating systems, software, and firmware as soon as updates/patches are released. Prioritize patching known exploited vulnerabilities.
DNS Security is Mainstream – don’t be a Late Adopter!
Using a DNS security solution like Infoblox’s BloxOne® Threat Defense as part of defense in depth to mitigate threats, including Phishing attacks, is highly recommended. Coupled with Microsoft’s recommendations for multifactor authentication, the audit of delegated admin privileges, and more, BloxOne Threat Defense would enhance a strong ecosystem for hardened defense against sophisticated threats.
DNS security is designed to prevent users’ connection to malicious destinations, and to detect anomalous behaviors in the network such as C&C communications, phishing, advanced persistent threat activity, domain generation algorithm (DGA) activity, botnet communications, DNS tunneling, and data exfiltration. BloxOne Threat Defense combines advanced analytics based on machine learning, highly accurate and aggregated threat intelligence and automation to detect and prevent a broad range of threats, including DGA families, data exfiltration, look-alike domain use and many others.
In addition, Infoblox DNS security integrates with Security Orchestration Automation and Remediation (SOAR) systems, ITSM solutions, vulnerability scanners and other security ecosystem tools to trigger remediation actions automatically when any malicious activity is detected. This helps speed up an organization’s response to security events and provides rapid threat containment.
Analyzing DNS logs is a highly effective way to see what resources a client has been accessing historically. DHCP fingerprint and IPAM metadata provide contextual information on compromised devices such as type of device, OS information, network location and current and historical IP address allocations. All this information helps with event correlation and understanding the scope of a breach.
To find out more about our programs and products please reach out to us via https://info.infoblox.com/contact-sales.html.
|Shields Up | CISA
Every organization in the United States is at risk from cyber threats that can disrupt essential services and potentially result in impacts to public safety. Over the past year, cyber incidents have impacted many companies, non-profits, and other organizations, large and small, across multiple sectors of the economy.