Friday, March 29, 2024

MuddyWater + DEV-1084: cybersecurity researchers reveal effective alliance of Iranian attackers

The hackers had to band together to make their attacks even more stealthy and destructive.

Microsoft Threat Intelligence specialists recently observed that the hacker group MuddyWater, commonly associated with the Iranian government, is carrying out devastating attacks on hybrid environments under the guise of ransomware. Moreover, this time MuddyWater is not operating alone, but in partnership with another group that Microsoft tracks under the name DEV-1084. The researchers argue that the attackers are acting in concert and are targeting both the on-premises and the cloud infrastructure of various organizations in the Middle East.

“While the attackers tried to disguise this activity as a standard extortion campaign, the investigation showed that the ultimate goal of the operation was the destruction of infrastructure,” the tech giant said in a report.

MuddyWater is the name given to an Iranian cybercriminal group that the US government has repeatedly publicly linked to the Iranian Ministry of Intelligence and Security (MOIS). These hackers are known to have been active since at least 2017.

The group is tracked by the cybersecurity community under various names including: Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix. Secureworks, for example, notes that these attackers often “inject false flags into the code” in an effort to confuse experts investigating their malicious activities.

MuddyWater attacks are mainly aimed at countries in the Middle East. At the same time, the intrusions observed over the past year often exploited the Log4Shell vulnerability to break into Israeli organizations.

Microsoft’s latest data indicates that the attackers likely worked alongside the DEV-1084 group. Reportedly, it was this group that carried out a number of destructive actions in the target environment after the MuddyWater hackers had successfully gained a foothold in it. Moving quietly through the target network sometimes took weeks or even months, so it can be said without exaggeration that both groups acted in a coordinated and cautious manner.

In the activity discovered by Redmond, DEV-1084 abused compromised, highly privileged credentials to encrypt on-premises devices and to delete cloud resources on a large scale, including server farms, virtual machines, storage accounts, and virtual networks.

In addition, the attackers gained full access to mailboxes through Exchange Web Services and used them to perform “thousands of searches” and send many messages to both internal and external recipients on behalf of an unnamed high-ranking employee of the target company.
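Both behaviours described above, the mass deletion of cloud resources by one privileged identity and the burst of mailbox searches and sends through Exchange Web Services, share the same defensive signature: one actor performing an unusual number of sensitive operations inside a short window. The following detector is an added example written for this article; it is not Microsoft's, MuddyWater's or the source site's code. The record layouts, field names, account names and timestamps are constructed and simplified (real Azure Activity Log and Exchange mailbox audit records carry many more fields), and the thresholds are illustrative assumptions that a team would tune to its own baseline.

```python
"""Burst detector for two behaviours from the article, run over constructed sample telemetry.

Assumptions: simplified record shapes (time, actor, client, operation); thresholds chosen
for illustration only. The operation names follow Azure resource-provider and Exchange
mailbox-audit naming, but the sample events themselves are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2023, 3, 1, 2, 0, 0)  # constructed reference time (02:00 UTC, off-hours)


def _t(base, seconds):
    """Render an ISO-8601 UTC timestamp offset from `base` by `seconds`."""
    return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed Azure Activity Log-style records. One admin deletes a single VM during the
# day (benign); one highly privileged account deletes VMs, a storage account, a virtual
# network and a server farm within a few minutes at night (the pattern the article describes).
AZURE_EVENTS = [
    {"time": _t(BASE, -36000), "caller": "ops-admin@contoso.example",
     "operation": "Microsoft.Compute/virtualMachines/delete"},
    {"time": _t(BASE, -35000), "caller": "ops-admin@contoso.example",
     "operation": "Microsoft.Compute/virtualMachines/write"},
] + [
    {"time": _t(BASE, 30 * i), "caller": "ga-breakglass@contoso.example", "operation": op}
    for i, op in enumerate([
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Network/virtualNetworks/delete",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Web/serverfarms/delete",
    ])
]

# Constructed Exchange mailbox-audit-style records. A normal user runs a handful of
# searches from Outlook; an executive mailbox is driven through EWS with 45 searches
# and 15 sends in about twenty minutes.
EXCHANGE_EVENTS = [
    {"time": _t(BASE, 60 * i), "mailbox": "alice@contoso.example",
     "client": "Outlook", "operation": "SearchQueryInitiated"}
    for i in range(5)
] + [
    {"time": _t(BASE, 20 * i), "mailbox": "cfo@contoso.example",
     "client": "ExchangeWebServices",
     "operation": "Send" if i % 4 == 0 else "SearchQueryInitiated"}
    for i in range(60)
]


def find_bursts(events, actor_key, op_key, window, threshold):
    """Group events by actor and slide a time window over each actor's sorted events.

    Returns one alert per actor whose densest window holds at least `threshold` events,
    reporting the count, the number of distinct operations and the window bounds.
    """
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e[actor_key]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        start, best = 0, None
        for end in range(len(evs)):
            # Shrink the window from the left until it spans at most `window`.
            while parse_time(evs[end]["time"]) - parse_time(evs[start]["time"]) > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                ops = {e[op_key] for e in evs[start:end + 1]}
                best = {"actor": actor, "count": count, "distinct_operations": len(ops),
                        "first": evs[start]["time"], "last": evs[end]["time"]}
        if best is not None:
            alerts.append(best)
    return alerts


def azure_mass_delete_alerts(events=AZURE_EVENTS, window=timedelta(minutes=10), threshold=5):
    """Flag a principal that issues many resource deletions in a short window."""
    deletes = [e for e in events if e["operation"].endswith("/delete")]
    return find_bursts(deletes, "caller", "operation", window, threshold)


def ews_mailbox_abuse_alerts(events=EXCHANGE_EVENTS, window=timedelta(hours=1), threshold=50):
    """Flag a mailbox driven through EWS with an unusual volume of searches and sends."""
    ews = [e for e in events
           if e["client"] == "ExchangeWebServices"
           and e["operation"] in ("SearchQueryInitiated", "Send")]
    return find_bursts(ews, "mailbox", "operation", window, threshold)


if __name__ == "__main__":
    for alert in azure_mass_delete_alerts() + ews_mailbox_abuse_alerts():
        print(alert)
```

Counting distinct operation types alongside the raw count is what separates a decommissioning job that deletes thirty VMs from an account tearing down compute, storage and networking at once; the former is routine, the latter is the destructive pattern described here. For the mailbox case, the client filter matters as much as the threshold: the same search volume from Outlook is a busy user, while from EWS under a single privileged identity it is the behaviour worth paging on.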

“The DEV-1084 group is a group of criminals interested in extortion only in terms of obfuscating ties with Iran and hiding the strategic motives for the attack,” Microsoft added.

So far, there is insufficient evidence to determine whether the DEV-1084 group operates independently of MuddyWater or cooperates with other Iranian threat actors. It is also possible that DEV-1084 is brought in only when a destructive attack is required, one aimed at the large-scale destruction of the target infrastructure and its important data.


Cisco Talos early last year described MuddyWater as a “conglomerate” consisting of several small clusters, rather than a single cohesive group. The appearance of DEV-1084 suggests a clear movement in this direction.

“While these teams appear to operate independently, they are all guided by the same factors that are consistent with Iran’s national security goals, including espionage, intellectual theft, and a variety of destructive operations,” Talos said in March 2022.



Source: www.securitylab.ru
