Iranian nation-state group MuddyWater has been found executing destructive attacks on hybrid environments while pretending to be a ransomware operation. Microsoft Threat Intelligence found the group targeting on-premises and cloud infrastructure, working with the emerging cluster DEV-1084.
A deceptive collaboration
MuddyWater, linked to Iran’s Ministry of Intelligence and Security (MOIS), has been active since at least 2017. The group is known by various names within the cybersecurity community, such as Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mercury, Seedworm, Static Kitten, TEMP.Zagros, and Yellow Nix. MuddyWater is known for focusing on Middle Eastern nations and has exploited the Log4Shell vulnerability in recent attacks on Israeli entities.
According to Microsoft's latest findings, MuddyWater likely joined forces with DEV-1084 to carry out espionage attacks. After MuddyWater successfully infiltrated the target environment, DEV-1084 executed the destructive actions. The collaboration between the two groups involved MuddyWater exploiting known vulnerabilities in unpatched applications for initial access. Afterward, MuddyWater handed off that access to DEV-1084, which conducted extensive reconnaissance, established persistence, and moved laterally throughout the network.
DEV-1084’s destructive actions
DEV-1084 utilized highly privileged compromised credentials to encrypt on-premises devices and delete extensive cloud resources, including server farms, virtual machines, storage accounts, and virtual networks. The threat actors gained full access to email inboxes through Exchange Web Services, carrying out thousands of search activities and impersonating a high-ranking employee to send messages to both internal and external recipients.
The activities took place in a roughly three-hour window. First, the attacker logged into Microsoft Azure using compromised credentials. Later, after successfully disrupting the cloud environment, the attacker sent emails to other parties.
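The cloud-side pattern described above, a single principal deleting server farms, virtual machines, storage accounts and virtual networks within a few hours, is one a defender can hunt for in Azure Activity Log exports. The following is an added detection example written for this article, not code from Microsoft or from the report; the record shape (caller, operationName, eventTimestamp) and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DELETE_SUFFIX = "/delete"  # Azure resource-provider operations end in "<provider>/<type>/delete"

def _ev(caller, op, ts):
    # Minimal Activity Log-shaped record; these three field names are an assumption.
    return {"caller": caller, "operationName": op, "eventTimestamp": ts}

# Constructed sample: one principal deleting four resource types in about 40 minutes
# (the pattern in the article) and one principal doing routine deletions hours apart.
SAMPLE_EVENTS = [
    _ev("svc-admin@contoso.example", "Microsoft.Web/serverfarms/delete", "2023-04-01T09:02:00Z"),
    _ev("svc-admin@contoso.example", "Microsoft.Compute/virtualMachines/delete", "2023-04-01T09:05:00Z"),
    _ev("svc-admin@contoso.example", "Microsoft.Compute/virtualMachines/delete", "2023-04-01T09:06:00Z"),
    _ev("svc-admin@contoso.example", "Microsoft.Compute/virtualMachines/write", "2023-04-01T09:07:00Z"),
    _ev("svc-admin@contoso.example", "Microsoft.Compute/virtualMachines/delete", "2023-04-01T09:11:00Z"),
    _ev("svc-admin@contoso.example", "Microsoft.Storage/storageAccounts/delete", "2023-04-01T09:20:00Z"),
    _ev("svc-admin@contoso.example", "Microsoft.Network/virtualNetworks/delete", "2023-04-01T09:33:00Z"),
    _ev("svc-admin@contoso.example", "Microsoft.Web/serverfarms/delete", "2023-04-01T09:41:00Z"),
    _ev("ops@contoso.example", "Microsoft.Compute/virtualMachines/delete", "2023-04-01T08:00:00Z"),
    _ev("ops@contoso.example", "Microsoft.Compute/virtualMachines/delete", "2023-04-01T16:00:00Z"),
]

def find_mass_deletion(events, window=timedelta(hours=3), min_deletes=5, min_types=3):
    """Flag callers whose delete operations inside any `window`-long span reach both
    thresholds. Returns {caller: {"count", "resource_types", "first", "last"}}."""
    by_caller = defaultdict(list)
    for e in events:
        op = e["operationName"]
        if op.endswith(DELETE_SUFFIX):  # ignore writes, reads and other non-destructive operations
            ts = datetime.strptime(e["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
            by_caller[e["caller"]].append((ts, op[: -len(DELETE_SUFFIX)]))
    alerts = {}
    for caller, dels in by_caller.items():
        dels.sort()  # time-ordered so a sliding window can be used
        lo = 0
        for hi in range(len(dels)):
            while dels[hi][0] - dels[lo][0] > window:
                lo += 1
            span = dels[lo:hi + 1]
            types = sorted({t for _, t in span})
            if len(span) >= min_deletes and len(types) >= min_types:
                best = alerts.get(caller)
                if best is None or len(span) > best["count"]:  # keep the widest qualifying span
                    alerts[caller] = {"count": len(span), "resource_types": types,
                                      "first": span[0][0].isoformat(), "last": span[-1][0].isoformat()}
    return alerts
```

Against a real export, map the Activity Log's caller, operation name and timestamp columns onto the three fields and tune the window and thresholds to the tenant's normal deletion rate.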
Relationship between MuddyWater and DEV-1084
The connections between MuddyWater and DEV-1084 involve infrastructure, IP address, and tooling overlaps. However, there is not enough evidence to determine their exact relationship. It is unclear if DEV-1084 operates independently, collaborates with other Iranian actors, or acts as a MuddyWater sub-team for destructive attacks. Cisco Talos previously suggested that MuddyWater is a “conglomerate” of smaller clusters, rather than a single cohesive group. The emergence of DEV-1084 supports this idea.