Hackers linked to the Iranian Ministry of Intelligence and Security are exploiting a range of vulnerabilities to conduct cyber espionage and other malicious attacks against organisations around the world, a joint alert by US and UK authorities has warned.
The advisory by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC) says an Iranian government-sponsored advanced hacking operation known as MuddyWater is going after a wide range of targets.
These include telecommunications, defence, local government, and oil and natural gas organisations across Asia, Africa, Europe, and North America. According to CISA, the aim of the attacks is to gain access to networks to steal passwords and sensitive information “to share these with other malicious cyber actors”.
The group is known to exploit publicly reported vulnerabilities and to use open-source tools and techniques to gain access to sensitive data on victims’ systems and deploy ransomware, the agencies said. MuddyWater – also known as Earth Vetala, Mercury, Static Kitten and Seedworm – has been active since at least 2018.
Many of the campaigns leverage phishing attacks to coax targets into downloading ZIP files containing Excel files with malicious macros or PDFs that drop malicious payloads.
MuddyWater campaigns deploy many different forms of malware to act as loaders and backdoors on compromised networks. The main loader is a new variant of the PowGoop malware, which consists of a DLL loader and a PowerShell-based downloader. The malicious file impersonates a legitimate, signed Google Update executable.
Another form of malware used in the attacks is Small Sieve, a Python backdoor that disguises malicious executables and uses filenames and registry key names associated with Microsoft’s Windows Defender to avoid detection while it is used to expand the attackers’ foothold in the compromised network.
Other malware used in the Iranian campaigns includes Canopy, a malicious Windows script distributed by phishing emails, and Mori, a backdoor that uses Domain Name System (DNS) tunneling to communicate with the group’s command and control infrastructure.
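As an added defensive example (not code from the advisory or the article), the following Python heuristic flags DNS query log lines that look like the DNS tunneling the article attributes to Mori: unusually long names, high-entropy or hex-encoded leading labels, and TXT lookups clustered on one domain. The log format, the `.invalid` placeholder domain and the thresholds are assumptions; the sample lines are constructed.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS log lines (hypothetical format: "<timestamp> <client> <qtype> <qname>").
# The "c2-placeholder.invalid" domain is a placeholder, not a real indicator.
SAMPLE_LOG = """\
2022-02-24T10:00:01 10.0.0.5 A www.example.com
2022-02-24T10:00:02 10.0.0.5 A mail.example.com
2022-02-24T10:00:03 10.0.0.7 TXT 4a6f686e2e446f65.xk9q3vz1mfp82lwn.c2-placeholder.invalid
2022-02-24T10:00:04 10.0.0.7 TXT 7365637265742d70617373.q2m8ztr4vb1kplx9.c2-placeholder.invalid
2022-02-24T10:00:05 10.0.0.7 TXT 5573657250617373776f7264.m4xz9v2kq1ptwl8b.c2-placeholder.invalid
2022-02-24T10:00:06 10.0.0.9 A cdn.example.net
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores much higher than words."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registrable_domain(qname):
    """Naive approximation (last two labels); a real tool would use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_query(qname):
    """Return the list of tunneling heuristics that a single query name trips (empty if none)."""
    labels = qname.rstrip(".").split(".")
    subdomain = ".".join(labels[:-2])
    reasons = []
    if len(qname) > 60:                                  # assumed threshold
        reasons.append("long-name")
    if subdomain and shannon_entropy(subdomain) > 3.5:   # assumed threshold
        reasons.append("high-entropy-subdomain")
    if re.fullmatch(r"[0-9a-f]{16,}", labels[0]):        # hex-encoded data in the leading label
        reasons.append("hex-encoded-label")
    return reasons

def analyse(log_text, min_hits=2):
    """Group suspicious queries by domain; report domains with at least min_hits suspicious lookups."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        reasons = score_query(qname)
        if qtype == "TXT":   # TXT records carry the most payload per query, common for tunneling
            reasons.append("txt-record")
        if reasons:
            per_domain[registrable_domain(qname)].append((client, qname, reasons))
    return {domain: hits for domain, hits in per_domain.items() if len(hits) >= min_hits}

if __name__ == "__main__":
    for domain, hits in analyse(SAMPLE_LOG).items():
        print(domain, len(hits), "suspicious queries:", sorted({r for _, _, rs in hits for r in rs}))
```

Thresholds should be tuned against a baseline of the organisation's own DNS traffic, since CDNs and some security products also generate long, encoded-looking names.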
The agencies have also identified a new PowerShell backdoor described as lightweight in functionality but capable of encrypting communications with command and control servers.
The Iranian hackers use a variety of known vulnerabilities, which CISA has detailed in an alert. Because these vulnerabilities are already public, organisations can reduce the risk of compromise by installing security updates for operating systems, software and firmware as soon as they are released. Using antivirus software and keeping it up to date is also recommended.
CISA also recommends the use of multi-factor authentication whenever possible and limiting the use of administrator privileges for most users – both actions create additional barriers for attackers.
It’s also recommended that organisations deploy application control software to limit the applications and executable code that can be run by users. Finally, users should be trained to identify and report suspected phishing attacks.