Iran-Linked MuddyWater Deploys Atera for Surveillance in Phishing Attacks

By The Hacker News

Key Points

  • MuddyWater Phishing: MuddyWater used seemingly harmless PDF attachments containing malicious links. Clicking these links downloaded an installer for the real Atera Agent (RMM software), granting them unauthorized access to compromised systems.
  • Shift in Tactics: This campaign represents a shift for MuddyWater, who previously relied on directly embedded malicious links. This new tactic increases deception and potentially widens their attack reach.
  • MuddyWater Targets: This is not the first time MuddyWater has targeted organizations. Since October 2023, they’ve used other legitimate remote access tools for infiltration attempts.
  • Supply Chain Attack: Another Iranian group, Lord Nemesis, compromised a software provider in a supply chain attack, potentially impacting their clients.
  • Dangers of Supply Chain Attacks: This attack highlights the growing risk of supply chain attacks, where compromising a trusted vendor grants access to a wider network of targets. This emphasizes the importance of thorough vendor vetting and strong MFA for businesses.

The Iran-affiliated threat actor tracked as MuddyWater (aka Mango Sandstorm or TA450) has been linked to a new phishing campaign in March 2024 that aims to deliver a legitimate Remote Monitoring and Management (RMM) solution called Atera.

The activity, which took place from March 7 through the week of March 11, targeted Israeli entities spanning global manufacturing, technology, and information security sectors, Proofpoint said.

"TA450 sent emails with PDF attachments that contained malicious links," the enterprise security firm said. "While this method is not foreign to TA450, the threat actor has more recently relied on including malicious links directly in email message bodies instead of adding in this extra step."

MuddyWater has been attributed to attacks directed against Israeli organizations since late October 2023, with prior findings from Deep Instinct uncovering the threat actor's use of another remote administration tool from N-able.

This is not the first time the adversary – assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS) – has come under the spotlight for its reliance on legitimate remote desktop software to meet its strategic goals. It has also been observed utilizing ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.

The latest attack chains involve MuddyWater embedding links to files hosted on file-sharing sites such as Egnyte, Onehub, Sync, and TeraBox. Some of the pay-themed phishing messages are said to have been sent from a likely compromised email account associated with the "co.il" (Israel) domain.

In the next stage, clicking on the link present within the PDF lure document leads to the retrieval of a ZIP archive containing an MSI installer file that ultimately installs the Atera Agent on the compromised system. MuddyWater's use of Atera Agent dates back to July 2022.

The shift in MuddyWater's tactics comes as an Iranian hacktivist group dubbed Lord Nemesis has targeted the Israeli academic sector by breaching a software services provider named Rashim Software in what's case of a software supply chain attack.

"Lord Nemesis allegedly used the credentials obtained from the Rashim breach to infiltrate several of the company's clients, including numerous academic institutes," Op Innovate said. "The group claims to have obtained sensitive information during the breach, which they may use for further attacks or to exert pressure on the affected organizations."

Lord Nemesis is believed to have used the unauthorized access it gained to Rashim's infrastructure by hijacking the admin account and leveraging the company's inadequate multi-factor authentication (MFA) protections to harvest personal data of interest.

It also sent email messages to over 200 of its customers on March 4, 2024, four months after the initial breach took place, detailing the extent of the incident. The exact method by which the threat actor gained access to Rashim's systems was not disclosed.

"The incident highlights the significant risks posed by third-party vendors and partners (supply chain attack)," security researcher Roy Golombick said. "This attack highlights the growing threat of nation-state actors targeting smaller, resource-limited companies as a means to further their geo-political agendas."

"By successfully compromising Rashim's admin account, the Lord Nemesis group effectively circumvented the security measures put in place by numerous organizations, granting themselves elevated privileges and unrestricted access to sensitive systems and data."



Comments

Post a Comment

Popular posts from this blog

New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

Image
By Bill Toulas,  Bleeping Computer Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named 'Tycoon 2FA' to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. Tycoon 2FA was discovered by Sekoia analysts in October 2023 during routine threat hunting, but it has been active since at least August 2023, when the Saad Tycoon group offered it through private Telegram channels. The PhaaS kit shares similarities with other adversary-in-the-middle (AitM) platforms, such as Dadsec OTT, suggesting possible code reuse or a collaboration between developers. In 2024, Tycoon 2FA released a new version that is stealthier, indicating a continuous effort to improve the kit. Currently, the service leverages 1,100 domains and has been observed in thousands of phishing attacks.
Read more

Ransomware gang starts leaking alleged stolen Change Healthcare data

Image
By Lawrence Abrams,  Bleeping Computer The RansomHub extortion gang has begun leaking what they claim is corporate and patient data stolen from United Health subsidiary Change Healthcare in what has been a long and convoluted extortion process for the company. In February, Change Healthcare suffered a cyberattack that caused massive disruption to the US healthcare system , preventing pharmacies and doctors from billing or sending claims to insurance companies. The attack was ultimately linked to the BlackCat / ALPHV ransomware operation, who later said they stole 6 TB of data during the attack . After facing increased pressure from law enforcement, the BlackCat gang shut down their operation . This occurred amid claims they were pulling an exit scam by stealing a $22 million Change Healthcare ransom payment from the affiliate who conducted the attack. While Change Healthcare has declined to comment on whether it has paid a ransom, the affiliate known as "Notchy" said they
Read more

Why remote desktop tools are facing an onslaught of cyber threats

Image
By Solomon Klappholz, IT Pro Hackers are increasingly targeting remote desktop tools in their attacks, new research reveals, prompting warnings for enterprises globally In the era of hybrid work, remote desktop tools have become vital business enablers, but due to their pervasiveness on corporate networks they have become a popular entry point for cyber criminals. If successfully exploited, remote access tools can provide hackers with a direct pathway into a system or network, and once access is gained attackers can move laterally within the network, escalating privileges and maintaining persistence. In an investigation into which remote desktop tools are targeted the most, Jonathan Tanner, senior security researcher at Barracuda Networks, explained that remote desktop software poses a particular challenge to IT teams to secure. “Among the security challenges facing IT teams implementing remote desktop software is that there are many different tools available, each using different and
Read more