Cybersecurity agencies in the US and UK have issued a joint cybersecurity advisory (CSA)on MuddyWater, a government-sponsored Iranian advanced persistent threat (APT) actor. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the US Cyber Command Cyber National Mission Force (CNMF), and the National Security Agency (NSA), together with the UK’s National Cyber Security Centre (NCSC), have detailed operations by this APT against a range of governments and private organizations around the world.
MuddyWater, also known as Earth Vetala, MERCURY, Seedworm, Static Kitten, and TEMP.Zargos, has its eyes set on the telecommunications, defense, local government, and oil and natural gas sectors—among others—in Africa, Asia, Europe, and North America.
“MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS),” the advisory briefs its readers. “This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.”
“MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims’ systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions.”
The advisory lastly reminds readers to take mitigating steps to protect themselves from malicious MuddyWater campaigns. Ensure that software is patched, prioritizing applications and operating systems with known, exploitable vulnerabilities. Back it up with an effective antivirus solution, EDR and SIEM. Use multifactor authentication (MFA)wherever you can. Limit access to resources according to the principle of least privilege.
Lastly, ensure that emplyees are trained to be alert for suspicious emails or social media posts—they could be the start of a phishing attack.