#MuddyWater

☠️ Evasive #APTs can be hard to identify
TI Lookup solves this with critical context for attack indicators and intel to help prevent future attacks

See how with #APT41 & #MuddyWater examples ⬇️
any.run/cybersecurity-blog/tra

#cybersecurity #infosec

2024-07-16

Our colleagues at Check Point Research have also published a report on this new #MuddyWater implant and related campaigns.

research.checkpoint.com/2024/n

2024-04-05

Deep Instinct reports on the latest activity from Iranian state-sponsored APT MuddyWater, including the latest attack framework "DarkBeatC2." It's a comprehensive look at Iranian attacks on Israel and the recent supply-chain attack targeting IT provider Rashim, which led to access to other organizations through VPN. IOC are provided. 🔗 deepinstinct.com/blog/darkbeat

#Iran #Cyberespionage #MuddyWater #LordNemesis #threatintel #IOC

2024-04-01

Malwation reports new attacks against Israel, Africa, and Turkiye by the Iranian state-sponsored APT MuddyWater. This includes the use of Atera and ConnectWise ScreenConnect remote administration management (RMM) software. Malwation describes the attack chain and provides IOC. 🔗 malwation.com/blog/new-muddywa

#MuddyWater #Iran #cyberespionage #threatintel #IOC

Just Another Blue Teamer (LeeArchinal@ioc.exchange)
2024-03-26

Happy Tuesday everyone!

Proofpoint researchers observed activity from TA450 (AKA #MuddyWater) that involved social engineering and targeted Israeli employees. The researchers noticed a change in the adversaries' #TTPs, moving from using a PDF with malicious attachments to putting the malicious link in the email body.

Taking this information into account, how can we hunt for this? Well, we can always look for Microsoft Office programs executing strange behavior such as spawning abnormal processes (especially the abuse of LOLBINs) or making network connections. Or, as a wise old man said back in 1986, "It's dangerous to go alone! Take this."

Potential Maldoc Execution Chain Observed
hunter.cyborgsecurity.io/resea

This hunt package has been designed to detect the aftermath of a successfully delivered and executed maldoc (Microsoft Office). Enjoy and Happy Hunting!

#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #gethunting
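One way to turn the hunt idea in the post above (Office programs spawning abnormal processes, especially LOLBINs, or making network connections) into code. This is an added example, not code from the post or from the Cyborg Security hunt package; the simplified Sysmon-like event fields, the Office and LOLBIN lists and the sample events are assumptions.

```python
from dataclasses import dataclass

# Office parents whose child processes and network activity we care about (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Living-off-the-land binaries commonly launched by a maldoc (assumed list; extend for your estate).
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe"}

@dataclass
class Finding:
    host: str
    rule: str
    detail: str

def _basename(path: str) -> str:
    # Normalise Windows paths and compare on the lower-cased file name only.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def hunt(events):
    """Return one Finding per event (simplified Sysmon-like dicts, an assumption) that matches a rule."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
            if parent in OFFICE_APPS and child in LOLBINS:
                findings.append(Finding(ev["host"], "office_spawns_lolbin",
                                        f"{parent} -> {child}: {ev['cmdline']}"))
        elif ev["type"] == "network_connect":
            image = _basename(ev["image"])
            if image in OFFICE_APPS:
                findings.append(Finding(ev["host"], "office_network_connection",
                                        f"{image} -> {ev['dest_ip']}:{ev['dest_port']}"))
    return findings

# Constructed sample telemetry (not real indicators): one benign launch, then two hits.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docx"},
    {"type": "process_create", "host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -File stage.ps1"},
    {"type": "network_connect", "host": "ws01",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "dest_ip": "198.51.100.7", "dest_port": 443},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

Expect noise from legitimate add-ins and Outlook's own network traffic; tune the lists and add a parent command-line allowlist before promoting this to an alert.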

2024-03-21

Iran-aligned threat actor #TA450 (AKA #MuddyWater #MangoSandstorm #StaticKitten) has employed new tactics. For the first time, Proofpoint researchers have observed TA450 attempt to use a malicious URL in a PDF attachment rather than directly linking the file in an email.

Security Brief: proofpoint.com/us/blog/threat-

In the March 7-11, 2024 phishing campaign tracked by Proofpoint, TA450 sent Hebrew language lures with PDF attachments that contained malicious links.

Targets included Israeli individuals at global manufacturing, technology, and information security companies.

Proofpoint researchers observed the same targets receive multiple phishing emails with PDF attachments that had slightly different embedded links, which led to a variety of file sharing sites. If opened and clicked, a ZIP file containing AteraAgent would be downloaded and ultimately installed.

This activity marks a turn in TA450’s tactics:

➡️ The group is attempting to deliver a malicious URL in a PDF attachment

➡️ This campaign is the first time Proofpoint has observed TA450 using a sender email account that matches the lure content

➡️ This activity continues TA450's trend of leveraging Hebrew language lures and compromised

See our security brief for ET signatures and IOCs.

2024-03-21

Proofpoint reported on a new MuddyWater campaign which uses a pay-related social engineering lure to target Israeli employees at large multinational organizations since 07 March 2024. MuddyWater is publicly attributed to Iran’s Ministry of Intelligence and Security (MOIS). IOC provided. 🔗 proofpoint.com/us/blog/threat-

cc: @selenalarson

#MuddyWater #cyberespionage #Iran #APT #Israel #threatintel #IOC

Hold My Chicken 🎉 (lookitmychicken@blorbo.social)
2024-03-07
Stray Kids members performing Muddy Water at the PILOT fanmeeting, with Seungmin on the big screen
2023-12-20

In the most recent intrusions in November 2023, the group utilized SimpleHelp and Venom Proxy, in addition to a custom keylogger and other publicly available tools.

#Cybersecurity #Africa #IranianGroup #Malware #Iran #MuddyWater #MuddyC2Go

cybersec84.wordpress.com/2023/

2023-11-02

MuddyWater is a state-sponsored group engaged in cyber espionage, operating as a subordinate element within Iran’s Ministry of Intelligence and Security (MOIS).

#Iran #Cybersecurity #Israel #Phishing #IranianGroup #Cyberattack #MuddyWater

cybersec84.wordpress.com/2023/

2023-10-27

CTI industry leaders recently highlighted (smartly) several regional actors that might be less familiar to teams previously focused more on Russia or China APTs, ransomware, or other threats more often in headlines.

The top web search results for these threats return sets of TTPs that are typically several years old. We dumped a large volume of more recent TTP #intelligence into our Community knowledge base to help fill some of these gaps, as many defenders are likely researching these threats.

Intel from the highest confidence sources like government advisories appears as richer Group/Software/Campaign "objects" like you'd find on the MITRE ATT&CK® site. #TTP collections from other sources usually appear as lighter-weight Technique Sets.

All content points back to the original public reporting. Thanks to the many teams sharing this important intel, including CISA & many partner agencies and the threat research teams at Cybereason, Deep Instinct, ESET, Fortinet, Kaspersky, PwC, & Zscaler.

Further research prioritization can be approached several ways. Some views to consider:

Collection of all new & recently updated Groups & Software: app.tidalcyber.com/share/f1b82

Collection of key U.S. advisories focused on Iran-aligned actors: app.tidalcyber.com/share/72973

Very recent reporting on Yellow Liderc/Imperial Kitten: app.tidalcyber.com/share/techn

New PhonyC2 framework used by #MuddyWater, a prominent #espionage #APT: app.tidalcyber.com/share/9f562

All Iran-attributed Groups & Campaigns in our knowledge base, featuring multiple new objects: app.tidalcyber.com/share/9a532

#LOLBIN & open-source tools newly associated with Volatile Cedar (Lebanon): app.tidalcyber.com/groups/7c3e

Molerats additional TTPs beyond ATT&CK: app.tidalcyber.com/share/techn

AridViper TTPs: app.tidalcyber.com/share/techn

Filter all Groups in our knowledge base by Country, Sector, & Motivation: app.tidalcyber.com/groups

2023-04-08

Originally posted by The Hacker News / @TheHackersNews: nitter.platypush.tech/TheHacke

R to @TheHackersNews: The latest findings reveal #MuddyWater probably worked with DEV-1084, which carried out the destructive actions after MuddyWater gained a foothold.

They abused privileged credentials, encrypted on-premise devices, and deleted cloud resources.
