{"id":18372,"date":"2022-02-25T11:10:11","date_gmt":"2022-02-25T19:10:11","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/02\/25\/news-12105\/"},"modified":"2022-02-25T11:10:11","modified_gmt":"2022-02-25T19:10:11","slug":"news-12105","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/02\/25\/news-12105\/","title":{"rendered":"CISA warns of cyberespionage by Iranian APT &#8220;MuddyWater&#8221;"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Fri, 25 Feb 2022 18:54:27 +0000<\/strong><\/p>\n<p>Cybersecurity agencies in the US and UK have issued a joint <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-055a\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">cybersecurity advisory (CSA)<\/a> on MuddyWater, a government-sponsored Iranian advanced persistent threat (APT) actor. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the US Cyber Command Cyber National Mission Force (CNMF), and the National Security Agency (NSA), together with the UK&#8217;s National Cyber Security Centre (NCSC), have detailed operations by this APT against a range of governments and private organizations around the world.<\/p>\n<p>MuddyWater, also known as Earth Vetala, MERCURY, Seedworm, Static Kitten, and TEMP.Zargos, has its eyes set on the telecommunications, defense, local government, and oil and natural gas sectors\u2014among others\u2014in Africa, Asia, Europe, and North America.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Even as we remain laser-focused on Russian malicious cyber activity, we cannot fail to see around the corners. 
Our latest advisory provides details on Iranian government-sponsored APT actors known as MuddyWater: <a href=\"https:\/\/t.co\/sgWJ8jRbTZ\">https:\/\/t.co\/sgWJ8jRbTZ<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/ShieldsUp?src=hash&amp;ref_src=twsrc%5Etfw\">#ShieldsUp<\/a> <a href=\"https:\/\/t.co\/TwjTvkxWlE\">pic.twitter.com\/TwjTvkxWlE<\/a><\/p>\n<p>&mdash; Jen Easterly (@CISAJen) <a href=\"https:\/\/twitter.com\/CISAJen\/status\/1496894349803769860?ref_src=twsrc%5Etfw\">February 24, 2022<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script> <\/div>\n<\/figure>\n<p>&#8220;MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS),\u201d the advisory briefs its readers. \u201cThis APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors.&#8221;<\/p>\n<p>&#8220;MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims\u2019 systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)\u2014to trick legitimate programs into running malware\u2014and obfuscating PowerShell scripts to hide command and control (C2) functions.&#8221;<\/p>\n<p>The full advisory can be read in <u><a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-055a\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">this CISA web page<\/a><\/u>. 
It can also be downloaded as a <u><a href=\"https:\/\/www.ic3.gov\/Media\/News\/2022\/220224.pdf\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">PDF file<\/a><\/u>.<\/p>\n<p>The advisory also reminds readers to take mitigating steps to protect themselves from malicious MuddyWater campaigns. Ensure that software is patched, prioritizing applications and operating systems with <u><a href=\"https:\/\/www.cisa.gov\/known-exploited-vulnerabilities-catalog\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">known, exploitable vulnerabilities<\/a><\/u>. Back it up with <a href=\"https:\/\/www.malwarebytes.com\/pricing\" target=\"_blank\" rel=\"noreferrer noopener\">an effective antivirus solution<\/a>, EDR and SIEM. Use <u><a href=\"https:\/\/blog.malwarebytes.com\/glossary\/multi-factor-authentication-mfa\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">multifactor authentication (MFA)<\/a><\/u>\u00a0wherever you can. Limit access to resources according to the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Principle_of_least_privilege\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">principle of least privilege<\/a>.<\/p>\n<p>Lastly, ensure that employees are trained to be alert for suspicious emails or social media posts\u2014they could be the start of a phishing attack.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/awareness\/2022\/02\/cisa-warns-of-cyberespionage-by-iranian-apt-muddywater\/\">CISA warns of cyberespionage by Iranian APT &#8220;MuddyWater&#8221;<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Fri, 25 Feb 2022 18:54:27 
+0000<\/strong><\/p>\n<p>Cybersecurity agencies in the US and UK have issued a joint cybersecurity advisory (CSA) on MuddyWater, an Iranian APT.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/awareness\/2022\/02\/cisa-warns-of-cyberespionage-by-iranian-apt-muddywater\/\">CISA warns of cyberespionage by Iranian APT &#8220;MuddyWater&#8221;<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11029,15496,23583,25132,25133,25134,6627,25135,25136,10600,25137,23135,10626,3924,25138,25139,25140],"class_list":["post-18372","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-apt","tag-awareness","tag-cisa","tag-csa","tag-cybersecurity-advisory","tag-earth-vetala","tag-fbi","tag-iranian-apt","tag-mercury","tag-mfa","tag-muddywater","tag-ncsc","tag-nsa","tag-phishing","tag-seedworm","tag-static-kitten","tag-temp-zargos"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18372"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18372\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?par
ent=18372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18372"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}