MuddyWater
Country: Islamic Republic of Iran Organization: Ministry of Intelligence and Security (MOIS) Objective: Espionage (Page last updated December 05, 2024)
Aliases:
- ATK 51 (Thales)
- Cobalt Ulster (SecureWorks)
- Boggy Serpens (Unit 42)
- Earth Vetala (Trend Micro)
- ENT-11 (NTT Security)
- ITG17 (IBM)
- Mango Sandstorm (Microsoft)
- MERCURY (formerly used by Microsoft)
- MuddyWater (CERTFA, Check Point, Cisco Talos Intelligence, Clearsky, Deep Instinct, ESET Research, Group-IB, MITRE, Kaspersky, Trellix, Unit 42)
- Seedworm (Symantec)
- Static Kitten (CrowdStrike)
- T-APT-14 (Tencent)
- TA450 (Proofpoint)
- TEMP.Zagros (FireEye)
- Yellow Nix (PWC)
Vulnerabilities Exploited
- CVE-2023-27350 (CVSSv3: 9.8 critical) PaperCut MF/NG Improper Access Control Vulnerability. Source: Microsoft
- CVE-2021-45046 (CVSSv3: 9.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (also related to Log4Shell). Source: Microsoft
- CVE-2021-44228 (CVSSv3: 10.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell). Source: Microsoft
- CVE-2020-0688 (CVSSv3: 8.8 high) Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Source: CISA, SentinelOne
- CVE-2020-1472 (CVSSv3: 10.0 critical) Netlogon Elevation of Privilege Vulnerability (aka ZeroLogon). Source: Clearsky, CISA
- CVE-2020-0688 (CVSSv3: 8.8 high) Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Source: Clearsky
- CVE-2017-0199 (CVSSv3: 7.8 high) Microsoft Office/WordPad Remote Code Execution Vulnerability. Source: Clearsky, CISA
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
- November 20, 2024 β Sophos: Sophos MDR blocks and tracks activity from probable Iranian state actor βMuddyWaterβ
- October 30, 2024 β Cisco Talos: Writing a BugSleep C2 server and detecting its traffic with Snort (malware analysis)
- October 22, 2024 β k3yp0d: Something phishy is happening in Armenia (independent researcher)
- July 15, 2024 β Sekoia: MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign
- July 15, 2024 β Check Point Research: New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns
- May 14, 2024 β ESET Research: ESET APT Activity Report Q4 2023βQ1 2024
- April 24, 2024 β Broadcom: Seedworm exploits Atera Agent in a spear-phishing Campaign
- 22 April 2024 β HarfangLab: Increased activity from Iran sponsored APT MuddyWater, targeting Middle East, African & European organisations.
- April 08, 2024: Unit 42: Boggy Serpens (MuddyWater) Use of AutodialDLL
- April 07, 2024 β Broadcom: Seedworm distributing remote administration management software agents
- March 29, 2024 β Malwation: New MuddyWater Campaigns After Operation Swords of Iron
- March 21, 2024 β Proofpoint: Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign
- March 07, 2024 β Israel National Cyber Directorate: An active phishing campaign in Israeli territory β the Iranian attack group MuddyWater (Hebrew language)
2023
- December 19, 2023 β Symantec: Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa
- November 08, 2023 β Deep Instinct: MuddyC2Go β Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel
- November 01, 2023 β Deep Instinct: MuddyWater eN-Able spear-phishing with new TTPs
- June 29, 2023 β Deep Instinct: PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater
- May 5, 2023 β Microsoft: Twitter: βMicrosoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350.β
- May 02 2023 β ESET Research: APT groups muddying the waters for MSPs
- April 18, 2023 β Group-IB: SimpleHarm: Tracking MuddyWaterβs infrastructure
- April 07, 2023 β Microsoft: MERCURY and DEV-1084: Destructive attack on hybrid environment
2022
- December 08, 2022 β Deep Instinct: New MuddyWater Threat: Old Kitten; New Tricks
- September 09, 2022 β U.S. Treasury: Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities
- August 25, 2022 β Microsoft: MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
- June 21, 2022 β Lab52: MuddyWaterβs βlightβ first-stager targeting Middle East
- May 11, 2022 β NTT Security: Analysis of an Iranian APTs βE400β PowGoop variant reveals dozens of control servers dating back to 2020
- March 14, 2022 β EclecticIQ: MuddyWater APT attributed to Iranian Ministry of Intelligence and Security, and the Increasing Global Ransomware Threat
- March 10, 2022 β Cisco Talos: Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
- February 24, 2022 β CISA: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
- February 24, 2022 β NCSC-UK: Malware Analysis Report: Small Sieve (PDF)
- January 31, 2022 β Cisco Talos: Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables
- January 13, 2022 β Picus: TTPs and IOCs Used by MuddyWater APT Group in Latest Attack Campaign
- January 12, 2022 β USCYBERCOM: Iranian intel cyber suite of malware uses open source tools (ATTRIBUTION)
- January 12, 2022 β SentinelOne: Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor
2021
- December 14, 2021 β Symantec: Espionage Campaign Targets Telecoms Organizations across Middle East and Asia
- March 05, 2021 β Trend Micro: Earth Vetala β MuddyWater Continues to Target Organizations in the Middle East
- February 10, 2021 β Anomali: Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies
2020
- October 21, 2020 β Symantec: Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East
- October 15, 2020 β Clearsky: Operation Quicksand
- February 26, 2020 β Secureworks: Business as Usual for Iranian Operations Despite Increased Tensions
2019
- June 09, 2019 β Trend Micro: New MuddyWater Activities Uncovered (PDF)
- June 06, 2019 β Clearsky: Iranian APT group βMuddyWaterβ Adds Exploits to Their Arsenal
- May 29, 2019 β Group-IB: Catching fish in muddy waters
- May 20, 109 β Cisco Talos: Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
- April 29, 2019 β Kaspersky: I know what you did last summer, MuddyWater blending in the crowd
- April 15, 2019 β Clearsky: Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
- April 10, 2019 β Check Point: The Muddy Waters of APT Attacks
- March 07, 2019 β NSHC: SectorD02 PowerShell Backdoor Analysis
2018
- December 10, 2018 β Symantec: Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
- November 30, 2018 β Trend Micro: New PowerShell-based Backdoor, MuddyWater Similarities
- November 28, 2018 β Clearsky: MuddyWater Operations in Lebanon and Oman
- October 10, 2018 β Kaspersky: MuddyWater expands operations
- June 14, 2018 β Trend Micro: Potential MuddyWater Campaign uses PRB-Backdoor
- March 13, 2018 β FireEye: Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
- March 12, 2018 β Trend Micro: Potential MuddyWater Campaign Seen in the Middle East
- March 10, 2018 β Security 0wnage: A Quick Dip into MuddyWater's Recent Activity
- February 01, 2018 β Security 0wnage: Burping on MuddyWater
2017
- November 14, 2017 β Unit 42: Muddying the Water: Targeted Attacks in the Middle East
- October 04, 2017 β Security 0wnage: Continued Activity targeting the Middle East