MuddyWater
Country: Islamic Republic of Iran Organization: Ministry of Intelligence and Security (MOIS) Objective: Espionage (Page last updated October 26, 2024)
Aliases:
- MuddyWater (CERTFA, Check Point, Cisco Talos Intelligence, Clearsky, Deep Instinct, ESET Research, Group-IB, MITRE, Kaspersky, Trellix, Unit 42)
- Seedworm (Symantec)
- TEMP.Zagros (FireEye)
- Static Kitten (CrowdStrike)
- MERCURY (formerly used by Microsoft)
- Mango Sandstorm (Microsoft)
- Boggy Serpens (Unit 42)
- ENT-11 (NTT Security)
- TA450 (Proofpoint)
- Cobalt Ulster (SecureWorks)
- ATK 51 (Thales)
- T-APT-14 (Tencent)
- ITG17 (IBM)
- Yellow Nix (PWC)
- Earth Vetala (Trend Micro)
Vulnerabilities Exploited
- CVE-2023-27350 (CVSSv3: 9.8 critical) PaperCut MF/NG Improper Access Control Vulnerability. Source: Microsoft
- CVE-2021-45046 (CVSSv3: 9.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (also related to Log4Shell). Source: Microsoft
- CVE-2021-44228 (CVSSv3: 10.0 critical) Apache Log4j2 Remote Code Execution Vulnerability (aka Log4Shell). Source: Microsoft
- CVE-2020-0688 (CVSSv3: 8.8 high) Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Source: CISA, SentinelOne
- CVE-2020-1472 (CVSSv3: 10.0 critical) Netlogon Elevation of Privilege Vulnerability (aka ZeroLogon). Source: Clearsky, CISA
- CVE-2020-0688 (CVSSv3: 8.8 high) Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Source: Clearsky
- CVE-2017-0199 (CVSSv3: 7.8 high) Microsoft Office/WordPad Remote Code Execution Vulnerability. Source: Clearsky, CISA
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
- October 22, 2024 – k3yp0d: Something phishy is happening in Armenia (independent researcher)
- July 15, 2024 – Sekoia: MuddyWater replaces Atera by custom MuddyRot implant in a recent campaign
- July 15, 2024 – Check Point Research: New BugSleep Backdoor Deployed in Recent MuddyWater Campaigns
- May 14, 2024 – ESET Research: ESET APT Activity Report Q4 2023–Q1 2024
- April 24, 2024 – Broadcom: Seedworm exploits Atera Agent in a spear-phishing Campaign
- 22 April 2024 – HarfangLab: Increased activity from Iran sponsored APT MuddyWater, targeting Middle East, African & European organisations.
- April 08, 2024: Unit 42: Boggy Serpens (MuddyWater) Use of AutodialDLL
- April 07, 2024 – Broadcom: Seedworm distributing remote administration management software agents
- March 29, 2024 – Malwation: New MuddyWater Campaigns After Operation Swords of Iron
- March 21, 2024 – Proofpoint: Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign
- March 07, 2024 – Israel National Cyber Directorate: An active phishing campaign in Israeli territory – the Iranian attack group MuddyWater (Hebrew language)
2023
- December 19, 2023 – Symantec: Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa
- November 08, 2023 – Deep Instinct: MuddyC2Go – Latest C2 Framework Used by Iranian APT MuddyWater Spotted in Israel
- November 01, 2023 – Deep Instinct: MuddyWater eN-Able spear-phishing with new TTPs
- June 29, 2023 – Deep Instinct: PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater
- May 5, 2023 – Microsoft: Twitter: “Microsoft has now observed Iranian state-sponsored threat actors Mint Sandstorm (PHOSPHORUS) & Mango Sandstorm (MERCURY) exploiting CVE-2023-27350.”
- May 02 2023 – ESET Research: APT groups muddying the waters for MSPs
- April 18, 2023 – Group-IB: SimpleHarm: Tracking MuddyWater’s infrastructure
- April 07, 2023 – Microsoft: MERCURY and DEV-1084: Destructive attack on hybrid environment
2022
- December 08, 2022 – Deep Instinct: New MuddyWater Threat: Old Kitten; New Tricks
- September 09, 2022 – U.S. Treasury: Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities
- August 25, 2022 – Microsoft: MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations
- June 21, 2022 – Lab52: MuddyWater’s “light” first-stager targeting Middle East
- May 11, 2022 – NTT Security: Analysis of an Iranian APTs “E400” PowGoop variant reveals dozens of control servers dating back to 2020
- March 14, 2022 – EclecticIQ: MuddyWater APT attributed to Iranian Ministry of Intelligence and Security, and the Increasing Global Ransomware Threat
- March 10, 2022 – Cisco Talos: Iranian linked conglomerate MuddyWater comprised of regionally focused subgroups
- February 24, 2022 – CISA: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks
- February 24, 2022 – NCSC-UK: Malware Analysis Report: Small Sieve (PDF)
- January 31, 2022 – Cisco Talos: Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables
- January 13, 2022 – Picus: TTPs and IOCs Used by MuddyWater APT Group in Latest Attack Campaign
- January 12, 2022 – USCYBERCOM: Iranian intel cyber suite of malware uses open source tools (ATTRIBUTION)
- January 12, 2022 – SentinelOne: Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor
2021
- December 14, 2021 – Symantec: Espionage Campaign Targets Telecoms Organizations across Middle East and Asia
- March 05, 2021 – Trend Micro: Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East
- February 10, 2021 – Anomali: Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies
2020
- October 21, 2020 – Symantec: Seedworm: Iran-Linked Group Continues to Target Organizations in the Middle East
- October 15, 2020 – Clearsky: Operation Quicksand
- February 26, 2020 – Secureworks: Business as Usual for Iranian Operations Despite Increased Tensions
2019
- June 09, 2019 – Trend Micro: New MuddyWater Activities Uncovered (PDF)
- June 06, 2019 – Clearsky: Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal
- May 29, 2019 – Group-IB: Catching fish in muddy waters
- May 20, 109 – Cisco Talos: Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques
- April 29, 2019 – Kaspersky: I know what you did last summer, MuddyWater blending in the crowd
- April 15, 2019 – Clearsky: Iranian APT MuddyWater Attack Infrastructure Targeting Kurdish Political Groups and Organizations in Turkey
- April 10, 2019 – Check Point: The Muddy Waters of APT Attacks
- March 07, 2019 – NSHC: SectorD02 PowerShell Backdoor Analysis
2018
- December 10, 2018 – Symantec: Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms
- November 30, 2018 – Trend Micro: New PowerShell-based Backdoor, MuddyWater Similarities
- November 28, 2018 – Clearsky: MuddyWater Operations in Lebanon and Oman
- October 10, 2018 – Kaspersky: MuddyWater expands operations
- June 14, 2018 – Trend Micro: Potential MuddyWater Campaign uses PRB-Backdoor
- March 13, 2018 – FireEye: Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
- March 12, 2018 – Trend Micro: Potential MuddyWater Campaign Seen in the Middle East
- March 10, 2018 – Security 0wnage: A Quick Dip into MuddyWater's Recent Activity
- February 01, 2018 – Security 0wnage: Burping on MuddyWater
2017
- November 14, 2017 – Unit 42: Muddying the Water: Targeted Attacks in the Middle East
- October 04, 2017 – Security 0wnage: Continued Activity targeting the Middle East