
Microsoft: Iranian Gov Hackers Caught in Azure Wiper Attacks

Microsoft has issued a warning regarding the cyberattacks conducted by the Iranian advanced persistent threat (APT) actors MuddyWater and DEV-1084, which are disguised as ransomware. MuddyWater is officially linked to Iran’s Ministry of Intelligence and Security and has been launching espionage campaigns against targets in the Middle East since at least 2017. DEV-1084 is connected to MuddyWater and is believed to be either an independent cybercriminal group or a subgroup of the APT.

MuddyWater gains initial access by exploiting unpatched internet-facing devices and then hands that access off to DEV-1084. DEV-1084 deploys web shells, creates administrative user accounts, and installs legitimate remote access tools. It then uses highly privileged credentials and domain controller access to carry out destructive operations and to stage large-scale encryption. Microsoft also observed the attackers abusing compromised Azure Active Directory (Azure AD) accounts that held global administrator privileges.

Microsoft observed that the attackers use tunneling tools to hide command-and-control (C&C) communication, and that they return to perform new actions weeks or months after completing an earlier step. The group was also seen deploying the DarkBit ransomware to the Netlogon shares of several domain controllers and registering a scheduled task to launch the payload.
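The staging pattern described above, a payload dropped into a domain controller's Netlogon share and launched through a newly registered scheduled task, is visible to defenders in the Windows Security log: event 4698 ("A scheduled task was created") carries the full task definition XML in its TaskContent field. The script below is an added example, not code from the original post or from Microsoft; it parses that XML and flags any task whose action runs from a NETLOGON or SYSVOL path. The sample events, host names, user names, task names and file names are constructed placeholders, not indicators from the report.

```python
"""Flag newly registered scheduled tasks that launch a binary from a Netlogon or SYSVOL share.

Added example, not code from the original post or from Microsoft. Windows records
Security event 4698 ("A scheduled task was created") with the full task definition
XML in the TaskContent field. The sample events below are constructed; the host,
user, task and file names in them are placeholders.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# UNC paths into a NETLOGON or SYSVOL share, or the local folder those shares are
# served from on a domain controller. Matching is case-insensitive.
SHARE_LAUNCH = re.compile(
    r"^(?:\\\\[^\\]+\\(?:netlogon|sysvol)\\|[a-z]:\\windows\\sysvol\\)",
    re.IGNORECASE,
)

# Real TaskContent starts with an encoding="UTF-16" declaration, which ElementTree
# rejects when handed a Python str, so drop the declaration before parsing.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def task_actions(task_xml):
    """Return (command, arguments) pairs from every <Exec> action in a task definition."""
    root = ET.fromstring(XML_DECL.sub("", task_xml, count=1))
    actions = []
    for exec_node in root.iter(TASK_NS + "Exec"):
        command = exec_node.findtext(TASK_NS + "Command", default="").strip().strip('"')
        arguments = exec_node.findtext(TASK_NS + "Arguments", default="").strip()
        actions.append((command, arguments))
    return actions


def launched_from_share(command):
    """True if the action's executable lives in a NETLOGON/SYSVOL share."""
    return bool(SHARE_LAUNCH.match(command))


def find_share_launched_tasks(events):
    """Scan parsed Security events; return one finding per 4698 action rooted in a share."""
    findings = []
    for event in events:
        if event.get("EventID") != 4698:
            continue
        for command, arguments in task_actions(event["TaskContent"]):
            if launched_from_share(command):
                findings.append({
                    "computer": event["Computer"],
                    "creator": event["SubjectUserName"],
                    "task": event["TaskName"],
                    "command": command,
                    "arguments": arguments,
                })
    return findings


def _task_xml(command, arguments=""):
    """Build a minimal task definition in the shape Windows writes into TaskContent."""
    return (
        '<?xml version="1.0" encoding="UTF-16"?>'
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed sample events (placeholder names, not real indicators).
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "DC01.corp.example", "SubjectUserName": "svc_backup",
     "TaskName": r"\Microsoft\Windows\DiskCleanup\SilentCleanup",
     "TaskContent": _task_xml(r"C:\Windows\System32\cleanmgr.exe", "/autoclean")},
    {"EventID": 4698, "Computer": "DC01.corp.example", "SubjectUserName": "adm_tmp",
     "TaskName": r"\Updater",
     "TaskContent": _task_xml(r"\\DC01\NETLOGON\payload.exe")},
    {"EventID": 4698, "Computer": "DC02.corp.example", "SubjectUserName": "adm_tmp",
     "TaskName": r"\Updater",
     "TaskContent": _task_xml(r'"C:\Windows\SYSVOL\sysvol\corp.example\scripts\run.bat"')},
    # A task update (4702) carries the same fields but is outside this rule's scope.
    {"EventID": 4702, "Computer": "DC01.corp.example", "SubjectUserName": "svc_backup",
     "TaskName": r"\Updater",
     "TaskContent": _task_xml(r"\\DC01\NETLOGON\payload.exe")},
]


if __name__ == "__main__":
    for hit in find_share_launched_tasks(SAMPLE_EVENTS):
        print(f"{hit['computer']}: {hit['creator']} registered {hit['task']} -> {hit['command']}")
```

Run against the constructed sample set, the rule ignores the benign cleanup task and the 4702 update and reports the two registrations whose command resolves into a Netlogon or SYSVOL location. In a real deployment the same logic would be fed from exported 4698 events on domain controllers, and the creator account in each finding is the natural pivot for checking against the recently created administrative accounts the report also describes.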

In conclusion, the Iranian APT actors MuddyWater and DEV-1084 have been found launching destructive cyberattacks disguised as ransomware. The threat actors use a variety of methods to gain access to their targets, including remote exploitation of internet-facing devices and abuse of Azure AD accounts with global administrator privileges. They also use legitimate tools for remote access, hide C&C communication behind tunneling tools, and deploy ransomware.

Key Points:

  • Iranian APT actors MuddyWater and DEV-1084 launch destructive cyberattacks disguised as ransomware.
  • MuddyWater is linked to Iran’s Ministry of Intelligence and Security.
  • The group gains access to their targets through remote exploitation of internet-facing devices and abuses Azure AD accounts with global administrator privileges.
  • They use legitimate tools for remote access, hide C&C communication behind tunneling tools, and deploy ransomware.
