MuddyWater: Iranian Espionage Group Targets MSPs


A cyber-espionage group linked to Iran’s Ministry of Intelligence and Security (MOIS) is behind a new malware campaign called MuddyWater. The group is targeting MSPs around the world by abusing SimpleHelp and ConnectWise, remote access tools (RATs) that MSPs use for remote support.

Once a system is compromised, MuddyWater can take a number of actions, including establishing reverse tunnels and running configuration and password dumpers. This enables botnet-style control of systems and data exfiltration.

The malware has so far obfuscated its Command & Control (C&C) systems, making it particularly effective at evading detection. Because of this, traditional EDR/XDR tools with generic configurations have not been particularly accurate at detecting it.

The MuddyWater campaign has quickly spanned the globe impacting MSPs and their customers throughout North America, Saudi Arabia, Egypt, Europe and Africa. The primary targets have been telecommunications, energy verticals (particularly oil & gas), and government agencies.

Acreto Solution

Acreto Ecosystems isolate and limit access only to users, devices, systems and applications that need to interoperate. Moreover, within the Ecosystem, per network or even per individual asset segmentation further isolates systems. Isolated data flows can be layered in to create well-defined communication paths between Ecosystem members.

A positive security model drives the prevention of zero-day and evasive malware. This includes:

  • Inline Encrypted SecureScan to identify malicious payloads in encrypted communications, a real weakness in many security implementations today.
  • Access controls, including limiting communications only to authorized Ecosystem members using specified network protocols and ports, application protocols and application programs.
  • Content controls, limiting the upload and download of particular file types as well as categorizing the sites accessed.

The capabilities are rounded out by full inline threat prevention to identify and mitigate attackers and malicious payloads.

Ecosystem Security Isolation

Ecosystems deliver a dedicated security infrastructure that can be deployed per application, use-case, project or third-party. An Ecosystem inherently limits access only to users, devices, systems and applications that need to interoperate together.

Ecosystems support any technology, on any network, anywhere in the world. These include computers, mobile devices, IoTs, Offices, Clouds, SaaS and Data Centers.

Ecosystems can be configured as:

Open → With inbound or outbound access from or to the Internet or a third-party

Closed → Fully contained with access limited to Ecosystem members

Hybrid → Where some systems have inbound or outbound Internet access while others operate fully contained.

Assets Acreto Secures

Supported Technologies Detail

  1. Access Technologies

    1. Devices

      1. Computer (Org Owned or BYOD)

      2. Mobile Phone / Tablet (Org Owned or BYOD)

    2. Offices

      1. Headquarters

      2. Branch

      3. Small Office / Home Office

    3. Internet-of-Things (IoT)

      1. ATMs

      2. HVAC

      3. Elevator Controls

      4. Fire Safety

      5. Smart TV

      6. many more…

    4. Third Parties

      1. Offices

      2. Devices

      3. Remote Users

  2. Application Delivery Technologies

    1. Data Center

      1. Networks

      2. Servers

      3. Virtual Machines

      4. Containers

    2. Clouds

      1. Cloud Instances

      2. Cloud VPCs / Cloud Networks

    3. SaaS / Third-Party Applications

Eliminate the Internet Attack Surface

Eliminates any and all access from the Internet while Ecosystem members can interoperate with authorized systems and applications.

Eliminate the Internal Attack Surface

Ecosystems can easily isolate individual systems, groups of systems on a shared network, or entire networks, to limit access only to systems that need to interoperate together. This is done with:

  • Micro-Segmentation: Segmenting groups of systems on any shared network, including hostile networks, or the entire network.
  • Nano-Segmentation: Isolating an individual system, device or application to limit access only to other authorized Ecosystem members.

Isolated Data Flows

Isolated data flows can be defined between two Ecosystem members to limit access to specified sources and destinations, network protocols and ports, application protocols as well as application programs.

Encrypted Secure Scan

Secure Scan addresses a key weakness in many security tools today. 90%+ of all communications are encrypted, yet only 10% of organizations have the means to secure these communications. Encrypted Secure Scan decrypts, scans, and re-encrypts communications inline and in real time.

Any malicious content embedded in the encrypted payload is blocked, otherwise the clean and validated communication is delivered to its final destination.

Controls

Access Control

Identity with MFA

  • User: Authorizes access to the Ecosystem by a user’s identity, including MFA, as authenticated by the organization’s Directory Services such as Active Directory or LDAP, as well as third-party Identity Service Providers such as Okta, Ping, Duo, and CloudJump among others.
  • Device: Assigns a unique identity to each device so that a device that does not rely on a user to operate, such as an autonomous application or an IoT device, can be validated before it is allowed to join the Ecosystem.

Network Protocol / Port

Control the network protocol (TCP, UDP, ICMP) and Port (1-65535) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Protocol

Control the application protocol (HTTP, DNS, SMTP, SMB, etc…) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Application Program

Control the application program (MS-Exchange, Oracle, Facebook, GMail, etc…) any Ecosystem member can use to communicate with any other Ecosystem member or Internet resource by IP, user or device identity. Both inbound and outbound Internet flows are supported.

Content

Content Category

Control communication based on content categories such as Adult, Gambling, Politics, Malware sites among 90+ category options.

File Type Upload / Download Controls

Control upload / download of files by type, such as .EXE, PDF, XLS, DOC, SCR, and MSI, among hundreds of options.

Data Leak Prevention

Prevent data leaks by identifying and mitigating the upload or download of sensitive data such as:

  • Credit Cards Upload / Download Controls
  • Social Security Number Upload / Download Controls
  • RegEx Pattern Upload / Download Controls

Threat Prevention

After verification of network protocol, port, application protocol and application program, a deep inspection is performed on all communications. The effectiveness of this method is amplified by inline Encrypted Secure Scan. Threat prevention capabilities utilize two key methods:

  • Threat Signature: Identifies and mitigates known bad exploits, malware, botnets and ransomware.
  • Zero-Day Behavioral Analysis: Looks for behavioral indications of threats based on how the system functions react to the payload, immediately and over time.

Simplicity

Acreto Ecosystems are very easy to provision and deploy. There are no hardware dependencies or associated logistics.

Provisioning an Ecosystem takes 3-5 minutes. Simply give the Ecosystem a unique name, choose the desired bandwidth, and within a few minutes your Ecosystem, providing a dedicated security infrastructure, is ready.

Depending on your connection options for Ecosystem members, deployment can take between 10 minutes to a few hours.

Sustainability

Acreto Ecosystems utilize a sustainable model without any dependency on products and their associated logistics. There are no more updates, upgrades or technology refreshes.

Change Management

Different Ecosystems operate completely independently from one another. Therefore, change management impacts only members of a specified Ecosystem, not the entire organization. This simplifies the traditionally complex change management process.

Policy Management

Policy management also benefits from Ecosystems. Because Ecosystems are specific to a customer scenario such as an application, use-case, project or third-party, all policies apply to that scenario. Moreover, when it’s time for policy cleanup, when an application or use-case is retired, disabling or deleting the Ecosystem automatically prunes the policies. This has traditionally been a complex task that is at best inaccurate.

Mechanism of Attack

  • The first variant of the malware is used to encrypt Windows systems.

  • The malware is written in the Go Programming language and named 8thcurse.exe.

  • The malware was compiled using the open-source tool MinGW.

  • The malware is a 64-bit version and was compiled on 12/2/2023 at 00:10:5

  • The malware uses AES symmetric encryption to encrypt files on the filesystem and keeps the encryption key in a file encrypted with asymmetric RSA encryption.

  • Files that have been encrypted get their extension changed to darkbit and have the string “DARKBIT_ENCRYPTED_FILES” added to their content.

  • The malware waits 10 seconds before starting to encrypt files by default.

  • The malware has several running options, including domain, list, noransom, password, path, thread, and username.

  • The malware defines a mutex (Global\dbdbdbdb) upon starting to prevent multiple executions.

  • The malware uses built-in commands to erase Shadow Copies and prevent restoring files after the encryption phase.

  • The malware was specifically built to attack the Technion, as indicated by the ransom note and hard-coded list of servers on the Technion network.

  • The attacker probably mapped the Technion’s network prior to the attack.

  • The malware contains a list of file extensions that will not be encrypted to prevent operating system failure.

  • Large files are not encrypted as a whole but broken down into multiple parts that are encrypted separately.

  • The malware code can be easily modified modularly to fit the attacker’s purpose.
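The two file-level indicators listed above (the darkbit extension and the “DARKBIT_ENCRYPTED_FILES” string) are enough for a quick incident-response triage of a file share. The script below is an added example, not Acreto’s or the malware author’s code; it walks a directory tree, flags files by either indicator, and builds its own constructed sample tree so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the write-up above (not invented here)
DARKBIT_EXT = ".darkbit"
DARKBIT_MARKER = b"DARKBIT_ENCRYPTED_FILES"


def find_darkbit_artifacts(root, max_read=8 * 1024 * 1024):
    """Walk `root` and report files carrying either indicator.

    Both flags are returned separately so an analyst can spot files the
    encryptor only partially processed (marker written but extension not
    yet renamed, or vice versa). Only the first `max_read` bytes are
    searched so a run over a large share stays bounded.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            has_ext = path.suffix.lower() == DARKBIT_EXT
            try:
                with open(path, "rb") as fh:
                    has_marker = DARKBIT_MARKER in fh.read(max_read)
            except OSError:
                has_marker = False  # unreadable: still reported by extension
            if has_ext or has_marker:
                findings.append({"path": str(path), "extension": has_ext,
                                 "marker": has_marker})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Create a constructed demo directory (placeholder bytes, not real samples)."""
    root = Path(tempfile.mkdtemp(prefix="darkbit_triage_"))
    (root / "report.docx.darkbit").write_bytes(b"\x8f\x12junk" + DARKBIT_MARKER)
    (root / "notes.txt").write_bytes(b"plain text, untouched")
    sub = root / "finance"
    sub.mkdir()
    (sub / "q3.xlsx.darkbit").write_bytes(b"\x00\x01" * 16)           # renamed, no marker
    (sub / "ledger.csv").write_bytes(b"a,b,c\n" + DARKBIT_MARKER)      # marker, not renamed
    return str(root)


if __name__ == "__main__":
    for finding in find_darkbit_artifacts(build_sample_tree()):
        print(finding)
```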


About Acreto

Acreto delivers full-stack cybersecurity without products, logistics or significant security expertise. It creates and consolidates the best of cybersecurity into a single plug-and-play platform with automated updates to stay ahead of threats. Acreto activates enterprise-grade security instantly, so organizations can run safely, easily, and without interruption.

About The Author: Acreto Threat Labs

Interested in seeing Acreto SASE+Plus in action? Let’s start with some basic information.