The Iranian state-sponsored group dubbed MuddyWater has been attributed to a previously unseen command-and-control (C2) framework called PhonyC2 that's been put to use by the actor since 2021.
Evidence shows that the custom made, actively developed framework has been leveraged in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a

The Iranian state-sponsored group dubbed **MuddyWater** has been attributed to a previously unseen command-and-control (C2) framework called **PhonyC2** that's been put to use by the actor since 2021.

Evidence shows that the custom made, actively developed framework has been leveraged in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a report shared with The Hacker News.

What's more, additional links have been unearthed between the Python 3-based program and other attacks carried out by MuddyWater, including the ongoing exploitation of PaperCut servers.

"It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework that was written in Python 2," security researcher Simon Kenin said. "MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection."

MuddyWater, also known as Mango Sandstorm (previously Mercury), is a cyber espionage group that's known to operate on behalf of Iran's Ministry of Intelligence and Security (MOIS) since at least 2017.

The findings arrive nearly three months after Microsoft implicated the threat actor for carrying out destructive attacks on hybrid environments, while also calling out its collaboration with a related cluster tracked as Storm-1084 (aka DEV-1084 or DarkBit) for reconnaissance, persistence, and lateral movement.

"Iran conducts cyber operations aiming at intelligence collection for strategic purposes, essentially targeting neighboring states, in particular Iran's geopolitical rivals such as Israel, Saudi Arabia, and Arabic Gulf countries, a continued focus observed in all operations since 2011," French cybersecurity company Sekoia said in an overview of pro-Iranian government cyber attacks.

Attack chains orchestrated by the group, like other Iran-nexus intrusion sets, employ vulnerable public-facing servers and social engineering as the primary initial access points to breach targets of interest.

"These include the use of charismatic sock puppets, the lure of prospective job opportunities, solicitation by journalists, and masquerading as think tank experts seeking opinions," Recorded Future noted last year. "The use of social engineering is a central component of Iranian APT tradecraft when engaging in cyber espionage and information operations."

Deep Instinct said it discovered the PhonyC2 framework in April 2023 on a server that's related to broader infrastructure put to use by MuddyWater in its attack targeting Technion earlier this year. The same server was also found to host Ligolo, a staple reverse tunneling tool utilized by the threat actor.

The connection stems from the artifact names "C:\\programdata\\db.sqlite" and "C:\\programdata\\db.ps1," which Microsoft described as customized PowerShell backdoors used by MuddyWater and which are dynamically generated via the PhonyC2 framework for execution on the infected host.

PhonyC2 is a "post-exploitation framework used to generate various payloads that connect back to the C2 and wait for instructions from the operator to conduct the final step of the 'intrusion kill chain,'" Kenin said, calling it a successor to MuddyC3 and POWERSTATS.

Some of the the notable commands supported by the framework are as follows -

*   **payload**: Generate the payloads "C:\\programdata\\db.sqlite" and "C:\\programdata\\db.ps1" as well as a PowerShell command to execute db.ps1, which, in turn, executes db.sqlite
*   **droper**: Create different variants of PowerShell commands to generate "C:\\programdata\\db.sqlite" by reaching out to the C2 server and writing the encoded contents sent by the server to the file
*   **Ex3cut3**: Create different variants of PowerShell commands to generate "C:\\programdata\\db.ps1" -- a script that contains the logic to decode db.sqlite -- and the final-stage
*   **list**: Enumerate all connected machines to the C2 server
*   **setcommandforall**: Execute the same command across all connected hosts simultaneously
*   **use**: Get a PowerShell shell on a remote computer
*   **persist**: Generate a PowerShell code to enable the operator to gain persistence on the infected host so it will connect back to the server upon a restart

Muddywater is far from the only Iranian nation-state group to train its eyes on Israel. In recent months, various entities in the country have been targeted by at least three different actors such as Charming Kitten (aka APT35), Imperial Kitten (aka Tortoiseshell), and Agrius (aka Pink Sandstorm).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

From MuddyC3 to PhonyC2: Iran's MuddyWater Evolves with a New Cyber Weapon

As cloud adoption grows, organizations need to rethink their approaches to securing hybrid cloud and multicloud environments.

Cloud technology is a powerful tool that facilitates collaboration among distributed workforces and allows businesses to quickly scale their digital workloads. According to a Microsoft survey, 95% of respondents said cloud technology was critical to their organizations' successes, and 86% planned to increase their investments in hybrid cloud and multicloud tech. 

However, cloud technology also comes with increased risks. The lack of visibility and coverage across hybrid and multicloud environments can make it difficult for security teams to identify and resolve risks. Security teams are also being asked to monitor fragmented tools across different clouds, which can make it difficult to create a unified view of their comprehensive security posture. 

Microsoft research from earlier this year found that 86% of surveyed decision-makers believed their current cybersecurity strategies were not sufficient to secure their multicloud environments. So how should organizations adapt their security approach?

**Create a Single-Pane-of-Glass View**

Cloud technology enables businesses to quickly scale their digital workloads because they are not constrained by managing physical devices or IT infrastructure. However, this agility can also make it difficult for them to keep track of their various workloads, data streams, and applications because they are scattered across a mix of different cloud platforms and on-premises locations. Securing a hybrid or multicloud environment requires organizations to have visibility and cross-platform control in a single-pane-of-glass view. That way they can visualize the security posture of multiple workloads at once, regardless of location.

**Use CNAPP For Code-to-Cloud Context**

For many organizations, security and compliance used to be distinct silos — making it difficult for development and security teams to protect applications in the cloud. More than half (54%) of enterprises do not integrate security into their DevOps pipelines, according to Microsoft's "Enterprise DevOps Report." Cloud-native application protection platforms (CNAPPs) integrate these silos into a single, easy-to-reference platform to help organizations secure and protect cloud-native applications.

Strong security hygiene means being able to monitor and remediate code within the same pane-of-glass view that organizations use to manage their overall cloud security posture. CNAPPs enable increased collaboration and integration between development and security teams while also reducing the possibility of code issues being moved into the cloud. By intaking all infrastructure-as-code scanning signals and combining them with data sensitivity, identity, and runtime intelligence, CNAPPs enable security teams to make recommendations and prioritize risks within the context of the entire hybrid or multicloud network.

**Fortify Security Hygiene With Threat Detection and Response**

Active threat detection is a critical component of securing the cloud environment against potential cybersecurity breaches. For example, organizations should examine the connections among applications, data stores, and workstreams to anticipate how threat actors could conceivably move through their environments to compromise operations.

When protecting workloads, it's critical that developers, security administrators, and security operations center analysts are all on the same page. It's also important that organizations take a cohesive, collaborative approach to cloud security by ensuring that all of the key players are working together to build security integrations that cover the full scope of your threat landscape. This can look like embedding anti-malware scanning tools into DevOps to ensure a company's code is protected against malware or preventing attackers from entering its network by hardening container security.

_— This article was written by Yuri Diogenes, a member of the Microsoft Security Team._

3 Tips to Increase Hybrid and Multicloud Security

A new version of the double-extortion group's malware reflects a growing trend among ransomware actors to expand cybercrime opportunities beyond Windows.

The fledgling Akira ransomware group is building momentum and expanding its target base, following other cybercriminal groups by adding capabilities to exploit Linux systems as part of a growing sophistication in its activity, researchers have found.

The gang, which emerged as a cybercriminal force to be reckoned with in April of this year, is primarily known for attacking Windows systems, and maintains a unique data-leak site designed as an interactive command prompt using jQuery.

However, the group — named for a 1988 Japanese anime cult classic featuring a psychopathic biker — is now shifting its tactics to target Linux, with a new version of its ransomware that can exploit systems running the open source OS, researchers from Cyble Research and Intelligence Labs (CRIL) revealed in a blog post published June 29.

This move both reflects Akira's evolution as well as a growing trend among ransomware groups, who now see the opportunity in exploiting the popularity of Linux across enterprise environments. Linux has become the de facto standard for running virtual container-based systems, which are typically the back end for Internet of Things (IoT) devices and mission-critical applications.

"The fact that a previously Windows-centric ransomware group is now turning its attention to Linux underscores the increasing vulnerability of these systems to cyber threats," the researchers wrote in the post.

Indeed, the shift by Akira follows a move by other, more established ransomware — such as Cl0p, Royal, and IceFire ransomware groups — to do the same.

Akira is also expanding rapidly, having in just a few months already compromised 46 publicly disclosed victims — the majority of which are located in the US, the researchers said.

Victims span various industries, but the bulk of the victims have come from the education sector, followed close behind by manufacturing, professional services, BFSI, and construction. Other victims are scattered across assorted verticals, including agriculture and livestock, food and beverage, IT and ITES, real estate, consumer goods, automotive, chemical, and other industries, they said.

Akira primarily is focused on compromising and stealing data from its victims using double-extortion tactics, threatening to leak data on the Dark Web if they don't pay the requested ransom.

**How Akira's Linus-Targeting Works**

The new Linux ransomware file infects systems in the form of a console-based 64-bit executable written in Microsoft Visual C/C++ compiler, the researchers said. Upon execution, it uses the API function _GetLogicalDriveStrings()_ to obtain a list of the logical drives currently available in the system.

The malware then drops a ransom note in multiple folders with the file name "akira\_readme.txt," and proceeds to search for files and directories to encrypt by iterating through them using the API functions _FindFirstFileW()_ and _FindNextFileW()_.

The ransomware uses the "Microsoft Enhanced RSA and AES Cryptographic Provider" libraries to encrypt the victim's machine using a fixed hardcoded base64 encoded public key, renaming encrypted files with the ".akira" extension. It also uses several functions from CryptoAPI in its encryption process, the researchers said.

Akira ransomware also includes an additional features that prevents system restoration using a PowerShell command to execute a WMI query that deletes the shadow copy, they added.

The dropped ransom note provides instructions to the victims for contacting Akira to negotiate terms for paying a ransom. The group often threatens victims with plans to leak the data on its ransomware site (aka double extortion), which indeed displays a list of victims that didn't pay and associated leaks of their data, the researchers said.

**How to Prevent & Mitigate Ransomware**

Researchers made a number of recommendations for how organizations can prevent and mitigate ransomware attacks. They include conducting regular backup practices and keeping those backups offline or in a separate network so that systems can be restored in case of attack, they said.

Organizations also should turn on the automatic software update feature on computers as well as other mobile and connected devices wherever possible and pragmatic, and use reliable and trusted antivirus and Internet security software package on all connected devices, the researchers advised.

As ransomware often hitches a ride on files spread through phishing attacks, corporate users also should refrain from opening untrusted links and email attachments without verifying their authenticity, they added.

The steps taken after a ransomware attack also have an impact on how extensive the damage to a network is. If ransomware is detected on an enterprise system, organizations should immediately detach infected devices on the same network, disconnect any connected external storage devices, and inspect system logs for suspicious events, the researchers added.

Newbie Akira Ransomware Builds Momentum With Linux Shift

Two Mideast nations that were at odds until recently have announced the "Crystal Ball" project, aimed at better protecting against cyberattacks via collaboration and knowledge sharing.

In a watershed moment for two once-fractious regional neighbors, the United Arab Emirates (UAE) and Israel are to work together on a threat intelligence-sharing platform to battle cybersecurity threats.

Announced this week, the “Crystal Ball” project is a digital platform for detecting and repelling hackers via collaboration and knowledge sharing around national-level cyberthreats. It was described as being enabled to "design, deploy and enable regional intelligence enhancement," according to a presentation slide seen during this week's Tel Aviv Cyber Week.

The project will be backed by Microsoft, Israel's Rafael Advanced Defense Systems, and Abu Dhabi's CPX, and an unspecified number of countries will also participate, according to The Circuit.

**The Need for a Joined-up Response**

Emirati cybersecurity chief Mohamed Al Kuwaiti said the platform will enable partner countries to "easily and seamlessly share information," and will be strengthened by the combination of the countries' joint abilities, processing power, and a high volume of data.

In an address to the Cyber Week conference, Al Kuwaiti said, "Cyber threats do not distinguish between nations, do not distinguish between entities or people, and that is why we need to unite against those threats. The Crystal Ball that we are aiming for the whole community will be the first step toward that."

Nadir Izrael, co-founder and CTO of Armis, says he welcomes the joint effort in the Middle East because he is "a strong believer that nations need to work together to develop a comprehensive and effective response to cyber warfare, in order to build a more secure and resilient world."

He adds: "As we saw with the cyberattacks on Israel this late April, coordinated efforts from groups associated with Iran and Russia are looking to increase geopolitical tensions and create instability amongst citizens. In a world that has become polarized, it is a must to invest in cybersecurity measures to protect whole nations from these kinds of attacks."

Izrael also noted that the Crystal Ball project should be a model for others. "Governments and organizations need to take threats seriously, and allocate resources to build robust and resilient cybersecurity systems," he says. "Those advanced systems will allow for threat intelligence, which can help detect malicious behavior and stop an attack even before it happens."

**Improved Diplomatic Relations**

Al Kuwaiti said the UAE's connection with Israeli tech companies has been especially helpful in his country's transition to a digital economy, after the UAE and Israel normalized diplomatic relations as part of the September 2020 Abraham Accords, leading to the bolstering of both commercial and strategic ties between the countries.

Ryan Westman, senior manager of threat intelligence at eSentire, says the collaboration of threat intelligence sharing between Israel and the UAE will be key to better securing the region. "In general, any information-sharing agreement will likely benefit organizations in the countries covered, as the more insights we have on threats and vulnerabilities to organizations, the better the job we can do at responding to those the risk those threats and vulnerabilities present," he says. "By sharing information on those threats and vulnerabilities, the easier it is for security teams to respond to the risks." 

He notes that while information sharing and analysis centers (ISACs) have existed for some time now and are not novel, the collaboration between two states that used to be at geopolitical odds is notable.

"Partnerships like this can have a wider impact, improving the security posture for everyone, because it makes it easier to detect potential issues in the wider threat landscape," he says. "Working together in this way benefits everyone, whether they are in the two countries concerned or in others within the region."

UAE, Israel Ink Pivotal Joint Cyber-Threat Intelligence Agreement

The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware called EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year.
"Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report.
Also called Silent Chollima and Stonefly,

The North Korea-aligned threat actor known as **Andariel** leveraged a previously undocumented malware called **EarlyRat** in attacks exploiting the Log4j Log4Shell vulnerability last year.

"Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report.

Also called Silent Chollima and Stonefly, Andariel is associated with North Korea's Lab 110, a primary hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements collectively tracked under the umbrella name Lazarus Group.

The threat actor, besides conducting espionage attacks against foreign government and military entities that are of strategic interest, is known to carry out cyber crime as an extra source of income to the sanctions-hit nation.

Some of the key cyber weapons in its arsenal include a ransomware strain referred to as Maui and numerous remote access trojans and backdoors such as Dtrack (aka Valefor and Preft), NukeSped (aka Manuscrypt), MagicRAT, and YamaBot.

NukeSped contains a range of features to create and terminate processes and move, read, and write files on the infected host. The use of NukeSped overlaps with a campaign tracked by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) under the name TraderTraitor.

Andariel's weaponization of the Log4Shell vulnerability in unpatched VMware Horizon servers was previously documented by AhnLab Security Emergency Response Center (ASEC) and Cisco Talos in 2022.

The latest attack chain discovered by Kaspsersky shows that EarlyRat is propagated by means of phishing emails containing decoy Microsoft Word documents. The files, when opened, prompt the recipients to enable macros, leading to the execution of VBA code responsible for downloading the trojan.

Described as a simple but limited backdoor, EarlyRat is designed to collect and exfiltrate system information to a remote server as well as execute arbitrary commands. It also shares high-level similarities with MagicRAT, not to mention written using a framework called PureBasic. MagicRAT, on the other hand, employs the Qt Framework.

Another characteristic of the intrusion is the use of legitimate off-the-shelf tools like 3Proxy, ForkDump, NTDSDumpEx, Powerline, and PuTTY for further exploitation of the target.

"Despite being an APT group, Lazarus is known for performing typical cyber crime tasks, such as deploying ransomware, which makes the cybercrime landscape more complicated," Kaspersky said. "Moreover, the group uses a wide variety of custom tools, constantly updating existing and developing new malware."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hacker Group Andariel Strikes with New EarlyRat Malware

Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2022-23264

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Tag

#microsoft