Hive Pro advisory HIVEPRO:186D6EE394314F861D57F4243E31E975

MuddyWater is taking advantage of old vulnerabilities

2021-11-18 11:45:32
Hive Pro
www.hivepro.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

THREAT LEVEL: Red.

For a detailed advisory, download the PDF file here.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC) have issued a joint advisory warning organizations about a state-sponsored APT actor exploiting old Fortinet and ProxyShell vulnerabilities.
Since late March 2021, this Iranian state-sponsored APT actor (MuddyWater) has been breaching vulnerable networks by exploiting Fortinet vulnerabilities. The Hive Pro Threat Research team has issued a detailed and in-depth advisory on the same.
Now, in October 2021, MuddyWater has been gaining initial access to susceptible systems by exploiting the well-known ProxyShell vulnerability (CVE-2021-34473).
It is recommended that organizations patch these vulnerabilities as soon as the patches are available.
The Tactics and Techniques used by MuddyWater are:
TA0042 - Resource Development
    T1588.001 - Obtain Capabilities: Malware
    T1588.002 - Obtain Capabilities: Tool
TA0001 - Initial Access
    T1190 - Exploit Public-Facing Application
TA0002 - Execution
    T1053.005 - Scheduled Task/Job: Scheduled Task
TA0003 - Persistence
    T1136.001 - Create Account: Local Account
    T1136.002 - Create Account: Domain Account
TA0004 - Privilege Escalation
TA0006 - Credential Access
TA0009 - Collection
    T1560.001 - Archive Collected Data: Archive via Utility
TA0010 - Exfiltration
TA0040 - Impact
    T1486 - Data Encrypted for Impact

Patch Link

<https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033>

<http://www.securityfocus.com/bid/108693>

<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473>

References

<https://us-cert.cisa.gov/ncas/alerts/aa21-321a>