Iran-linked APT Targets US Critical Sectors with New Backdoors

Since early February 2023, an Iran-linked hacking group known as Seedworm (aka MuddyWater) has been actively targeting networks of several US organizations, raising concerns about the potential for broader cyber operations connected to escalating geopolitical tensions in the Middle East. This advanced persistent threat (APT) group has been linked to Iran's Ministry of Intelligence and Security (MOIS), known for espionage campaigns against government agencies, telecommunications companies, and critical infrastructure.

Symantec and Carbon Black researchers have identified suspicious activity on the networks of several US organizations, including Israeli healthcare companies, EgyptianAir, Jordanian government entities, various UAE companies, US entities, and Jewish/Israeli-linked governmental organizations. The attackers have been trying to exfiltrate data from software companies using previously unknown malware, leveraging open-source tools like Rclone.

The Seedworm group has used malware signed with certificates issued to individuals named “Amy Cherne” and “Donald Gay”, the latter of which is associated with other malicious actors like Stagecomp and Darkcomp. According to researchers, the attackers' goal seems to be espionage, with the aim of stealing sensitive data from targeted software companies.

The cybersecurity community remains vigilant, as the independent threat-intel research collective Ctrl-Alt-Intel has recently accessed infrastructure used by Seedworm/MuddyWater, allowing them to harvest "C2 tooling, scripts, logs, victim data, and other operational artefacts" from a VPS hosted in the Netherlands. By analyzing this data, they have pinpointed other organizations targeted by the group.

The exposed infrastructure provides valuable insights into a MuddyWater operation, showcasing the breadth of their activities:

* Countless organizations targeted
* Multiple custom-developed C2 frameworks
* Exploitation of over a dozen CVEs, including novel SQL injection vulnerabilities
* Password spraying campaigns
* Ethereum-based C2 resolution
* Multiple exfiltration channels spanning cloud storage & EC2 instances

The researchers concluded that MuddyWater continues to demonstrate its willingness to rapidly adopt public exploit code, modify it for operational use, and deploy it at scale – all while developing custom tooling in parallel.

In conclusion, the recent activities of Seedworm (aka MuddyWater) highlight the importance of maintaining robust cybersecurity measures and staying informed about emerging threats. As geopolitical tensions escalate, it's crucial to remain vigilant and proactive in defending against potential cyber attacks.