
Iranian Hackers Caught Executing Dangerous Attacks While Posing as Ransomware

By Esme Greene

Apr 14, 2023

Iran’s state-sponsored MuddyWater group has been observed carrying out destructive operations against hybrid environments while disguising its activity as a ransomware campaign.

Recent research from the Microsoft Security Intelligence team shows that the attacker, which targets both on-premises and cloud infrastructure, is working together with another activity cluster, tracked as DEV-1084, to carry out espionage operations. The destructive behaviour indicates that, despite its appearance as a ransomware campaign, the operation’s primary goal was to cause disruption and destruction.

Who is MuddyWater?

MuddyWater, also tracked as Boggy Serpens, Yellow Nix and other names, is an Iranian actor whose affiliation with the Ministry of Intelligence and Security (MOIS) has been publicly attributed by the US government. It has been reported active since at least 2017.

The MuddyWater group, which is responsible for the attacks, has mostly targeted Middle Eastern nations. Over the past year it has used the Log4Shell vulnerability to compromise Israeli entities.

What’s the criminals’ key aim?

Most of the countries targeted by the group’s attacks are in the Middle East, and over the past year Israeli businesses have been breached through the Log4Shell vulnerability.

After MuddyWater gained access to the target environment, it worked with DEV-1084 to carry out the destructive actions. Using highly privileged credentials that had been obtained, DEV-1084 encrypted on-premises devices and destroyed a sizable number of cloud resources, including server farms, virtual machines, storage accounts and virtual networks.
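The destruction described above leaves a distinctive footprint: one identity deleting many resources of several types within minutes. The following detector, an added example that is not from the article or from Microsoft, runs that check over cloud activity-log records. The record fields (`time`, `caller`, `op`, `type`, `resource`), the sample events and the thresholds are constructed assumptions loosely modelled on a cloud activity log; adapt the field mapping to your provider's schema.

```python
"""Flag a principal that deletes many cloud resources of several kinds in a
short window (mass-deletion detector). Example code, not from the article.
Field names, sample records and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity-log records (not real telemetry). One service
# identity wipes VMs, storage, a network and a server farm in under three
# minutes; an operator deletes two test VMs an hour apart, which is routine.
SAMPLE_EVENTS = [
    {"time": "2023-04-01T02:00:05Z", "caller": "svc-admin@example.test", "op": "delete", "type": "virtualMachines", "resource": "vm-01"},
    {"time": "2023-04-01T02:00:40Z", "caller": "svc-admin@example.test", "op": "delete", "type": "virtualMachines", "resource": "vm-02"},
    {"time": "2023-04-01T02:01:10Z", "caller": "svc-admin@example.test", "op": "delete", "type": "storageAccounts", "resource": "st-logs"},
    {"time": "2023-04-01T02:01:30Z", "caller": "svc-admin@example.test", "op": "delete", "type": "virtualNetworks", "resource": "vnet-prod"},
    {"time": "2023-04-01T02:02:02Z", "caller": "svc-admin@example.test", "op": "delete", "type": "serverFarms", "resource": "plan-web"},
    {"time": "2023-04-01T02:02:45Z", "caller": "svc-admin@example.test", "op": "delete", "type": "storageAccounts", "resource": "st-backups"},
    {"time": "2023-04-01T09:15:00Z", "caller": "ops-user@example.test", "op": "delete", "type": "virtualMachines", "resource": "vm-test-7"},
    {"time": "2023-04-01T10:20:00Z", "caller": "ops-user@example.test", "op": "delete", "type": "virtualMachines", "resource": "vm-test-8"},
    {"time": "2023-04-01T11:00:00Z", "caller": "ops-user@example.test", "op": "write", "type": "virtualMachines", "resource": "vm-test-9"},
]


def parse_time(stamp):
    """Parse the ISO-8601 UTC timestamp used in the constructed records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_mass_deletions(events, window=timedelta(minutes=10), min_deletes=5, min_types=2):
    """Return one alert per caller whose densest `window` of delete operations
    covers at least `min_deletes` resources spanning at least `min_types`
    resource types. Thresholds are illustrative; tune them to your baseline."""
    deletes = defaultdict(list)
    for event in events:
        if event["op"] != "delete":
            continue
        deletes[event["caller"]].append((parse_time(event["time"]), event["type"], event["resource"]))

    alerts = []
    for caller, items in deletes.items():
        items.sort()  # chronological order so the sliding window is valid
        best = None
        start = 0
        for end in range(len(items)):
            # Advance the window start until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            types = {rtype for _, rtype, _ in span}
            if len(span) >= min_deletes and len(types) >= min_types:
                if best is None or len(span) > best["count"]:
                    best = {
                        "caller": caller,
                        "count": len(span),
                        "types": sorted(types),
                        "first": span[0][0].isoformat(),
                        "last": span[-1][0].isoformat(),
                        "resources": [res for _, _, res in span],
                    }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_mass_deletions(SAMPLE_EVENTS):
        print(f"ALERT {alert['caller']}: {alert['count']} deletes across "
              f"{', '.join(alert['types'])} between {alert['first']} and {alert['last']}")
```

The detector keys on breadth as well as volume: a single identity removing compute, storage and network resources together is far less common in normal operations than bulk cleanup of one resource type, so the `min_types` floor cuts down on noise from routine decommissioning. Pairing an alert with a check of which privileged role the caller holds gives the triage context the article's account points to, since the destruction relied on highly privileged credentials.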

Microsoft also observed the threat actors gaining full access to mailboxes through Exchange Web Services. Impersonating an unnamed high-ranking employee, they performed thousands of search operations and sent messages to both internal and external recipients.
