MuddyWater has various campaigns that are entirely different from each other. In this post we will focus on the most recent changes and observations of their campaign which utilizes spearphishing with legitimate remote administration tools.
Remote Administration Tools – Emerging Threats
In July 2022 a potential file related to this campaign was observed, but it contained Atera Agent instead of the usual ScreenConnect, potentially signaling the threat actor switched to another remote administration tool to avoid detection of their long running campaign.
We have recently described other dual-use tools that are being abused for malicious purposes. We recommend that security teams monitor for remote desktop solutions that are not common in the organization as they have a higher chance of being abused.
In 2020-2022, the Iran-sponsored MuddyWater (Static Kitten, Mercury) group cycled through abusing several legitimate remote administration tools: RemoteUtilities, followed by ScreenConnect and then Atera Agent. Since September 2022, a new campaign attributed to MuddyWater uses spearphishing to deliver links to archived MSI files carrying yet another remote administration tool: Syncro. Deep Instinct researchers observed the targeting of Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates.
Analyst Comment: Network defenders are advised to establish a baseline for typical running processes and monitor for remote desktop solutions that are not common in the organization.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566; [MITRE ATT&CK] Remote Access Tools - T1219
Tags: mitre-group:MuddyWater, actor:Static Kitten, actor:Mercury, Iran, source-country:IR, APT, Cyberespionage, Ministry of Intelligence and Security, detection:Syncro, malware-type:RAT, file-type:MSI, file-type:ZIP, OneHub, Windows
But the advantages offered by remote management software exposed to the internet may also pose significant risk to the security of your customer payment card information. Attackers, too, can gain access to these remote access tools - often by cracking weak passwords - to bypass security measures and laterally advance across your network. According to the 2016 Trustwave Global Security Report, insecure remote access software and policies, at 13 percent, contributed to the largest share of compromises Trustwave investigated in 2015 - and nearly all POS breaches in the year prior.
A webshell is a script or web page that enables remote administration of the underlying machine by a remote user. Most webshells are written in languages known to be supported by most web servers, e.g. PHP, Python, Ruby, Perl and ASP.
The oldest legitimate remote access software was built in the late 1980s, when tools such as NetSupport appeared. Soon after that, in 1996, their first malicious counterparts were created. NokNok and D.I.R.T. were among the first, followed by NetBus, Back Orifice and SubSeven.
In 2022, remote access tools continue to provide versatile support to organizations. By controlling devices remotely from across the globe, IT teams save on response costs, travel times, and can receive remote support from external parties like contractors [1 & 2]. This is particularly relevant in cases involving specialty machines such as OT/ICS systems where physical access is sometimes limited. These tools, however, come with their own risks. The following blog will discuss these risks and how they can be addressed (particularly in OT environments) by looking at two exploit examples from the popular sphere and within the Darktrace customer base.
One of the most popular remote tools is TeamViewer, a comprehensive videoconferencing and remote management tool which can be used on both desktop and handheld devices [3]. Like other sophisticated tools, when it works as intended, it can seem like magic. However, remote access tools can be exploited and may grant privileged network access to potential threat actors. Although TeamViewer needs to be installed on both perpetrator and victim devices, if an attacker has access to a misconfigured TeamViewer device, it becomes trivial to establish a foothold and deploy malware.
Darktrace gives security teams the opportunity for a proactive response, and it is up to those teams to utilize that opportunity. In recent months our SOC Team has also seen remote access tools being abused in high-profile threats. In one example, Darktrace detected a ransomware attack supported by the installation of AnyDesk.
Looking back at Oldsmar, it is clear that being aware of remote access tools is only half the battle. More importantly, most organizations are asking if their use in attacks can be prevented in the first place. As an off-the-shelf tool, restricting TeamViewer use seems like an easy solution but such tools are often essential for maintenance and support operations. Even if limited to privileged users, these accounts are also subject to potential compromise. Instead, companies can take a large-scale view and consider the environment in which the Oldsmar attack occurred.
In conclusion, TeamViewer and other remote access tools offer a lot of convenience for security teams but also for attackers. Attackers can remotely access important systems including those in the industrial network and install malware using remote access tools as leverage. Security teams need to know both their normal authorized activities and how to enforce them. With Darktrace DETECT, the tools are given transparency, with Darktrace RESPOND they can be blocked, and now Darktrace PREVENT/ASM helps to mitigate the risk of attack before it happens. As the professional world continues to embrace hybrid working, it becomes increasingly crucial to embrace these types of products and ensure protection against the dangers of unwanted remote access.
The proliferation of new equipment presents challenges for security teams. They need to make sure that devices are protected from malware and viruses. Whether it is a BYOD device, or a corporate device used remotely by an employee, the organization needs to ensure security tools can be installed, managed and supported remotely.
However, many security teams do not have visibility over remote user activity, and cannot monitor east-west traffic on their local networks, making it difficult to detect advanced threats. This raises the possibility of attackers compromising a remote device, using it to connect to corporate assets, and then moving laterally to compromise other systems.
SASE takes complete ownership of remote access in an organization, eliminating VPN, physical equipment, and backhauling solutions, and managing remote access using virtualized appliances. It can not only facilitate remote access and authenticate users, but also filter content being transferred on the network, detect and prevent malware and a host of other security threats.
Managed services providers (MSPs) are facing increased cyber security concerns in two areas. First, when selling cyber security, there are increasing threats to their customers. Second, the emerging cyber security threats the MSPs are facing against their own systems are keeping them up at night.
In June of last year, the Secret Service issued a security alert [4] based on the work of their investigations team, the Global Investigations Operations Center (GIOC). They wanted MSPs to know that the number of cyber attacks on MSPs was growing, especially due to the remote administration tools MSPs use. MSPs must be mindful of this threat to protect themselves as well as their customers.
With that adoption and surge in the use of digital platforms, ZeroFox has identified an uptick in digital threats targeting those platforms, from phishing to information leakage to fraud and scams. In order to operate securely in this new remote-first work environment, security teams must review previously established security protocols and evolve practices to meet new standards.
Understanding the threats facing your organization in this rapidly changing environment is the first step towards protecting your employees and brand online. ZeroFox compiled four steps security professionals can take today to address these emerging threats that have resulted from this remote-first environment. Read the full report and feel free to share your own experiences adapting security policies and procedures with us and on social media. Download the report here.
First discovered in February 2022, BatLoader uses legitimate tools, like Syncro and the Atera remote access software, to maintain access to infected systems. Since October 2022, Talos has observed a general uptick in our endpoint telemetry and Talos IR investigations associated with BatLoader, which deploys a variety of secondary malware payloads including the Vidar information stealer and the commodity loader Ursnif/Gozi. In one BatLoader engagement, the initial access vector relied on phishing and/or search engine optimization (SEO) poisoning to lure users to download the malware from attacker-created websites. This is consistent with public reporting on typical BatLoader infections. After initial access was established, the BatLoader infection chain leveraged multiple PowerShell and batch scripts to download tools and components needed for subsequent stages of the attack.
The Log4Shell vulnerability in the popular Apache Log4j 2 library is a critical zero-day vulnerability that enables bad actors to perform remote code execution (RCE). In this video, we will show you how a team took advantage of their Splunk Intelligence Management solution to save time on the manual handling and curation of indicators related to this emerging threat and to improve their investigation efforts.
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, AnyDesk, Go2Assist, LogMein, AmmyyAdmin, etc., to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.[1]