One Article Review

Source RiskIQ
Identifier 8492017
Publication date 2024-05-01 19:01:06 (viewed: 2024-05-01 20:08:08)
Title MuddyWater Campaign Abusing Atera Agents
Text

#### Targeted Geolocations
- Israel
- India
- Algeria
- Italy
- Egypt
- Türkiye

#### Targeted Industries
- Transportation Systems
- Aviation
- Information Technology
- Healthcare & Public Health
- Government Agencies & Services
- General Public Services
- Federal

## Snapshot
Researchers at HarfangLab have been monitoring a campaign by the Iran-based threat group MuddyWater, tracked by Microsoft as [Mango Sandstorm](https://sip.security.microsoft.com/intel-profiles/36949e052b63fa06ee586aef3d1fec8dd2e1b567e231d88c28c16299f9b25340), characterized by the use of Remote Monitoring and Management (RMM) tools.

## Description
According to HarfangLab, MuddyWater has used legitimate RMM software in its attacks since at least 2021; HarfangLab has been monitoring this specific campaign, which uses Atera Agent, since October 2023. Leveraging Atera's free trial offers, the agents seen in this campaign were registered with both compromised enterprise email accounts and personal email accounts.

The infection chain begins with spearphishing emails. These emails are highly tailored to the victim organization and contain malicious attachments or links. Upon interaction, MuddyWater uses free file-sharing sites to host the RMM software, in this case Atera Agent, giving the group remote access to and control over compromised systems. The group likely does not rely on the

Subsequently, the group is able to execute commands, conduct reconnaissance, and move laterally across the network, facilitating the deployment of additional malware payloads that let the group maintain persistence and exfiltrate sensitive data.
## Microsoft Analysis
Microsoft Threat Intelligence has identified that this campaign is likely attributable to the actor Microsoft tracks as Mango Sandstorm, an Iranian nation-state actor with ties to Iran's Ministry of Intelligence and Security (MOIS).

In past operations, Mango Sandstorm has primarily, but not exclusively, sought to collect information assessed to have strategic value, typically from organizations in the aviation, education, defense, energy, government, and telecommunications sectors in the Middle East and North Africa.

Mango Sandstorm tends to favor spearphishing attacks. In this and prior campaigns, the group has been observed using commercial RMM tools to achieve persistence in a target environment. Mango Sandstorm has been identified attempting to deliver Atera, SimpleHelp, RPort, N-able Advanced Monitoring Agent, Splashtop, Syncro, and AnyConnect.

## Detections
Because the tools used in these campaigns have legitimate uses, they are not typically detected as malicious, and proactive hunting is recommended.

## Recommendations
Microsoft recommends the following mitigations to reduce the impact of activity associated with Mango Sandstorm's operations.

- Use the Attack Simulator in Microsoft Defender for Office 365 to run realistic, yet safe, simulated phishing and password-attack campaigns in your organization, training end users not to click URLs in unsolicited messages and not to disclose their credentials. Training should include checking for poor spelling and grammar in phishing emails or in an application's consent screen, as well as spoofed app names, logos, and domain URLs that appear to originate from legitimate applications or companies. Note: Attack Simulator testing currently only supports phishing emails containing links.
- Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
- Harden internet-facing assets and identify and se
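The Detections section notes that RMM agents are legitimate software and must be hunted for rather than signature-blocked. The script below is an added example of that hunting logic and is not code from RiskIQ, Microsoft or HarfangLab. It walks process-creation events and surfaces RMM installs that deviate from an approved deployment path: an unsanctioned product, an installer run by an ordinary user account, or a parent process that indicates a download-and-run from a browser or mail client (the pattern the campaign's file-sharing delivery would produce). The event schema, the product keyword list, the approved-product and approved-account allowlists, the user-facing parent list, and the sample events are all assumptions constructed for this illustration.

```python
"""Hunt for RMM agent activity outside the approved deployment path.

Added example; not from the RiskIQ/Microsoft write-up or from HarfangLab.
The event schema, keyword list, allowlists and sample events are assumed.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed: lowercase substrings identifying the RMM products the report
# names. Substring matching is deliberately loose for hunting; production
# rules should key on vendor-documented binary names and signing publishers.
RMM_KEYWORDS = {
    "atera": "Atera",
    "simplehelp": "SimpleHelp",
    "rport": "RPort",
    "n-able": "N-able",
    "advanced monitoring agent": "N-able",
    "splashtop": "Splashtop",
    "syncro": "Syncro",
    "anyconnect": "AnyConnect",
}

# Assumed organisational policy: one sanctioned product, installed only by a
# dedicated deployment account. Trial-registered agents carry the vendor's
# signature too, so the installing account and path matter, not the signer.
APPROVED_RMM = {"Splashtop"}
APPROVED_INSTALLER_ACCOUNTS = {"CORP\\svc-rmm-deploy"}

# Assumed: parents that indicate a user-driven download-and-run.
USER_FACING_PARENTS = ("outlook.exe", "winword.exe", "excel.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (assumed, Sysmon-like schema)."""
    host: str
    user: str
    image: str          # full path of the new process
    cmdline: str
    parent_image: str


@dataclass
class Finding:
    host: str
    user: str
    product: str
    reasons: list


def identify_rmm(event: ProcessEvent) -> Optional[str]:
    """Return the RMM product an event refers to, or None."""
    text = f"{event.image} {event.cmdline}".lower()
    for keyword, product in RMM_KEYWORDS.items():
        if keyword in text:
            return product
    return None


def hunt(events: list) -> list:
    """Flag RMM activity that deviates from the approved deployment path."""
    findings = []
    for ev in events:
        product = identify_rmm(ev)
        if product is None:
            continue
        reasons = []
        if product not in APPROVED_RMM:
            reasons.append(f"{product} is not an approved RMM product")
        if ev.user not in APPROVED_INSTALLER_ACCOUNTS:
            reasons.append(f"run by non-deployment account {ev.user}")
        parent = ev.parent_image.lower()
        if any(parent.endswith(p) for p in USER_FACING_PARENTS):
            reasons.append(f"spawned from user-facing app {ev.parent_image}")
        if reasons:
            findings.append(Finding(ev.host, ev.user, product, reasons))
    return findings


# Constructed sample telemetry: a sanctioned SCCM deployment, an unrelated
# benign process, and two installs that should be surfaced.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\svc-rmm-deploy",
                 "C:\\Windows\\ccmcache\\a1\\SplashtopStreamer.exe",
                 "SplashtopStreamer.exe /s",
                 "C:\\Windows\\CCM\\CcmExec.exe"),
    ProcessEvent("WS01", "CORP\\jdoe",
                 "C:\\Windows\\System32\\notepad.exe",
                 "notepad.exe notes.txt",
                 "C:\\Windows\\explorer.exe"),
    ProcessEvent("WS17", "CORP\\jdoe",
                 "C:\\Windows\\System32\\msiexec.exe",
                 "msiexec.exe /i C:\\Users\\jdoe\\Downloads\\AteraAgent.msi /qn",
                 "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"),
    ProcessEvent("SRV02", "CORP\\jdoe",
                 "C:\\Users\\jdoe\\Downloads\\SimpleHelp-Remote-Access.exe",
                 "SimpleHelp-Remote-Access.exe /S",
                 "C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} {f.product}: " + "; ".join(f.reasons))
```

Running the script reports the Atera install on WS17 (unapproved product, ordinary user, launched from Chrome) and the SimpleHelp install on SRV02 (unapproved product, ordinary user), while the SCCM-delivered Splashtop streamer is silent. The same three checks translate directly into a scheduled query over real endpoint telemetry; the point of keying on the installing account and parent process rather than the binary's signature is that a trial-registered agent is signed by the vendor exactly like a sanctioned one.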
Sent Yes
Tags Threat Malware Tool Commercial Medical
Notes ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.