According to a joint release by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber Command Cyber National Mission Force (CNMF), and the United Kingdom’s National Cyber Security Centre (NCSC) they have witnessed an Iranian government-sponsored campaign known as MuddyWater. The goal of this campaign is to deploy malware and steal passwords from multiple organizations, industries, and countries around the globe. The group typically uses a phishing lure to begin their attack and tries to coax an employee of the target company to download an Excel file with malicious macros. From there, the threat actors used various types of malware to infect the company and steal sensitive data including passwords. Threat actors have also been seen using old vulnerabilities to make their way into networks and download malware. The different types of malware used can be found in the source article.
Analyst Notes
These tactics are not uncommon and security training should include ways to prevent these attacks from happening. This includes training employees on how to spot a phishing email and to always have macros disabled and to only enable them when the document comes from a trusted source. Companies should also know that old vulnerabilities are always targeted by threat actors that can prey on companies that do not download security patches. These should be downloaded as soon possible and be tested to ensure they do not affect any other systems within the organization. In the event that the threat actor is successful in stealing passwords, utilizing Multi-Factor Authentication (MFA) for all accounts within an organization can help prevent the threat actor from logging in with the stolen password. If possible, MFA should be set up with a trusted third-party application and not through SMS, as threat actors can intercept the SMS MFA codes that are sent to the employees’ devices.
https://www.zdnet.com/article/irans-hackers-are-using-these-tools-to-steal-passwords-and-deliver-ransomware-say-fbi-and-cisa/
