
New DEV-1084 Group Linked With MuddyWater, Carries Out Destructive Attacks

The Iran-based nation-state threat group MuddyWater (aka Mercury) is known for targeting on-premise and cloud infrastructure. In its recent ongoing attacks, it poses as a ransomware operation but carries a hidden agenda of wiping out systems. For these destructive attacks on hybrid environments, it has partnered with a new and emerging threat actor called DEV-1084.

What’s happening?

According to a report by the Microsoft Threat Intelligence team, the joint campaign attempts to carry out attacks under the guise of ransomware attacks. However, the ultimate goal is to perform mass destruction of resources.
  • MuddyWater group (aka Boggy Serpens, Earth Vetala, and Cobalt Ulster) possibly gains initial access by exploiting vulnerabilities in unpatched applications such as Log4j 2, and that access is later handed off to DEV-1084 for further actions.
  • DEV-1084 performs extensive discovery and reconnaissance, establishes persistent access, and carries out lateral movement across the network, often for several months.

Attack details

During the discovery phase, DEV-1084 abuses the compromised credentials from high-privilege accounts for the next phase of attacks.
  • It encrypts all the connected on-premise devices and deletes all accessible cloud-based resources, including server farms, storage accounts, virtual machines, and virtual networks.
  • It accesses email inboxes via Exchange Web Services and uses them to send spam emails to other employees and external contacts, impersonating a high-ranking employee.
  • Moreover, it performs additional malicious activities, such as installing web shells and remote access tools (RPort, Ligolo, and eHorus), adding new user accounts, privilege escalation, credential theft, and network discovery using native Windows tools and commands (netstat and nltest).

Connection between DEV-1084 and MuddyWater

Researchers identified several common factors, including use of the same infrastructure, IP addresses, and tools, hinting toward a connection between the two groups. 
  • An IP address (146.70.106[.]89) and a domain name (vatacloud[.]com) used by DEV-1084 have been linked to MuddyWater in past attacks.
  • DEV-1084 further uses MULLVAD VPN, the RPort tool, and a custom-developed version of the reverse tunneling tool Ligolo, all of which are known to be used by MuddyWater.
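The discovery commands, remote-access tools and shared infrastructure named above are exactly the artifacts a defender can hunt for in endpoint telemetry. The following is an added example, not code from the report or from Microsoft: it scans constructed process-creation events for the native discovery commands (netstat, nltest), the named remote-access tools, and the two indicators the report ties to both groups, then flags hosts where more than one category fires. The binary names assumed for the tools and the event field layout are assumptions, not facts from the report.

```python
from dataclasses import dataclass

# Discovery commands and remote-access tools named in the report.
# Binary names for the tools are assumptions; the report names tools, not files.
DISCOVERY_COMMANDS = {"netstat", "nltest"}
REMOTE_ACCESS_TOOLS = {"rport", "ligolo", "ehorus"}
# Infrastructure the report links to both DEV-1084 and MuddyWater (defanging removed).
KNOWN_IOCS = {"146.70.106.89", "vatacloud.com"}


@dataclass
class Finding:
    host: str
    rule: str
    evidence: str


def classify_event(event: dict) -> list:
    """Apply the three report-derived rules to one process-creation event."""
    findings = []
    host = event.get("host", "?")
    cmdline = event.get("cmdline", "").lower()
    # Strip the path and .exe so "C:\...\nltest.exe" becomes "nltest".
    exe = event.get("image", "").lower().rsplit("\\", 1)[-1].removesuffix(".exe")
    if exe in DISCOVERY_COMMANDS:
        findings.append(Finding(host, "native-discovery", cmdline))
    if any(tool in exe or tool in cmdline for tool in REMOTE_ACCESS_TOOLS):
        findings.append(Finding(host, "remote-access-tool", exe))
    if event.get("dest", "").lower() in KNOWN_IOCS:
        findings.append(Finding(host, "known-infrastructure", event["dest"]))
    return findings


def hunt(events) -> list:
    return [f for e in events for f in classify_event(e)]


def prioritize(findings, min_rules: int = 2) -> list:
    """Hosts on which at least `min_rules` distinct rules fired; the report
    describes tooling, discovery and infrastructure use coinciding on a host."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\nltest.exe", "cmdline": "nltest /dclist:corp"},
    {"host": "ws01", "image": r"C:\Windows\System32\netstat.exe", "cmdline": "netstat -ano"},
    {"host": "srv02", "image": r"C:\ProgramData\rport\rport.exe", "cmdline": "rport.exe --config rport.conf"},
    {"host": "srv02", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "dest": "146.70.106.89"},
    {"host": "ws03", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule} <- {f.evidence}")
    print("priority hosts:", prioritize(hunt(SAMPLE_EVENTS)))
```

Single netstat or nltest executions are common in administration, so the per-host correlation in `prioritize` is what turns these rules into a usable triage signal rather than a noisy alert.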

The bottom line

MuddyWater is already believed to be a supergroup comprising several sub-groups working under it. Its coordinated attack campaign with DEV-1084 is believed to be another step in the same approach, where the supergroup assigns dedicated tasks to the sub-groups, sharing a pool of infrastructure and resources. Further, DEV-1084 seems to be an espionage-specialized group with skills in network propagation and data theft.

To protect against such threats, experts recommend a defense-in-depth strategy, complemented by a reliable and tested incident response plan.
Cyware Publisher