#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Get the Free Newsletter
SaaS Security

MuddyWater | Breaking Cybersecurity News | The Hacker News

Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa

Iranian Hackers Using MuddyC2Go in Telecom Espionage Attacks Across Africa

Dec 19, 2023 Cyber Espionage / Cyber Attack
The Iranian nation-state actor known as  MuddyWater  has leveraged a newly discovered command-and-control (C2) framework called MuddyC2Go in its attacks on the telecommunications sector in Egypt, Sudan, and Tanzania. The Symantec Threat Hunter Team, part of Broadcom, is  tracking  the activity under the name Seedworm, which is also tracked under the monikers Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Static Kitten, TEMP.Zagros, and Yellow Nix. Active since at least 2017,  MuddyWater  is assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS), primarily singling out entities in the Middle East. The cyber espionage group's use of  MuddyC2Go  was first highlighted by Deep Instinct last month, describing it as a Golang-based replacement for  PhonyC2 , itself a successor to MuddyC3. However, there is evidence to suggest that it may have been employed as early as 2020. While the full extent of MuddyC2Go'
From MuddyC3 to PhonyC2: Iran's MuddyWater Evolves with a New Cyber Weapon

From MuddyC3 to PhonyC2: Iran's MuddyWater Evolves with a New Cyber Weapon

Jun 29, 2023
The Iranian state-sponsored group dubbed MuddyWater has been attributed to a previously unseen command-and-control (C2) framework called  PhonyC2  that's been put to use by the actor since 2021. Evidence shows that the custom made, actively developed framework has been leveraged in the  February 2023 attack on Technion , an Israeli research institute, cybersecurity firm Deep Instinct said in a report shared with The Hacker News. What's more, additional links have been unearthed between the Python 3-based program and other attacks carried out by MuddyWater, including the  ongoing exploitation of PaperCut servers . "It is structurally and functionally similar to  MuddyC3 , a previous MuddyWater  custom C2 framework  that was written in Python 2," security researcher Simon Kenin said. "MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection." MuddyWater, also known as Mango Sandstorm (previously Mercury), is a cyber
Cybersecurity Tactics FinServ Institutions Can Bank On in 2024

Cybersecurity Tactics FinServ Institutions Can Bank On in 2024

Feb 14, 2024Financial Security / Cyber Threats
The landscape of cybersecurity in financial services is undergoing a rapid transformation. Cybercriminals are exploiting advanced technologies and methodologies, making traditional security measures obsolete. The challenges are compounded for community banks that must safeguard sensitive financial data against the same level of sophisticated threats as larger institutions, but often with more limited resources. The FinServ Threat Landscape Recent trends show an alarming increase in sophisticated cyber-attacks. Cybercriminals now deploy advanced techniques like deep fake technology and AI-powered attacks, making it increasingly difficult for banks to differentiate between legitimate and malicious activities. These developments necessitate a shift towards more sophisticated and adaptive cybersecurity measures. Take these industry statistics, for example. Financial firms report 703 cyberattack attempts per week.1 On average, 270 attacks (entailing unauthorized access of data, appl
Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations

Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations

Aug 27, 2022
Iranian state-sponsored actors are leaving no stone unturned to exploit unpatched systems running Log4j to target Israeli entities, indicating the vulnerability's  long tail  for remediation. Microsoft attributed the latest set of activities to the  umbrella threat group  tracked as  MuddyWater  (aka Cobalt Ulster, Mercury, Seedworm, or Static Kitten), which is  linked  to the Iranian intelligence apparatus, the Ministry of Intelligence and Security (MOIS). The attacks are notable for using SysAid Server instances unsecured against the  Log4Shell flaw  as a vector for initial access,  marking  a  departure  from the actors' pattern of leveraging VMware applications for breaching target environments. "After gaining access, Mercury establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack," Microsoft  said . The tech gia
cyber security

The Critical State of AI in the Cloud

websiteWiz.ioArtificial Intelligence / Cloud Security
Wiz Research reveals the explosive growth of AI adoption and what 150,000+ cloud accounts revealed about the AI surge.
Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign

Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign

Mar 10, 2022
The Iranian state-sponsored threat actor known as MuddyWater has been attributed to a new swarm of attacks targeting Turkey and the Arabian Peninsula with the goal of deploying remote access trojans (RATs) on compromised systems. "The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage, intellectual property theft, and deploy ransomware and destructive malware in an enterprise," Cisco Talos researchers Asheer Malhotra, Vitor Ventura, and Arnaud Zobec  said  in a report published today. The group, which has been active since at least 2017, is known for its attacks on various sectors that help further advance Iran's geopolitical and national security objectives. In January 2022, the U.S. Cyber Command attributed the actor to the country's Ministry of Intelligence and Security (MOIS). MuddyWater is also believed to be a "conglomerate of  multiple teams  operating independently rather than a single threat actor group,&q
Iran's MuddyWater Hacker Group Using New Malware in Worldwide Cyber Attacks

Iran's MuddyWater Hacker Group Using New Malware in Worldwide Cyber Attacks

Feb 25, 2022
Cybersecurity agencies from the U.K. and the U.S. have laid bare a new malware used by the Iranian government-sponsored advanced persistent threat (APT) group in attacks targeting government and commercial networks worldwide. "MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors," the agencies  said . The joint advisory comes courtesy of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF), and the U.K.'s National Cyber Security Centre (NCSC). The cyberespionage actor was  outed this year  as conducting malicious operations as part of Iran's Ministry of Intelligence and Security (MOIS) targeting a wide range of government and private-sector organizations, including telecommunications, defense, local government, and oil and natural gas sectors, in Asia, Afric
Researchers Uncover New Iranian Hacking Campaign Targeting Turkish Users

Researchers Uncover New Iranian Hacking Campaign Targeting Turkish Users

Feb 01, 2022
Details have emerged about a previously undocumented malware campaign undertaken by the Iranian MuddyWater advanced persistent threat (APT) group targeting Turkish private organizations and governmental institutions. "This campaign utilizes malicious PDFs, XLS files and Windows executables to deploy malicious PowerShell-based downloaders acting as initial footholds into the target's enterprise," Cisco Talos researchers Asheer Malhotra and Vitor Ventura  said  in a newly published report. The  development  comes as the U.S. Cyber Command, earlier this month,  linked the APT  to the Iranian Ministry of Intelligence and Security (MOIS). The intrusions, which are believed to have been orchestrated as recently as November 2021, were directed against Turkish government entities, including the Scientific and Technological Research Council of Turkey ( TÜBİTAK ), using weaponized Excel documents and PDF files hosted on attacker-controlled or media-sharing websites. These mal
Cybersecurity Resources