The group — which has targeted Israel, Saudi Arabia, and other nations — often uses spear-phishing and legitimate remote management tools but is developing a brand-new homegrown tool set.

Source: Muhammad Toqeer via Shutterstock

Iranian cyber-espionage group MuddyWater is pivoting from controlling infected systems with legitimate remote-management software to instead dropping a custom-made backdoor implant.

As recently as April, the group infected systems by targeting Internet-exposed servers or through spear phishing, ending with the installation of the SimpleHelp or Atera remote management platforms, security-operations provider Sekoia said in an advisory. Yet, in June, the group switched to a different attack chain: sending out a malicious PDF file with an embedded link leading to a file on stored on the Egnyte service, which installs the new backdoor, dubbed MuddyRot by Sekoia.

Check Point Software noted the shift to the new tool as well. MuddyWater has been using the backdoor implant, which the firm calls BugSleep, since May, and has quickly been improving it with new features and bug fixes, says Sergey Shykevich, threat intelligence group manager at Check Point Software.

Often, they also introduce new bugs into the malware, however. "They likely realized that their tactic of utilizing remote management tools as a backdoor was not effective enough and decided to swiftly transition to homemade malware," Shykevich says. "Probably due to pressure for a rapid change, they released an incomplete version."

Iran has become a significant cyber-threat actor in the Middle East. Since at least 2018, the MuddyWater threat group has targeted a variety of government agencies and critical industries with malicious attacks, stated a 2022 advisory published jointly by US and UK government agencies. The MuddyWater group is part of the Iranian Ministry of Intelligence and Security (MOIS), with other cybersecurity firms referring to the group as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, according to the joint advisory.

**An Attack Tool Under Construction**

The BugSleep backdoor uses typical anti-analysis tactics, such as delaying execution — that is, going to "sleep" — to avoid being detected or running in a sandbox. The backdoor also employs encryption, but in many instances the encryption was not properly executed.

The encryption issues are not the only bugs in the code. In other samples, the program creates a file — "a.txt" — and then later deletes it, apparently for no reason. These issues, plus the frequent updates, suggests the code is still under development, stated Check Point Software's advisory.

MuddyWater previously had created its own backdoor programs, such as one called Powerstats, written in PowerShell, but later shifted to using remote management (RMM) software, Sekoia's advisory noted.

"We don’t yet know why MuddyWater operators have reverted to using a homemade implant for their first infection stage in at least one campaign," the advisory stated. "It is likely that the increased monitoring of RMM tools by security vendors, following their rise in abuse by malicious threat actors, has influenced this change."

The use of a file sharing service such as Egnyte to host malicious documents has become more popular among attackers. The trial period is often sufficient enough time to give the attackers a platform to use during an attack, Check Point Software's Shykevich says.

"Numerous file-sharing platforms are utilized by attackers within their infection chains," he says. "In theory, emulating and scanning the uploaded files can reduce the malicious use, but it is quite complicated from operational and cost perspectives for the file-sharing services operators."

**"Umbrella of APTs" in the Middle East**

The lures used in the group's phishing campaigns have become simpler — focusing on "generic themes such as webinars and online course," which allows them to send out a higher volume of attacks, Check Point Software's advisory stated.

"Their sophistication level is medium, but they are a highly persistent and aggressive group from the standpoint of phishing campaigns and targeting of specific sectors or organizations," Shykevich says. "They send hundreds of malicious emails to multiple recipients in the same organization or the same sector, also doing it across different days."

MuddyWater may not be a single group, however. In 2022, Cisco's threat intelligence group, Talos, described them as an "umbrella of APT groups." The US Cybersecurity and Infrastructure Security Agency (CISA) describes the group as "a group of Iranian government-sponsored advanced persistent threat (APT) actors," in its advisory.

The group employs "spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks," CISA stated, adding, "MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors."

While the group focuses on attacking organizations in Israel and Saudi Arabia, they have also hit other nations, including India, Jordan, Portugal, Turkey, and even Azerjaiban, the advisories said.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Iranian Cyber-Threat Group Drops New Backdoor, 'BugSleep'

A Server-Side Template Injection (SSTI) vulnerability in the edit theme function of openCart project v4.0.2.3 allows attackers to execute arbitrary code via injecting a crafted payload.

**openCart Server-Side Template Injection (SSTI) vulnerability**

High severity GitHub Reviewed Published Jul 17, 2024 to the GitHub Advisory Database • Updated Jul 17, 2024

GHSA-xrh7-2gfq-4rcq: openCart Server-Side Template Injection (SSTI) vulnerability

In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.

**Roundup Cross-site Scripting Vulnerability**

Moderate severity GitHub Reviewed Published Jul 17, 2024 to the GitHub Advisory Database • Updated Jul 17, 2024

GHSA-w8vc-cwv9-wx67: Roundup Cross-site Scripting Vulnerability

Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.

GHSA-x37x-qf4v-f54f: Roundup Cross-site Scripting Vulnerability

Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header.

GHSA-xjgw-ghrx-wfff: Roundup Cross-site Scripting Vulnerability

The tactic is not new, but there has been a steady increase in its use as of this spring.

Source: Chim via Shutterstock

Secure email gateways (SEG) do a lot to protect organizations from malware, spam, and phishing email. For some threat actors though, they also offer an attractive option for sneaking malicious mail past other SEGs.

Security researchers from Cofense this week reported observing a recent surge in attacks, where threat actors have used SEGs to encode or to rewrite malicious URLs embedded in their emails to potential victims. In many cases, when the emails arrived at their destination, SEGs allowed the malicious URLs to go through without properly vetting the link.

**The SEG Versus SEG Threat**

The reason, says Max Gannon, threat intelligence manager at Cofense, is that some secure email gateway products appear not to be handling SEG-encoded URLs properly and assume them to be always safe, when in reality they are not.

"We do not have access to the internals of SEGs, so I can't say for certain," Gannon says. "But they likely either implicitly trust the URLs or they attempt to scan them, but the domain of the SEG that encodes the URL is trusted, so the \[receiving\] SEG assumes the URL itself is legitimate."

In SEG encoding, a secure email gateway product essentially rewrites every URL in an outgoing email into a link that points to its own infrastructure. When a recipient clicks on the encoded link, the user is first directed to the sender's SEG system, which checks if the URL is safe before redirecting the user to the intended destination. The checks usually involve assessing the URL using reputation, blacklists, signatures, and other mechanisms, which means sometimes it might take an SEG days and even weeks before it designates a URL as malicious.

In these situations, problems can arise if the recipient's secure email gateway technology does not recognize an already encoded URL as needing scanning, or if the recipient's SEG scans the URL, but only sees the sending email gateway's domain and not the final destination.

"Oftentimes when SEGs detect URLs in emails that are already SEG-encoded they do not scan the URLs, or the scanning shows only the security tool's scanning page and not the actual destination," Cofense wrote in its report this week. "As a result, when an email already has SEG-encoded URLs, the recipient's SEG often allows the email through without properly checking the embedded URLs."

**A Substantial Increase**

Attackers have abused SEG encoding previously to sneak malicious emails into target environments. But there has been a substantial increase in use of the tactic in the second quarter of this year, May in particular. Cofense said.

According to the security vendor, the four email security gateways that threat actors have abused the most to encode URLs and sneak them past email defense mechanisms are VIPRE Email Security, Bitdefender LinkScan, Hornet Security Advanced Threat Protection URL Rewriting, and Barracuda Email Gateway Defense Link Protection.

Cofense said its researchers had observed attackers using these SEGs to encode malicious URLs in variously themed campaigns targeted at users protected by SEGs from a variety of vendors.

Gannon says some SEG encodings would require the threat actor to run their URL through the SEG. "Other encodings like Barracuda Link Protect would let you simply prepend their URL to the malicious URL you are trying to bypass with," he says. "For example, to use Barracuda Link Protect to bypass SEGs with the URL hxxp\[:\]//badplace\[.\]com/, I would simply add the Barracuda Link Protect URL and make it: hxxps://linkprotect\[.\]cudasvc\[.\]com/url?a=hxxp\[:\]//badplace\[.\]com/."

Gannon says one reason why threat actors likely aren't using the tactic on a much broader scale is because it involves additional work. "The biggest thing it comes down to is effort," he says. If a threat actor can take an hour to encode all the URLs in a campaign and reach 500 more inboxes, they could take the same hour and just find an additional 1,000 email addresses to send the campaign to."

Protecting against the tactic can be relatively difficult, as most SEGs don't have tuning methods for ignoring other SEG encodings, Gannon says. Therefore, the best way to combat the tactic remains user awareness and training. "A vigilant and informed employee is not going to click a link in a suspect email, even if the URL is encoded by a SEG."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Threat Actors Ramp Up Use of Encoded URLs to Bypass Secure Email

PRESS RELEASE

CHICAGO, July 16, 2024 /PRNewswire/ -- Research from MxD (Manufacturing x Digital), the digital manufacturing institute and the National Center for Cybersecurity in Manufacturing supported by the Department of Defense, has revealed an urgent need for the U.S. manufacturing sector to strengthen its cybersecurity posture.

The report, titled Behind the Firewall, establishes the sector's cybersecurity preparedness and finds that manufacturers are overestimating their capabilities.  

Securing U.S. manufacturing has emerged as an economic and national security priority as the manufacturing sector remains the most targeted sector worldwide for cyber-attacks. Faced with unique challenges in securing business operations against geopolitical threats, the report shares insights and strategies for manufacturers to enhance their cyber resilience.

The survey found:

*   76% of manufacturers are confident their organization can prevent cyber risks and respond to cyber-attacks
    
*   Only 34% of manufacturers have comprehensive system security plans (SSPs) in place - a fundamental cybersecurity requirement and often required for compliance
    
*   Just 43% of all manufacturers have a dedicated cybersecurity leader, such as a Chief Information Security Officer (CISO) or Director of Cybersecurity
    
    *   The disparity is stark when compared by size: 88% of large manufacturers (500+ employees) have such leaders, compared to 35% of small- and medium-sized manufacturers (fewer than 500 employees)
        
    
*   Encouragingly, 82% of manufacturers are planning to raise cybersecurity spending in the upcoming budget cycle
    

"The supply chains which support U.S. manufacturing are only as strong as their weakest link. We must strengthen at every level to ensure a resilient domestic manufacturing capability, including within the defense industrial base," said MxD CEO Berardino Baratta. "We see a sense of overconfidence in our research results, which is concerning given that everyone is at risk, from the largest multinational to small- and medium-sized manufacturers who often lack the proper resources to protect themselves from cyber-attacks."

"Manufacturing sector cyber-attacks are no longer rare, one-off events," said MxD Director of Cybersecurity Michael Tanji. "The rise in incidents shows repeated and concerted efforts to steal IP or other company data, resulting in production shutdowns, logistical delays, and more. Our manufacturing sector must stay ahead of these growing threats – and we can only do that by updating and upgrading cyber capabilities across the industry."

This survey identifies key areas where manufacturers can benefit from additional resources to strengthen their cybersecurity infrastructure. Research results were segmented by vertical sector and manufacturer size, which allows for a deeper understanding of needs and insights at all levels of the manufacturing sector. In turn, this enables MxD to develop tools, like cyber playbooks and training guides, which more effectively address sector needs. 

This report launches as MxD reaches its 10-year anniversary and underscores the imperative for strengthening U.S. manufacturing competitiveness and resiliency. As a public-private partnership, MxD convenes and collaborates with manufacturers to prepare and protect domestic supply chains against cybersecurity threats.

About MxD  
MxD (Manufacturing x Digital) advances economic prosperity and national security by strengthening U.S. manufacturing competitiveness through technology innovation, workforce development, and cybersecurity preparedness. In partnership with the Department of Defense, we convene an ecosystem to solve critical manufacturing challenges by accelerating digital adoption, empowering a skilled workforce, and modernizing supply chains. MxD is also the National Center for Cybersecurity in Manufacturing as designated by DoD. Visit mxdusa.org to learn more.

You May Also Like

MxD Research Reveals Major Disconnect Between Perceived and Actual Cybersecurity Capabilities in US Manufacturing

North Korean espionage campaign delivers updated BeaverTail info stealer by spoofing legitimate video calling service, researcher finds.

Source: Mykhailo Polenok via Alamy

Well known for targeting victims with fake job postings, North Korea state-sponsored hackers have been discovered using a new variant of their BeaverTail malware to trick macOS users into downloading a malicious version of Microtalk, a video-calling service.

Details about the latest campaign were published by cybersecurity researcher Patrick Wardle, who explained in his writeup that the threat actors likely lured their victims into downloading the updated BeaverTail-infected version of Microtalk by asking them to join a job interview.

"Yes, even the cloned site states that you can 'start your next video call with a single click. No download … is required,' but I guess, who reads the fine print?" Wardle wrote.

In addition to stealing data from the victim's device, BeaverTail also executes additional payloads, including InvisibleFerret, the report added.

"The North Korean hackers are a wily bunch and are quite adept at hacking macOS targets, even though their technique\[s\] often rely on social engineering (and thus from a technical point of view are rather unimpressive)," Wardle said.

**About the Author(s)**

DPRK Hackers Tweak Malware to Lure MacOS Users into Video Calls

Red Hat Security Advisory 2024-4579-03 - An update for git is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4579.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: git security updateAdvisory ID:        RHSA-2024:4579-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4579Issue date:         2024-07-16Revision:           03CVE Names:          CVE-2024-32002====================================================================Summary: An update for git is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.Security Fix(es):* git: Recursive clones RCE (CVE-2024-32002)* git: RCE while cloning local repos (CVE-2024-32004)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32002References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2280421https://bugzilla.redhat.com/show_bug.cgi?id=2280428

Red Hat Security Advisory 2024-4579-03

Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers.
The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name,

Cybersecurity researchers have discovered an updated variant of a known stealer malware that attackers affiliated with the Democratic People's Republic of Korea (DPRK) have delivered as part of prior cyber espionage campaigns targeting job seekers.

The artifact in question is an Apple macOS disk image (DMG) file named "MiroTalk.dmg" that mimics the legitimate video call service of the same name, but, in reality, serves as a conduit to deliver a native version of BeaverTail, security researcher Patrick Wardle said.

BeaverTail refers to a JavaScript stealer malware that was first documented by Palo Alto Networks Unit 42 in November 2023 as part of a campaign dubbed Contagious Interview that aims to infect software developers with malware through a supposed job interview process. Securonix is tracking the same activity under the moniker DEV#POPPER.

Besides siphoning sensitive information from web browsers and crypto wallets, the malware is capable of delivering additional payloads like InvisibleFerret, a Python backdoor that's responsible for downloading AnyDesk for persistent remote access.

While BeaverTail has been distributed via bogus npm packages hosted on GitHub and the npm package registry, the latest findings mark a shift in the distribution vector.

"If I had to guess, the DPRK hackers likely approached their potential victims, requesting that they join a hiring meeting, by downloading and executing the (infected version of) MiroTalk hosted on mirotalk\[.\]net," Wardle said.

An analysis of the unsigned DMG file reveals that it facilitates the theft of data from web browsers like Google Chrome, Brave, and Opera, cryptocurrency wallets, and iCloud Keychain. Furthermore, it's designed to download and execute additional Python scripts from a remote server (i.e., InvisibleFerret).

"The North Korean hackers are a wily bunch and are quite adept at hacking macOS targets, even though their technique often rely on social engineering (and thus from a technical point of view are rather unimpressive)," Wardle said.

The disclosure comes as Phylum uncovered a new malicious npm package named call-blockflow that's virtually identical to the legitimate call-bind but incorporates complex functionality to download a remote binary file while taking painstaking efforts to fly under the radar.

"In this attack, while the call-bind package has not been compromised, the weaponized call-blockflow package copies all the trust and legitimacy of the original to bolster the attack's success," it said in a statement shared with The Hacker News.

The package, suspected to be the work of the North Korea-linked Lazarus Group and unpublished about an hour and a half later after it was uploaded to npm, attracted a total of 18 downloads. Evidence suggests that the activity, comprising over three dozen malicious packages, has been underway in waves since September 2023.

"These packages, once installed, would download a remote file, decrypt it, execute an exported function from it, and then meticulously cover their tracks by deleting and renaming files," the software supply chain security company said. "This left the package directory in a seemingly benign state after installation."

It also follows an advisory from JPCERT/CC, warning of cyber attacks orchestrated by the North Korean Kimsuky actor targeting Japanese organizations.

The infection process starts with phishing messages impersonating security and diplomatic organizations, and contain a malicious executable that, upon opening, leads to the download of a Visual Basic Script (VBS), which, in turn, retrieves a PowerShell script to harvest user account, system and network information as well as enumerate files and processes.

The collected information is then exfiltrated to a command-and-control (C2) server, which responds back with a second VBS file that's then executed to fetch and run a PowerShell-based keylogger named InfoKey.

"Although there have been few reports of attack activities by Kimsuky targeting organizations in Japan, there is a possibility that Japan is also being actively targeted," JPCERT/CC said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git