MuddyWater APT Abuses MSP Tools to Target Global Victims
Iran-aligned cyberespionage group MuddyWater has launched a new campaign targeting victims worldwide, with a focus on telecommunications, government organizations, and the oil, gas and energy sectors. ESET telemetry from Q4 2022 shows the group compromising four victims (three in Egypt and one in Saudi Arabia) by abusing SimpleHelp, a legitimate remote support tool used by managed service providers (MSPs). No vulnerability in SimpleHelp is involved: the operators use the tool for the remote access it is designed to provide.
On systems where SimpleHelp was already present on disk, MuddyWater operators deployed Ligolo, a reverse tunneling tool, to connect the victims' machines back to their command and control (C&C) servers. Alongside it the group used MiniDump and CredNinja for credential theft, plus a new version of its own password dumper, MKL64. In late October 2022 ESET also observed a custom reverse tunneling tool deployed on the Saudi Arabian victim, although its purpose remains unclear.
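The behaviour described above (a remote support agent on disk, a tunneling binary phoning out, and credential dumpers reading LSASS) is what a defender can look for in endpoint telemetry. The following hunting script is an added example and is not code from ESET or from the original page. It runs over a handful of constructed Sysmon-style events (process creation, network connection, process access); the agent path, the "simplehelp" path marker, the LSASS allowlist, the IP address and the port are all placeholders chosen for the example and must be tuned to the binaries and agents actually deployed in a given fleet.

```python
"""Hunt for remote-support-tool abuse in Sysmon-style JSON events.

Added example: the events below are constructed, not real telemetry, and
the paths, markers and allowlists are assumptions for illustration only.
"""
import json
import re

# Constructed sample telemetry (JSON lines). Event IDs follow Sysmon's
# numbering: 1 = process create, 3 = network connect, 10 = process access.
SAMPLE_EVENTS = r"""
{"host": "srv01", "event_id": 1, "image": "C:\\Program Files\\SimpleHelp\\remote_support.exe", "parent_image": "C:\\Windows\\System32\\services.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"host": "srv01", "event_id": 1, "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Program Files\\SimpleHelp\\remote_support.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"host": "srv01", "event_id": 1, "image": "C:\\Users\\Public\\agent.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"host": "srv01", "event_id": 3, "image": "C:\\Users\\Public\\agent.exe", "dest_ip": "203.0.113.10", "dest_port": 11601}
{"host": "srv01", "event_id": 10, "source_image": "C:\\Users\\Public\\dump.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1FFFFF"}
{"host": "ws07", "event_id": 1, "image": "C:\\Program Files\\SimpleHelp\\remote_support.exe", "parent_image": "C:\\Windows\\System32\\services.exe", "user": "NT AUTHORITY\\SYSTEM"}
{"host": "ws07", "event_id": 3, "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest_ip": "198.51.100.5", "dest_port": 443}
{"host": "ws07", "event_id": 10, "source_image": "C:\\Windows\\System32\\csrss.exe", "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1000"}
"""

# Assumed: substrings identifying remote support agents in your fleet.
REMOTE_SUPPORT_MARKERS = ("simplehelp",)
# Interpreters a support agent has no business spawning in normal use.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
# Directories a non-admin user (or a dropper) can write to.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)
# Assumed allowlist of images that legitimately open LSASS; add your EDR agent.
LSASS_ALLOWED = {"csrss.exe", "wininit.exe", "lsass.exe", "msmpeng.exe"}


def basename(path):
    """Return the lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_remote_support(path):
    """True if the image path looks like one of the remote support agents."""
    lowered = path.lower()
    return any(marker in lowered for marker in REMOTE_SUPPORT_MARKERS)


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Return (host, rule, detail) tuples for suspicious activity.

    Rules:
      * a remote support agent spawning a shell or script host;
      * an outbound connection from a user-writable path on a host that
        also runs a remote support agent (tunnel dropped via the agent);
      * LSASS opened by an image outside the allowlist (credential dumping).
    """
    hosts_with_agent = {
        e["host"] for e in events
        if e["event_id"] == 1 and is_remote_support(e["image"])
    }
    alerts = []
    for e in events:
        eid = e["event_id"]
        if eid == 1 and is_remote_support(e.get("parent_image", "")) \
                and basename(e["image"]) in SHELLS:
            alerts.append((e["host"], "remote_support_spawned_shell", e["image"]))
        elif eid == 3 and e["host"] in hosts_with_agent \
                and USER_WRITABLE.search(e["image"]):
            detail = f'{e["image"]} -> {e["dest_ip"]}:{e["dest_port"]}'
            alerts.append((e["host"], "outbound_from_user_writable_path_with_agent", detail))
        elif eid == 10 and basename(e["target_image"]) == "lsass.exe" \
                and basename(e["source_image"]) not in LSASS_ALLOWED:
            alerts.append((e["host"], "lsass_access_from_unexpected_image", e["source_image"]))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"{host}\t{rule}\t{detail}")
```

On the constructed data the script raises three alerts, all on srv01: the agent spawning cmd.exe, agent.exe beaconing out from a user-writable directory, and dump.exe opening LSASS. ws07 runs the same support agent but produces no alert, which is the point of correlating on behaviour rather than on the mere presence of the tool: the agent itself is legitimate, so its existence is not the signal.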
The group is also known to use steganography to hide data inside digital media files and to deliver VBA macros in malicious Microsoft Office documents. These documents typically arrive as email attachments disguised as information relevant to the recipient.
MSPs face a particular challenge: delivering their services requires trusted network connectivity and privileged access to customer systems, so a single provider accumulates the risk and responsibility of a large number of clients. MSP administrators operate the very tools and connections that an attacker can turn into a path into the networks they oversee, while the SOC teams on either side may or may not have EDR/XDR tooling configured well enough to recognize that abuse.
Extended Detection and Response (XDR) tools have become essential in providing visibility into MSP environments and customer endpoints, devices, and networks. Mature MSPs that manage XDR effectively are better positioned to counter diverse threats, including APT groups targeting clients’ positions in physical and digital supply chains.
As defenders, SOC teams and MSP admins are responsible for maintaining visibility into both internal and client networks. Clients should care about their MSP's security posture and understand the threats it faces, since a compromise of the provider can lead directly to a compromise of their own systems.
In summary, MuddyWater has turned its attention to MSPs, abusing legitimate remote support tools and combining them with tunneling and credential-dumping tooling to compromise its targets. Visibility into MSP environments is critical, and well-operated XDR tooling can significantly strengthen defenses. Clients must understand the risks that come with their MSPs and ensure those providers adopt strong security practices to keep the threat to a minimum.