The latest phishing campaign of MuddyWater, an Iran-aligned hacker group, deploys the Syncro remote administration tool and is causing all kinds of trouble. This text covers the phishing campaign, who MuddyWater is, the group's previous attacks, what has changed, Syncro's capabilities, how the attack campaign works, and how to protect against it.
There is a novel phishing campaign utilizing legitimate corporate accounts for phishing emails. MuddyWater, a hacking group associated with Iran’s MOIS (Ministry of Intelligence and Security), has been using compromised email accounts from genuine organizations for a large-scale phishing campaign that is paired with a remote administration tool.
The group has used similar tools in the past but has changed its tactics multiple times, and this is its most severe campaign so far. Here is everything you need to know about the MuddyWater phishing campaign and its RAT, Syncro.
Who is MuddyWater?
Also known as Boggy Serpens, Earth Vetala, Seedworm, and Cobalt Ulster, MuddyWater is a hacker group that primarily targets the Middle East and nearby countries such as India. The group has been active since 2017, and its operators are known for a slowly evolving PowerShell-based backdoor whose capabilities are extended incrementally from time to time. The group has also targeted the USA in the past, along with Central and West Asian countries.
MuddyWater’s Previous Attacks
MuddyWater has been conducting significant spear-phishing campaigns in the United Arab Emirates, Saudi Arabia, Israel, and Azerbaijan. These included:
Phishing Emails: As Earth Vetala, the group sent spear-phishing emails and lure documents. These documents and emails contained URLs (Uniform Resource Locators) that led victims to file-sharing services.
Malicious URLs: These malicious URLs pointed at legitimate file-sharing services from which the threat actors distributed their RAT (Remote Administration Tool), ScreenConnect.
MuddyWater RAT: MuddyWater's previous RAT, ScreenConnect, posed as a legitimate application that system administrators use to manage enterprise systems remotely. ScreenConnect offered data encoding, email parsing, file and registry copying, HTTP/S (Hypertext Transfer Protocol Secure) connection support, a native command line, and process and file execution capabilities.
However, researchers at Trend Micro identified multiple threat indicators and discovered that the threat actors were using post-exploitation tools for password dumping. These passwords were tunneled to a threat actor-controlled C2 (Command and Control) server using open-source tools, and additional infrastructure was established on targeted systems for persistent presence. The threat actors could extract credentials from the following.
Gather the currently logged-on user and OS version
MuddyWater’s Latest Phishing Campaign
The threat research team at Deep Instinct has been closely analyzing the group's latest phishing campaign, which has been targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates.
Phishing
The latest phishing activity was observed in October and is notable for the use of a new RAT named Syncro. Like the previous one, the latest MuddyWater phishing campaign uses compromised legitimate corporate accounts.
However, these phishing emails carry a new lure in the form of an HTML (HyperText Markup Language) attachment. The threat actors have been posing as Egyptian hosting service providers and organizations, Israeli healthcare organizations, and more.
Since the HTML attachment is neither an archive nor an executable, it does not raise the victim's suspicion; HTML is usually overlooked when preparing the workforce through phishing education and phishing awareness training.
Syncro
Syncro is a highly sophisticated RAT that allows MuddyWater’s threat actors to take control of the victim’s devices remotely. However, MuddyWater is not the only threat actor utilizing this tool. Syncro has been observed in Luna Moth and BatLoader campaigns as well.
Syncro is a platform packed with features aimed at helping MSPs (Managed Service Providers) run their businesses. Syncro provides MSPs with a device-management agent delivered as a customized MSI file tied to a customer ID, and it offers a 21-day trial that lets the user choose a subdomain.
The trial version comes with a GUI (Graphical User Interface), allowing the actor complete control over any device via RAT, a terminal with SYSTEM privileges, remote desktop access, task and service managers, and more. With Syncro, threat actors can deploy multiple backdoors, exfiltrate data, and hand off access to other threat actors, making it a significant threat.
How does MuddyWater's Phishing Campaign Work?
The phishing campaign works in three key steps, which are:
Targeted Emails: MuddyWater's latest phishing campaign follows in the footsteps of its previous one, with threat actors using social engineering and sending malicious phishing emails to targeted individuals.
Malicious Attachments: Once the victim has been approached, the threat actors send a phishing link to a legitimate document drop box, an HTML file that connects to a cloud server, or malicious attachments that lead the victim to OneHub.
ZIP Downloads: All of these cloud servers or document drop boxes host a malicious ZIP file containing an MSI Windows Installer package that deploys Syncro on the victim's machine.
How to Protect Against the MuddyWater Phishing Campaign?
Along with the analysis, Deep Instinct's researchers recommended that security teams, organizations, and individuals monitor their machines for remote desktop solutions that are uncommon in the enterprise, since these are abused more often than their common counterparts.
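One way to act on that recommendation is to sweep installer and process telemetry for remote-administration products and flag anything outside a site-specific allow list. The following is an added example, not code from the original article or from Deep Instinct; the log lines, hostnames, file paths and the allow list are constructed, and the product names other than Syncro and ScreenConnect are assumptions.

```python
"""Flag remote-administration tools that are not approved in this environment.

Added example, not code from the original article or from Deep Instinct: it scans
installer/process log lines for RMM products and reports any absent from a
site-specific allow list. Log lines, hostnames, paths and the allow list are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Products to look for. Syncro and ScreenConnect are the two named in the
# article; the others are common RMM tools added here as an assumption.
RMM_PRODUCTS = ("syncro", "screenconnect", "anydesk", "teamviewer", "atera")
# What this (hypothetical) enterprise has sanctioned. Anything else is a finding.
APPROVED_RMM: Set[str] = {"teamviewer"}

# Constructed records in the style of Windows MsiInstaller event 11707 and a
# Sysmon-like process-creation event. Not real telemetry.
SAMPLE_LOG = r"""
2022-10-12 09:14:03 host=FIN-WS-07 MsiInstaller 11707 Product: Syncro -- Installation completed successfully.
2022-10-12 09:14:09 host=FIN-WS-07 ProcessCreate Image=C:\Program Files\Syncro\Syncro.Service.exe User=NT AUTHORITY\SYSTEM
2022-10-12 10:02:44 host=HR-WS-02 MsiInstaller 11707 Product: TeamViewer -- Installation completed successfully.
2022-10-12 11:30:11 host=OPS-WS-15 ProcessCreate Image=C:\Windows\System32\notepad.exe User=OPS\jdoe
2022-10-12 12:45:59 host=FIN-WS-07 ProcessCreate Image=C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe User=NT AUTHORITY\SYSTEM
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) (?P<source>\S+) (?P<rest>.*)$")

@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    product: str
    evidence: str

def rmm_product(text: str) -> Optional[str]:
    """Return the RMM product named in a log fragment, or None if there is none."""
    lowered = text.lower()
    for product in RMM_PRODUCTS:
        if product in lowered:
            return product
    return None

def find_unapproved_rmm(log: str, approved: Set[str] = APPROVED_RMM) -> List[Finding]:
    """One Finding per log line that mentions an RMM product outside the allow list."""
    findings: List[Finding] = []
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # blank or malformed line
        product = rmm_product(match["rest"])
        if product and product not in approved:
            findings.append(Finding(match["ts"], match["host"], product, match["rest"]))
    return findings

def hosts_by_product(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Group affected hosts per unapproved product, the shape a triage ticket needs."""
    summary: Dict[str, Set[str]] = {}
    for finding in findings:
        summary.setdefault(finding.product, set()).add(finding.host)
    return summary

if __name__ == "__main__":
    for product, hosts in hosts_by_product(find_unapproved_rmm(SAMPLE_LOG)).items():
        print(f"unapproved RMM '{product}' seen on: {', '.join(sorted(hosts))}")
```

The approved TeamViewer install on HR-WS-02 is deliberately not reported, which is the point: the signal is an RMM tool the enterprise never sanctioned, not RMM activity as such.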
Additionally, it would be best to provide the best phishing training to the workforce and executives alike. Here are a few ways you can ensure that your clients and the organizations are safe from phishing emails and social engineering:
SSL Certificates: Using an SSL (Secure Sockets Layer) certificate lets organizations encrypt all incoming and outgoing traffic, so information in transit is protected from eavesdropping and cannot be harvested for social engineering.
Securely Hosted Payments: One of the best practices for 2023 and beyond is reducing the risk to customer financial information by using payment gateways that hold current PCI DSS and ISO 27001 certifications. Even if your customers receive phishing emails aimed at stealing their financial information, they remain protected.
Adequate Staff Education: Educating employees is critical, since they make or break any organization. Proper staff training, phishing awareness, practice simulations, and regular seminars on the latest phishing tactics reinforce the lesson in the workforce, making people better at identifying and steering clear of phishing emails.
Final Words
The latest MuddyWater phishing campaign is novel, and the targeted organizations need to learn from it for their phishing protection, not just against the ongoing threat but against future ones. With its mix of social engineering methods and malicious payload deployment, the latest MuddyWater phishing campaign will surely harm many more.
However, the first step in stopping any threat is knowing how it works and how it can damage you. With that covered, follow the guidelines above to strengthen the organization against phishing attacks, and invest in automated tools and technologies and in cyber insurance, so that you are prepared for the worst case; any organization faces a significant chance of a cyberattack, especially phishing.
The OpenAPI specification has grown popular in the past few years, especially for documenting and describing APIs. This is fueled by the many benefits the specification offers to organizations.
Notable benefits include the support the specification enjoys in different API management tools and the fact that organizations can easily generate specifications and documentation from the client side.
Instead of XML elements, OpenAPI requires developers to use JSON objects, with a schema governing content, order, and naming. The JSON file describes every part of the API in a standard format.
What is OpenAPI Specification?
Formerly known as the Swagger Specification, the OpenAPI specification is an API description format for REST APIs. With an OpenAPI file, organizations can describe their APIs. The description includes things such as:
All the available methods such as POST and GET, and endpoints such as URLs.
Apart from using the specification to document their APIs, organizations can also use it to generate client code and the required documentation. The good news is that most API management tools come with support for OpenAPI. This makes APIs easy not only to create but also to maintain.
Some main components you will find with the OpenAPI specification include security, responses, parameters, and paths. Each of these components holds arrays and properties as JSON objects.
You will get descriptions, contact, license, document version, and all the information you need about the APIs in the info field. The server field, on the other hand, describes all the endpoints used in the API.
An API can be defined as a computing interface that allows applications to communicate and share information. As APIs have grown in popularity, their security has become one of the biggest concerns for organizations. Cybercriminals target organizations through APIs to try to steal the information and data those APIs access.
Here are a few important security facts you need to know about the OpenAPI specification:
Where Security is Defined in OpenAPI Specification
You can define security in three different places in the OpenAPI specification. These are:
Under #/security
This is the default place where security is defined in the OpenAPI specification. Each entry here must reference a named security scheme declared under #/components/securitySchemes.
If you do not define security under #/security, or it is an empty object, then your API is not secured by default. This is common with small APIs that have only a few endpoints open to most users; such APIs instead define security on specific operations.
Under #/components/securitySchemes
This is the default place for defining the security options available to your API. Smaller APIs normally have a single option. You can choose any key name you want; that name is used wherever the scheme is referenced elsewhere in the specification.
The type field, however, is required. It takes one of apiKey, http, oauth2, or the newer openIdConnect and mutualTLS. All other fields depend on the type used.
Under Certain Operations
Finally, you can set OpenAPI security on individual operations. Again, you reference a scheme of type apiKey, http, oauth2, or the newer openIdConnect and mutualTLS, but the security requirement is attached to a particular operation under a particular path.
If an operation has no security of its own, the top-level security defined under #/security applies to it. This matters for APIs whose operations need different security parameters.
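The three places interact as an inheritance rule: an operation's own security list wins, otherwise #/security applies, and every scheme name used must exist under #/components/securitySchemes. The following is an added example, not code from the original article, that resolves the effective requirement per operation for a constructed OpenAPI 3.x document and reports operations that end up open or that reference an undeclared scheme.

```python
"""Audit where security is (and is not) defined in an OpenAPI 3.x document.

Added example, not code from the original article: it resolves the effective
security requirement of every operation from the three places described above
(#/security, #/components/securitySchemes, per-operation security) and reports
operations that end up unauthenticated or reference undeclared schemes.
The document below is constructed for illustration.
"""
from typing import Dict, List

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed spec: a top-level default, one operation that opts out with an
# empty requirement list, and one that names a scheme that was never declared.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Constructed example API", "version": "1.0"},
    "components": {
        "securitySchemes": {
            "bearerAuth": {"type": "http", "scheme": "bearer"},
            "apiKeyHeader": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        }
    },
    "security": [{"bearerAuth": []}],  # default for every operation without its own
    "paths": {
        "/health": {"get": {"security": []}},  # explicit override: no authentication
        "/orders": {
            "get": {},  # no 'security' key: inherits #/security
            "post": {"security": [{"apiKeyHeader": []}]},
        },
        "/admin/users": {"delete": {"security": [{"adminOAuth": ["users:write"]}]}},
    },
}

def effective_security(spec: dict, operation: dict) -> List[dict]:
    """A per-operation 'security' list overrides the top-level one; absence inherits it."""
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])

def audit_security(spec: dict) -> Dict[str, List[str]]:
    """Return problems keyed by 'METHOD /path'; an empty dict means nothing was flagged."""
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    findings: Dict[str, List[str]] = {}
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level fields such as 'parameters' or 'summary'
            key = f"{method.upper()} {path}"
            problems: List[str] = []
            requirements = effective_security(spec, operation)
            if not requirements:
                problems.append("no security requirement: operation is open to anonymous callers")
            for requirement in requirements:
                for scheme in requirement:
                    if scheme not in declared:
                        problems.append(f"references undefined security scheme '{scheme}'")
            if problems:
                findings[key] = problems
    return findings

if __name__ == "__main__":
    for key, problems in audit_security(SAMPLE_SPEC).items():
        print(key, "->", "; ".join(problems))
```

Running the audit with #/security emptied shows the inheritance rule from the other side: GET /orders, which was safe only because it inherited bearerAuth, is then reported as open.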
OpenAPI 3.0 Security Features
OpenAPI 3.0 has a dedicated part of the document, the security schemes, where all security definitions are declared. The OpenAPI specification standardizes how every part of the document is declared.
This ensures that anything declared in the security schemes can be reused across different paths without problems. In OpenAPI 2.0, shared components were left to the discretion of developers; in OpenAPI 3.0 they all live under the components key.
In addition, OpenAPI 3.0 supports OpenID Connect, and organizations can include different OAuth2 flows in their security definitions. This is one of the most widely used features today.
OpenAPI 2.0 Security Features
The OpenAPI 2.0 specification has a section dedicated to declaring all the security requirements and features used in your API. These security definitions can be applied anywhere in the API's operations and paths.
It also supports a security definition type known as basic, the older plain HTTP Basic form of authentication.
Unfortunately, OpenAPI 2.0 offers no other built-in security features, and you cannot define custom security definitions without using vendor extensions.
Even though this is enough for most API security requirements, it may not fit some special cases. Understanding the security features in both OpenAPI 2.0 and 3.0 is vital to making sure that your APIs are secure.