Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms (Dec 10, 2018)
Researchers from Symantec have found that the Advanced Persistent Threat (APT) group "Seedworm" (also known as "MuddyWater") has been actively targeting organisations in the Middle East and Asia with a new version of its custom backdoor "Powermud". The group is believed to be an Iranian cyber espionage group that obtains information through backdoors and custom password-stealing tools, among other means. The Powermud backdoor was observed on machines in Afghanistan, Armenia, Egypt, Jordan, Pakistan, Russia, Saudi Arabia, and Turkey, among several other countries, with the highest infection rates in Pakistan and Turkey. Once inside a network, the group runs a password-stealing tool to harvest passwords saved in users' web browsers and email clients. It then uses open-source tools such as "LaZagne" and "Crackmapexec" to obtain Windows authorisation credentials, achieving persistence and privilege escalation in the infected network.
Recommendation: Defence-in-depth (layering security mechanisms, building in redundancy, and designing fail-safe defence processes) is the best way to protect against APTs, with attention to both network- and host-based security. Prevention and detection capabilities should both be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
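The post-compromise tooling named in the story (LaZagne and CrackMapExec) leaves a visible trace in process-creation telemetry, which is the kind of host-based detection capability the recommendation asks for. The following is an added example, not code from Symantec or from the briefing, of a minimal detector over Sysmon-style process-creation events: it flags any event whose image name or command line references either tool, and raises the severity when the parent process is an interactive or scripting shell. The event format, hostnames, user names, paths and the `SHELL_PARENTS` list are constructed assumptions for illustration; the tool-name patterns are a baseline only, since renamed or compiled copies of these tools will not match on name.

```python
"""Name-based detection of credential-harvesting tools in process-creation logs.

Added example (not from the original story). Events are simplified
key=value lines in the spirit of Sysmon Event ID 1; all sample data is
constructed for this illustration.
"""

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample events: one process-creation event per line.
SAMPLE_EVENTS = """\
EventID=1 Host=WS-PK-014 User=corp\\jdoe Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="notepad.exe report.txt"
EventID=1 Host=WS-PK-014 User=corp\\jdoe Image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\lazagne.exe ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine="lazagne.exe browsers"
EventID=1 Host=WS-TR-002 User=corp\\svc-backup Image=C:\\Python37\\python.exe ParentImage=C:\\Windows\\explorer.exe CommandLine="python.exe crackmapexec.py smb <targets>"
EventID=1 Host=WS-TR-002 User=corp\\svc-backup Image=C:\\Windows\\System32\\whoami.exe ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine="whoami.exe"
"""

# key=value tokens; a double-quoted value may contain spaces.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Tool names taken from the story, matched case-insensitively against the
# image file name and the full command line. Extend for your environment.
CREDENTIAL_TOOL_PATTERNS = {
    "LaZagne": re.compile(r"lazagne", re.I),
    "CrackMapExec": re.compile(r"crackmapexec", re.I),
}

# Assumed list of shells/script hosts that commonly launch post-compromise
# tooling; a match here raises the alert severity.
SHELL_PARENTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")


@dataclass
class Alert:
    host: str
    user: str
    tool: str
    severity: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a dict, stripping value quotes."""
    fields: Dict[str, str] = {}
    for key, raw in TOKEN_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the process-creation event references a known tool."""
    if event.get("EventID") != "1":
        return None
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    for tool, pattern in CREDENTIAL_TOOL_PATTERNS.items():
        if pattern.search(image) or pattern.search(cmdline):
            severity = "high" if parent in SHELL_PARENTS else "medium"
            return Alert(
                host=event.get("Host", "?"),
                user=event.get("User", "?"),
                tool=tool,
                severity=severity,
                reason=f"{tool} indicator in process creation (parent: {parent})",
            )
    return None


def scan(log_text: str) -> List[Alert]:
    """Run evaluate() over every non-empty line and collect the alerts."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if line.strip():
            alert = evaluate(parse_event(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} {a.user}: {a.reason}")
```

Run against the constructed sample, the detector ignores the benign notepad and whoami events, raises a high-severity alert for LaZagne launched from PowerShell, and a medium-severity one for a CrackMapExec invocation whose parent is not a shell. In production, name matching of this kind belongs alongside behavioural signals (for example, unusual access to browser credential stores or SMB authentication fan-out from a workstation), which this example does not attempt.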
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.