A recent report from ESET showed that MuddyWater, a cyberespionage group linked to Iran’s Ministry of Intelligence and Security, has begun a new campaign that targets managed service providers (MSPs) and their customers. The group has been active since at least 2017 and primarily targets victims in the Middle East, Asia, Africa, Europe, and North America. Their focus is on telecommunications companies, governmental organizations, and the oil and gas and energy verticals.
In October 2022, SimpleHelp, a legitimate remote access tool (RAT) and remote support software used by MSPs, was abused to compromise four victims, three in Egypt and one in Saudi Arabia. This development highlights the importance of visibility for MSPs, who deploy hundreds or even thousands of different software types. They have no choice but to employ automation and ensure that their security operations center (SOC) teams, customer-facing security admins, and detection and response processes are mature and constantly improving.
When SimpleHelp was present on a victim’s disk, MuddyWater operators deployed Ligolo, a reverse tunnel, to connect the victim’s system to their Command and Control (C&C) servers. ESET discovered these findings and reached out to the MSP to find out how MuddyWater came into possession of the MSP’s tooling or entered the MSP’s environment.
While this campaign continues, MuddyWater’s use of SimpleHelp has successfully obfuscated the MuddyWater C&C servers thus far, as the commands to initiate Ligolo from SimpleHelp have not been captured. MuddyWater operators are also pushing MiniDump (an lsass.exe dumper), CredNinja, and a new version of the group’s password dumper MKL64.
ESET has also tracked other techniques connected to the group, such as steganography, which obfuscates data in digital media such as images, audio tracks, video clips, or text files. A 2018 report from ClearSky Cyber Security, MuddyWater Operations in Lebanon and Oman, also documents this usage, sharing hashes for malware hidden in several fake resumes – MyCV.doc. ESET detects the obfuscated malware as VBA/TrojanDownloader.Agent.
MSPs require trusted network connectivity and privileged access to customer systems to provide services, which means they accumulate risk and responsibility for large numbers of clients. Clients can also inherit risks from their chosen MSP’s activity and environment. This has shown that extended detection and response (XDR) is a critical tool in supplying visibility into both their own environments and customer endpoints, devices, and networks to ensure that emerging threats, risky employee behavior, and unwanted applications do not put their profits or reputation at risk.
The mature operation of XDR tools by MSPs also communicates their active role in providing a specific layer of security for the privileged access granted to them by clients. When mature MSPs manage XDR, they are in a much better position to counter a diversity of threats, including APT groups that might seek to leverage their clients’ position in both physical and digital supply chains. As defenders, SOC teams and MSP admins carry a double burden, maintaining internal visibility and visibility into clients’ networks. Clients should be concerned about the security stance of their MSPs and understand the threats they face, lest a compromise of their provider leads to a compromise of themselves.
In conclusion, MSPs and their customers are facing growing threats of cyberespionage from groups like MuddyWater, and it is therefore crucial that MSPs maintain visibility over their networks and client endpoints to ensure their security. The use of XDR tools can provide the necessary visibility, allowing MSPs to mitigate the risks of data breaches and other cyber threats. By recognizing the importance of cybersecurity and taking proactive steps to protect their networks, MSPs can provide more secure and reliable services to their clients.