Saturday, October 12, 2024

MERCURY – A Destructive Operation From Iranian Hackers Wipe Cloud Environments


MERCURY, an Iranian nation-state group, has recently been detected by Microsoft’s Threat Intelligence team operating under the guise of a ransomware attack in hybrid environments.

Since 2017, MERCURY has been conducting espionage campaigns against targets in the Middle East, and this state-sponsored group is financially motivated.

In their current ongoing operation, they are actively targeting both on-premises and cloud environments. Given the unrecoverable nature of the actions taken, the operation's primary objectives were destruction and disruption.


The U.S. government has publicly connected MuddyWater (aka MERCURY) to Iran's Ministry of Intelligence and Security (MOIS).

Other Names of MERCURY

The cybersecurity community has tracked this group under several names, listed below:

  • Boggy Serpens
  • Cobalt Ulster
  • Earth Vetala
  • ITG17
  • MuddyWater
  • Seedworm
  • Static Kitten
  • TEMP.Zagros
  • Yellow Nix

Microsoft found that MERCURY partnered with DEV-1084, a known cyber-espionage group, to execute lethal attacks. DEV-1084 acted after MERCURY gained access to the target environment.

Links Between DEV-1084 and MERCURY

The key links between DEV-1084 and MERCURY are:

  • DEV-1084 was observed sending threatening emails from an IP address (146.70.106[.]89) linked to MERCURY.
  • DEV-1084 used the same VPN provider (MULLVAD VPN), historically used by MERCURY.
  • DEV-1084 used Rport and a customized version of Ligolo, the tools that MERCURY also used in previous attacks.
  • The vatacloud[.]com domain that DEV-1084 used for command and control (C2) during the incident is a domain that MERCURY operators control.

Technical Analysis

In Microsoft’s assessment, MERCURY operators exploited an unpatched internet-facing device to access the targets. MERCURY then gave DEV-1084 access to carry out the work.

Once the threat actors gain access, they use various tools and techniques to maintain persistence, which lets them keep access to the compromised devices over an extended period.

After this, the threat actors gain the following abilities:

  • Installing web shells
  • Adding a local user account and elevating privileges to the local administrator
  • Installing legitimate remote access tools, such as RPort, Ligolo, and eHorus
  • Installing a customized PowerShell script backdoor
  • Stealing credentials

After compromising highly privileged credentials, DEV-1084 used them to encrypt on-premises devices and delete large amounts of cloud resources such as:

  • Server farms
  • Virtual machines
  • Storage accounts
  • Virtual networks

Moreover, the malicious actors ultimately gain control of email inboxes by exploiting Exchange Web Services, and they use this access to carry out many search operations.

Through this, they detect the identity of a prominent organization member, enabling them to transmit messages to internal and external addressees.

The above-mentioned actions were estimated to have occurred over approximately three hours, between 12:38 am and 3:21 am.
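As an added detection example (not from Microsoft's report or the original article), the Python below flags any single identity that deletes many of the resource types listed above within a three-hour window, matching the timeline described. It assumes Azure-style operation names and simplified activity-log records; the field names, the threshold of five, and the sample accounts are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Azure-style operation names for the four resource types listed above.
DESTRUCTIVE_OPS = {
    "microsoft.web/serverfarms/delete",
    "microsoft.compute/virtualmachines/delete",
    "microsoft.storage/storageaccounts/delete",
    "microsoft.network/virtualnetworks/delete",
}

def find_deletion_bursts(events, window=timedelta(hours=3), threshold=5):
    """Map caller -> (deletes, distinct resource types) for the largest burst of
    successful destructive deletes that fits inside one sliding `window`."""
    by_caller = defaultdict(list)
    for e in events:
        op = e["operationName"].lower()
        if op in DESTRUCTIVE_OPS and e["status"] == "Succeeded":
            by_caller[e["caller"]].append((datetime.fromisoformat(e["time"]), op))
    alerts = {}
    for caller, hits in by_caller.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide left edge forward
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(caller, (0, 0))[0]:
                alerts[caller] = (count, len({op for _, op in hits[start:end + 1]}))
    return alerts

def _ev(time, caller, op, status="Succeeded"):
    return {"time": time, "caller": caller, "operationName": op, "status": status}

# Constructed sample records (simplified; field names are assumptions).
ADMIN, OPS = "admin@example.test", "ops@example.test"
SAMPLE_EVENTS = [
    _ev("2024-01-01T00:41:00", ADMIN, "Microsoft.Compute/virtualMachines/delete"),
    _ev("2024-01-01T00:55:00", ADMIN, "Microsoft.Compute/virtualMachines/delete"),
    _ev("2024-01-01T01:20:00", ADMIN, "Microsoft.Storage/storageAccounts/delete"),
    _ev("2024-01-01T02:05:00", ADMIN, "Microsoft.Network/virtualNetworks/delete"),
    _ev("2024-01-01T02:40:00", ADMIN, "Microsoft.Web/serverFarms/delete"),
    _ev("2024-01-01T03:15:00", ADMIN, "Microsoft.Storage/storageAccounts/delete"),
    _ev("2024-01-01T03:18:00", ADMIN, "Microsoft.Compute/virtualMachines/delete", "Failed"),
    _ev("2024-01-02T10:00:00", OPS, "Microsoft.Compute/virtualMachines/delete"),
    _ev("2024-01-05T11:00:00", OPS, "Microsoft.Compute/virtualMachines/delete"),
]

if __name__ == "__main__":
    print(find_deletion_bursts(SAMPLE_EVENTS))
```

The routine deletions by the second account are days apart and stay below the threshold, so only the burst is reported.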

DEV-1084, as of right now, cannot be confirmed to be an autonomous threat actor, nor can there be any concrete evidence to support the claim that it operates alongside other Iranian threat actors.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
