MERCURY, an Iranian nation-state group, has recently been detected by Microsoft’s Threat Intelligence team operating under the guise of a ransomware attack in hybrid environments.
Since 2017, MERCURY has been conducting espionage campaigns against targets in the Middle East, and this state-sponsored group is financially motivated.
In their current ongoing operation, they are actively targeting both on-premises and cloud environments. As a result of the unrecoverable actions, the operation’s primary objectives were destruction and disruption.
The U.S. government has publicly connected MuddyWater (aka MERCURY) to the Ministry of Intelligence and Security (MOIS), a government agency in Iran linked to this group.
While the cybersecurity community has tracked this group under several names, we have listed them below:-
Microsoft found that MERCURY partnered with DEV-1084, a known cyber-espionage group, to execute lethal attacks. DEV-1084 acted after MERCURY gained access to the target environment.
Here below, we have mentioned all the key links between DEV-1084 and MERCURY:-
In Microsoft’s assessment, it has been observed that the MERCURY operators have exploited an unpatched internet-facing device to access the targets. DEV-1084 was then given access by Mercury to carry out the work.
Once the threat actors gain access, they use various tools and techniques to maintain persistence. At the same time, this allows them to maintain access to the compromised devices over an extended period.
After implementing this whole proceeding, the threat actors get the following abilities:-
After compromising the highly privileged credentials, DEV-1084 subsequently exploited it to encrypt on-premise devices and delete large amounts of cloud elements like:-
Moreover, the malicious actors ultimately control email inboxes by exploiting the Exchange Web Services. Here, they utilize this access to carry out many search operations.
Through this, they detect the identity of a prominent organization member, enabling them to transmit messages to internal and external addressees.
The above-mentioned actions were estimated to have occurred over approximately three hours between 12:38 am in the morning and 3:21 am in the morning, which is the ending time.
DEV-1084, as of right now, cannot be confirmed to be an autonomous threat actor, nor can there be any concrete evidence to support the claim that it operates alongside other Iranian threat actors.
Struggling to Apply The Security Patch in Your System? –
Related Read:
IBM has issued a security bulletin warning of two vulnerabilities in its AIX operating system…
The Apache Software Foundation has issued a security alert regarding a critical vulnerability in Apache…
The Chinese National Internet Emergency Center (CNIE) has revealed two significant cases of cyber espionage…
A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…
Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…
An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…