MuddyWater is taking advantage of old vulnerabilities

For a detailed advisory, download the pdf file here.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC) have issued a joint advisory to warn organizations about an APT State sponsored Actor exploiting old Fortinet and proxyshell vulnerabilities. Since late March 2021, this APT Iranian State sponsored Actor (MuddyWater) has been breaching vulnerable networks by exploiting Fortinet vulnerabilities. The Hive Pro threat Research team has issued a detailed and in depth advisory for the same. Now, in October 2021, MuddyWater is getting initial access to the susceptible system by exploiting the well known ProxyShell Vulnerability (CVE 2021 34473). It is recommended that organizations patch these vulnerabilities as soon as available. The Tactics and Techniques used by MuddyWater are: TA0042 – Resource Development T1588.001 – Obtain Capabilities: Malware T1588.002 – Obtain Capabilities: Tool TA0001 – Initial Access T1190 – Exploit Public Facing Application TA0002 – Execution T1053.005 – Scheduled Task/Job: Scheduled Task TA0003 – Persistence T1136.001 – Create Account: Local Account T1136.002 – Create Account: Domain Account TA0004 – Privilege Escalation TA0006 – Credential Access TA0009 – Collection T1560.001 – Archive Collected Data: Archive via Utility TA0010 – Exfiltration TA0040 – Impact T1486 – Data Encrypted for Impact

Actor Details

Vulnerability Details

Indicators of Compromise (IoCs)

Patch Link

https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033

http://www.securityfocus.com/bid/108693

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473

References

https://us-cert.cisa.gov/ncas/alerts/aa21-321a