Iranian hackers contracted by the country’s Islamic Revolutionary Guard Corps, a group known as MuddyWater that was exposed by Microsoft last month, targeted prominent Israeli companies in a series of ransomware attacks last month.
Dubbing the Iranian effort “Operation Quicksand,” the Clearsky and Profero cybersecurity firms said they “uncovered the first known instance of a potentially destructive attack executed by MuddyWater, focusing on prominent organizations in Israel and in other countries around the world.”
The firms said they identified and thwarted the attacks before any harm could be inflicted, but were now raising an alarm to the methods used, indicating that they could have been employed in earlier hacking attacks that might have gone unnoticed.
The names of the Israeli firms targeted in the ransomware attacks were not identified in the report, ostensibly for security reasons.
Researchers identified two primary attack vectors:
- The first vector entailed sending a malicious decoy document (a PDF or Excel file) that communicates over OpenSSL with a malicious C2 server and downloads files, which later deploy the “PowGoop” payload.
- The second vector involves exploiting CVE-2020-0688 and deploying the same payload via an ASPX file (a web shell). The attacker then creates internal socket tunneling between compromised machines in the network, using a modified SSF (Socket) for it, and downloads PowGoop as well. Recently, Microsoft revealed that MuddyWater had also been leveraging the ZeroLogon vulnerability (CVE-2020-1472).
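A defender-side check for the second vector, added here as an example and not code from the Clearsky/Profero report: it scans IIS W3C log lines for the CVE-2020-0688 exploitation pattern. The heuristic (a ViewState value carried in the query string of a request under /ecp/, where legitimate ECP traffic sends it in the POST body) is an assumption of this example, and the log lines are constructed.

```python
"""Flag IIS requests matching the CVE-2020-0688 exploitation pattern.

Heuristic (this example's own, not from the report): the bug is a ViewState
deserialization flaw in the Exchange Control Panel, and exploitation carries
the forged __VIEWSTATE in the query string of an /ecp/ request, whereas
normal ECP pages post it in the request body. Log lines below are constructed.
"""
from urllib.parse import parse_qs

# Constructed W3C extended log excerpt using the IIS default field names.
# The exploit needs valid credentials, so cs-username names the abused account.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-09-15 08:01:12 10.0.0.5 GET /owa/ - 443 - 10.0.0.44 Mozilla/5.0 200
2020-09-15 08:01:40 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\jdoe 10.0.0.44 Mozilla/5.0 200
2020-09-15 08:02:03 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=AAAAAAAA&__VIEWSTATE=%2FwEy... 443 CORP\\jdoe 203.0.113.9 python-requests/2.24 500
2020-09-15 08:02:05 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=AAAAAAAA&__VIEWSTATE=%2FwEy... 443 CORP\\jdoe 203.0.113.9 python-requests/2.24 500
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_viewstate_in_query(rec):
    """True when an /ecp/ request carries __VIEWSTATE in the query string."""
    if not rec["cs-uri-stem"].lower().startswith("/ecp/"):
        return False
    query = rec["cs-uri-query"]
    if query == "-":  # IIS writes '-' for an empty field
        return False
    keys = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
    return "__viewstate" in keys


def find_suspicious(text):
    """Return (timestamp, client ip, account, status) for each matching record."""
    return [(r["date"] + " " + r["time"], r["c-ip"], r["cs-username"], r["sc-status"])
            for r in parse_w3c(text) if is_viewstate_in_query(r)]
```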