MuddyWater is taking advantage of old vulnerabilities

THREAT LEVEL: Red.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC) have issued a joint advisory (AA21-321a) warning organizations that an Iranian state-sponsored APT actor is exploiting known, already-patched Fortinet and Microsoft Exchange ProxyShell vulnerabilities.
Since at least March 2021, this Iranian state-sponsored actor (MuddyWater) has been breaching vulnerable networks by exploiting Fortinet FortiOS vulnerabilities; the joint advisory names CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591. The Hive Pro Threat Research team has published a detailed advisory on that activity.
Since October 2021, the actor has also been gaining initial access to unpatched Exchange servers through the well-known ProxyShell vulnerability CVE-2021-34473, the pre-authentication entry point of the ProxyShell chain, which Microsoft fixed in its April 2021 Exchange security updates. After initial access the actor creates scheduled tasks, adds local and domain accounts, archives collected data and encrypts data for impact.
Patches for all of these vulnerabilities have been available for months. Organizations that have not yet applied them should do so immediately, and should assume that any FortiOS or Exchange server that was reachable from the internet while unpatched may already be compromised: check it for the tactics and techniques listed below rather than only patching it.
The Tactics and Techniques used by MuddyWater are:
TA0042 – Resource Development
T1588.001 – Obtain Capabilities: Malware
T1588.002 – Obtain Capabilities: Tool
TA0001 – Initial Access
T1190 – Exploit Public-Facing Application
TA0002 – Execution
T1053.005 – Scheduled Task/Job: Scheduled Task
TA0003 – Persistence
T1136.001 – Create Account: Local Account
T1136.002 – Create Account: Domain Account
TA0004 – Privilege Escalation
TA0006 – Credential Access
TA0009 – Collection
T1560.001 – Archive Collected Data: Archive via Utility
TA0010 – Exfiltration
TA0040 – Impact
T1486 – Data Encrypted for Impact
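To make the tactics above actionable, here is an added hunting example written for this page (it is not code from Hive Pro or from the joint advisory). It scans a constructed Exchange IIS log excerpt for the publicly documented ProxyShell Autodiscover request shape (T1190), and a constructed set of Windows Security events for scheduled-task creation (event 4698, T1053.005) and account creation (event 4720, T1136.001/.002). The log lines, event records, host names, IP addresses and regular expressions are all assumptions made for illustration; the regexes are heuristics to tune against your own baseline, not vendor signatures.

```python
"""Added hunting example for the initial-access and persistence techniques
listed above. All sample data in this file is constructed for illustration."""
import re

# Constructed Exchange IIS W3C log excerpt (not telemetry from a real incident).
# The two "python-requests" POSTs carry the publicly documented ProxyShell
# Autodiscover shape: an "@host" pivot in the query string that makes the
# front end proxy the request to a back-end path such as /mapi/nspi or /powershell.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-10-05 10:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-10-05 10:02:44 10.0.0.5 POST /autodiscover/autodiscover.json @attacker.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@attacker.example 443 - 198.51.100.7 python-requests/2.26 200
2021-10-05 10:03:01 10.0.0.5 POST /autodiscover/autodiscover.json @attacker.example/powershell/?X-Rps-CAT=deadbeef 443 - 198.51.100.7 python-requests/2.26 200
2021-10-05 10:05:30 10.0.0.5 POST /autodiscover/autodiscover.json - 443 CORP\\jdoe 10.0.0.42 Microsoft-Outlook 200
"""

# Constructed Windows Security events, shaped like a SIEM export (assumed field names).
WIN_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Command": r"%windir%\system32\defrag.exe"},
    {"EventID": 4698, "SubjectUserName": r"CORP\EXCH01$",
     "TaskName": r"\UpdateCheck",
     "Command": r"powershell.exe -NoP -W Hidden -File C:\Users\Public\update.ps1"},
    {"EventID": 4720, "SubjectUserName": r"CORP\EXCH01$", "TargetUserName": "svc_backup2"},
    {"EventID": 4624, "SubjectUserName": "-", "TargetUserName": "jdoe"},
]

# Heuristic rules (assumptions for this example, not vendor signatures). Tune before use.
# Autodiscover JSON endpoint whose query pivots through "@host/" to a back-end path.
PROXYSHELL_QUERY = re.compile(r"@[^/\s]+/(mapi|powershell|ews|owa|autodiscover)\b", re.I)
# Task commands worth a look: encoded/hidden PowerShell or payloads in user-writable paths.
SUSPICIOUS_TASK = re.compile(
    r"(-enc\w*\b|-W(?:indowStyle)?\s+Hidden|\\Users\\Public\\|\\ProgramData\\|\\Temp\\)", re.I)


def parse_iis(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split()
            if len(parts) == len(fields):
                records.append(dict(zip(fields, parts)))
    return records


def proxyshell_hits(records):
    """Requests whose stem and query match the ProxyShell Autodiscover pivot (T1190)."""
    hits = []
    for r in records:
        if (r["cs-uri-stem"].lower().endswith("/autodiscover/autodiscover.json")
                and PROXYSHELL_QUERY.search(r["cs-uri-query"])):
            hits.append({"time": f'{r["date"]} {r["time"]}', "src": r["c-ip"],
                         "ua": r["cs(User-Agent)"], "query": r["cs-uri-query"]})
    return hits


def persistence_hits(events):
    """4698 task creations with suspicious commands (T1053.005); every 4720 new account (T1136)."""
    findings = []
    for e in events:
        if e["EventID"] == 4698 and SUSPICIOUS_TASK.search(e.get("Command", "")):
            findings.append(("T1053.005", e["TaskName"], e["Command"]))
        elif e["EventID"] == 4720:
            findings.append(("T1136", e["TargetUserName"], "created by " + e["SubjectUserName"]))
    return findings


def hunt(iis_text=IIS_LOG, events=WIN_EVENTS):
    """Run both checks; sources seen in ProxyShell hits are the pivot for further triage."""
    web = proxyshell_hits(parse_iis(iis_text))
    host = persistence_hits(events)
    return {"proxyshell": web, "persistence": host,
            "suspect_sources": sorted({h["src"] for h in web})}


if __name__ == "__main__":
    for section, items in hunt().items():
        print(section)
        for item in items:
            print("  ", item)
```

Run it as a script to print the findings, or import `hunt()` and pass it your own W3C log text and event export. An Autodiscover pivot request from an unfamiliar user agent, followed within hours by a 4698 or 4720 on the same Exchange host, is the initial access, execution and persistence chain listed above and should be handled as an intrusion, not as a patching ticket.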

Actor Details

Vulnerability Details

Indicators of Compromise (IoCs)

Patch Link

https://kb.fortinet.com/kb/documentLink.do?externalID=FD37033

http://www.securityfocus.com/bid/108693

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-34473

References

https://us-cert.cisa.gov/ncas/alerts/aa21-321a