APT groups are muddying the waters for MSPs.


A quick dive into the dark side of cyberattacks and other threats facing managed service providers – and their customers

ESET telemetry has seen the launch of a new campaign in Q4 2022 by MuddyWater, a cyberespionage group linked to Iran’s Ministry of Intelligence and Security (MOIS) and operating since at least 2017. The group (primarily) targets victims in the Middle East, Asia, Africa, Europe, and North America, including telecommunications companies, government organizations, and oil and gas and energy firms.

For readers interested in MSPs, what stands out in the group’s October 2022 campaign is that four victims, three in Egypt and one in Saudi Arabia, were exposed to abuse of SimpleHelp, a legitimate remote access tool (RAT) and remote support software used by MSPs. This development highlights the importance of visibility for MSPs: they have no choice but to employ automation when deploying hundreds or even thousands of types of software, and they must ensure that their SOC teams, customer-facing security managers, and threat hunting and response processes are mature and constantly evolving.

Good tools for bad guys?

ESET Research found that once SimpleHelp was present on a victim’s disk, MuddyWater operators deployed Ligolo, a reverse tunnel used to connect the victim’s system to command and control (C&C) servers. It is not known how or when MuddyWater acquired the MSP’s tooling or gained access to the MSP’s environment. We have found MSP.

As this campaign continues, MuddyWater’s use of SimpleHelp has so far successfully hidden MuddyWater’s C&C servers, since the commands used to launch Ligolo from SimpleHelp have not been captured. Regardless, we can already see that MuddyWater operators are also deploying MiniDump (an lsass.exe dumper), CredNinja, and a new version of the group’s password dumper, MKL64.

In late October 2022, ESET found MuddyWater deploying a custom reverse tunneling tool against a similar victim in Saudi Arabia. Although its purpose is not immediately clear, analysis continues, and progress can be tracked in our private APT reports.

Alongside using MiniDump against the Local Security Authority Subsystem Service (LSASS) and using the CredNinja penetration testing tool, MuddyWater employs other tactics and techniques, such as abusing popular MSP tools from ConnectWise to access victims’ systems.
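As an added example (not code from the ESET article), the detection logic below triages constructed process-creation events for the two behaviours the preceding paragraphs describe: a remote support tool such as SimpleHelp or ConnectWise spawning a child outside its own install directory (as when Ligolo is launched from SimpleHelp), and a command line that targets lsass.exe for dumping. Host names, paths and the tunnel-agent command line are constructed sample data, and the "expected child" baseline is an assumption to be tuned per estate.

```python
import re

# Constructed process-creation events (EDR/Sysmon-style, simplified); not real
# telemetry. Paths, hosts and command lines are sample data for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files\SimpleHelp\Remote Access.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws01", "parent": r"C:\Program Files\SimpleHelp\Remote Access.exe",
     "image": r"C:\Users\Public\agent.exe",
     "cmdline": "agent.exe -connect 203.0.113.5:11601"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Temp\md.exe", "cmdline": "md.exe lsass.exe C:\\Temp\\lsass.dmp"},
    {"host": "ws03", "parent": r"C:\Program Files\ConnectWise\ScreenConnect.ClientService.exe",
     "image": r"C:\Program Files\ConnectWise\ScreenConnect.WindowsClient.exe",
     "cmdline": "ScreenConnect.WindowsClient.exe"},
]

# Remote-support (RMM) tools named in the article. Their presence is expected on
# MSP-managed hosts, so the rule keys on what they spawn, not on the tool itself.
RMM_PARENT = re.compile(r"\\(SimpleHelp|ConnectWise)\\", re.IGNORECASE)
# Children an RMM agent is expected to start: executables under its own install
# directory (assumed baseline; tune per estate).
EXPECTED_RMM_CHILD = re.compile(r"\\(SimpleHelp|ConnectWise)\\[^\\]+\.exe$", re.IGNORECASE)
# Command lines that reference lsass or a minidump, as a MiniDump-style
# credential dumper would.
LSASS_DUMP = re.compile(r"\blsass\b|minidump", re.IGNORECASE)


def triage(events):
    """Return one finding per matched rule, in event order."""
    findings = []
    for ev in events:
        if RMM_PARENT.search(ev["parent"]) and not EXPECTED_RMM_CHILD.search(ev["image"]):
            findings.append({"host": ev["host"], "rule": "rmm_spawned_unexpected_child",
                             "parent": ev["parent"], "image": ev["image"]})
        if LSASS_DUMP.search(ev["cmdline"]):
            findings.append({"host": ev["host"], "rule": "lsass_dump_cmdline",
                             "parent": ev["parent"], "image": ev["image"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} -> {f['image']}")
```

The ConnectWise event on ws03 produces no finding because the child lives under the tool’s own directory; only the two SimpleHelp children and the lsass dump on ws02 are flagged.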

ESET has also tracked other techniques linked to the group, such as steganography, which hides information in digital media such as images, audio tracks, video clips or text files. A 2018 report from ClearSky Cyber Security documented MuddyWater campaigns in Lebanon and Oman, as well as the use of this technique in several decoy documents sharing malware named MyCV.doc. ESET detects the hidden malware as VBA/TrojanDownloader.Agent.

Four years have passed since the publication of the ClearSky report, and although ESET detections have fallen from seventh place (3.4%) in the T3 2021 Threat Report to last place (1.8%) in the T3 2022 Threat Report, VBA/TrojanDownloader.Agent remains in our top 10 malware detection chart.

Top 10 Malware Detections In T3 2022

VBA/TrojanDownloader.Agent detections in the ESET T3 2022 Threat Report. (Note: this detection groups different malware families/scripts; thus the VBA/TrojanDownloader.Agent percentage above does not reflect only MuddyWater’s use of this type of malware.)

VBA macro attacks use maliciously crafted Microsoft Office files and attempt to trick users (including MSP employees and customers) into enabling the execution of macros. If enabled, the embedded malicious macro typically downloads and executes additional malware. These malicious documents are often sent as email attachments disguised as important information relevant to the recipient.
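As an added example (not from the ESET article), the check below triages an Office Open XML attachment for an embedded VBA project by inspecting the package contents rather than trusting the file extension, which is the property a mail gateway or SOC triage script needs for the macro-laden attachments described above. The sample package is constructed in memory and is not a real phishing document.

```python
import io
import zipfile

MACRO_CTYPE = b"macroEnabled"   # appears in [Content_Types].xml of .docm/.xlsm/.pptm
VBA_PART = "vbaproject.bin"     # the VBA project storage inside the package


def build_sample(with_macro):
    """Construct a minimal Office Open XML package in memory. This is
    constructed test data, not a real document; real files carry many more parts."""
    if with_macro:
        ctype = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        ctype = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only
    return buf.getvalue()


def has_vba(blob):
    """True if the attachment carries a VBA project. Judged by content, not by
    file extension: a .docm renamed to .docx still contains word/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = z.namelist()
            if any(n.lower().endswith(VBA_PART) for n in names):
                return True
            if "[Content_Types].xml" in names:
                return MACRO_CTYPE in z.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass  # not an OOXML package (legacy binary .doc or non-Office data)
    return False


if __name__ == "__main__":
    print("macro sample:", has_vba(build_sample(True)))
    print("clean sample:", has_vba(build_sample(False)))
```

Legacy binary .doc files are OLE compound files rather than zip packages, so this check returns False for them; they need an OLE-aware parser such as oletools’ olevba instead.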

A call to action for MSPs and enterprises

MSP admins who configure leading productivity tools such as Microsoft Word/Office 365/Outlook have a hand on the threat vectors that endanger the networks they manage. At the same time, SOC team members may or may not have their own EDR/XDR tools well configured to detect whether a group like MuddyWater, or criminal entities, are trying to use techniques including steganography to access their own or their customers’ systems.

MSPs need both a trusted network connection and privileged access to customer systems to provide their services; this means they accumulate risk and responsibility across many customers. Importantly, customers can inherit risks from the activity and environment of the MSP they choose. This makes XDR a critical tool for preventing threats, risky employee behavior and unwanted applications from endangering profits and reputation across the MSP’s own environment and its customers’ endpoints, devices and networks. Mature use of XDR tools by MSPs underpins their active role in providing specific protection coverage for the specific services they deliver to customers.

When mature MSPs manage XDR, they are in a better position to deal with a variety of threats, including APT groups seeking to leverage their customers’ positions in both physical and digital supply chains. As defenders, SOC teams and MSP administrators bear the dual burden of maintaining visibility into both their internal networks and their customers’ networks. Customers should be concerned about their MSP’s security posture and understand the threats it faces, lest their supplier’s compromise lead to their own.
