"Microsoft: Iranian Gov Hackers Caught in Azure Wiper Attacks"

Microsoft recently warned that the Iranian advanced persistent threat (APT) actors MuddyWater and DEV-1084 had been observed launching destructive cyberattacks disguised as ransomware. MuddyWater, also tracked as Mercury, Seedworm, and Static Kitten, has been running espionage campaigns against targets in the Middle East since at least 2017 and was officially linked by the U.S. government to Iran's Ministry of Intelligence and Security. DEV-1084, which claims to be a financially motivated cybercriminal group operating under the DarkBit persona, is connected to MuddyWater, if not a subgroup of the APT. Microsoft stated that DEV-1084 was seen using an IP address and a VPN provider historically associated with MuddyWater, using tools previously used by the APT, and using a domain believed to be controlled by MuddyWater. Microsoft found that Mercury gains access to targets through remote exploitation of an unpatched internet-facing device and then hands that access off to DEV-1084. It is unclear whether DEV-1084 operates independently of Mercury and works with other Iranian actors, or whether it is an "effects based" sub-team of Mercury that only surfaces when Mercury operators are instructed to carry out a destructive attack. Microsoft noted that following the initial compromise, the adversary deploys web shells, creates administrative user accounts, installs legitimate remote access tools (including eHorus, Ligolo, and RPort), installs a PowerShell script backdoor, and steals credentials. After establishing persistence, the threat actor performs reconnaissance and lateral movement, using remote scheduled tasks to launch the backdoor, Windows Management Instrumentation (WMI) to execute commands, and remote services to run PowerShell commands.
The attackers were also caught abusing compromised Azure Active Directory (Azure AD) accounts that held "global administrator" privileges to perform destructive actions, deleting server farms, virtual machines, storage accounts, and virtual networks within a few hours. Microsoft stated that the attacker's goal was to cause data loss and a denial of service (DoS) of the target's services. In some cases, the hackers were seen deploying tunneling tools such as Ligolo and OpenSSH to hide command-and-control (C&C) communication. Microsoft also observed the attackers using high-privileged credentials and domain controller access to carry out on-premises destructive operations and prepare for large-scale encryption.
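The Azure-side behaviour described above, one principal deleting resources of several types within a few hours, is the kind of pattern a defender can flag from Azure Activity Log data. The following is an added detection example, not code from Microsoft's or SecurityWeek's report; the record field names and the sample log entries are constructed to resemble activity-log events and are assumptions, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Azure Activity Log entries (field names are an
# assumption; real entries carry many more fields). Not taken from the report.
SAMPLE_LOG = [
    {"eventTimestamp": "2023-04-07T10:00:00Z", "caller": "svc-admin@contoso.example",
     "operationName": "Microsoft.Web/serverfarms/delete", "status": "Succeeded"},
    {"eventTimestamp": "2023-04-07T10:12:00Z", "caller": "svc-admin@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/delete", "status": "Succeeded"},
    {"eventTimestamp": "2023-04-07T10:40:00Z", "caller": "svc-admin@contoso.example",
     "operationName": "Microsoft.Storage/storageAccounts/delete", "status": "Succeeded"},
    {"eventTimestamp": "2023-04-07T11:05:00Z", "caller": "svc-admin@contoso.example",
     "operationName": "Microsoft.Network/virtualNetworks/delete", "status": "Succeeded"},
    # Routine cleanup by a developer: two VMs hours apart, plus one failed delete.
    {"eventTimestamp": "2023-04-07T08:00:00Z", "caller": "dev@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/delete", "status": "Succeeded"},
    {"eventTimestamp": "2023-04-07T15:30:00Z", "caller": "dev@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/delete", "status": "Succeeded"},
    {"eventTimestamp": "2023-04-07T15:31:00Z", "caller": "dev@contoso.example",
     "operationName": "Microsoft.Network/virtualNetworks/delete", "status": "Failed"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_mass_deletions(records, min_types=3, window=timedelta(hours=2)):
    """Return {caller: (deletes_in_window, sorted resource types)} for each caller whose
    successful delete operations span >= min_types distinct resource types inside `window`."""
    by_caller = defaultdict(list)
    for r in records:
        op = r["operationName"]
        if r.get("status") != "Succeeded" or not op.lower().endswith("/delete"):
            continue
        # "Microsoft.Compute/virtualMachines/delete" -> "Microsoft.Compute/virtualMachines"
        by_caller[r["caller"]].append((parse_ts(r["eventTimestamp"]), op.rsplit("/", 1)[0]))
    alerts = {}
    for caller, events in by_caller.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered deletes
            while events[end][0] - events[start][0] > window:
                start += 1
            types = {t for _, t in events[start:end + 1]}
            count = end - start + 1
            if len(types) >= min_types and (caller not in alerts or count > alerts[caller][0]):
                alerts[caller] = (count, sorted(types))
    return alerts
```

Tuning `min_types` and `window` to the tenant's normal change rate keeps legitimate infrastructure teardown from alerting; the resource-lock and break-glass controls on global administrator accounts are the complementary preventive side.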


SecurityWeek reports: "Microsoft: Iranian Gov Hackers Caught in Azure Wiper Attacks"
