Iran-Linked MuddyWater Hackers Target U.S. Networks with New Dindoor Backdoor
MuddyWater Hacking Operation
A recent investigation by Broadcom’s Symantec and Carbon Black Threat Hunter Team has uncovered evidence of a sophisticated hacking operation attributed to the Iranian threat group known as MuddyWater.
Targets and Methods
The group has been found to have infiltrated the networks of several U.S. companies, including banks, airports, and a software company with ties to the defense and aerospace industries.
The attacks, which have also targeted a Canadian non-profit organization, have been designed to deploy a previously unknown backdoor dubbed Dindoor.
This backdoor is executed through the Deno JavaScript runtime, which gives the attackers a persistent foothold inside the compromised networks.
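Because Dindoor runs under Deno, the practical hunting question for a defender is simply "where is Deno executing on my estate, and does it belong there?" The following is an added example, not code from the original report or from Symantec; it scores constructed process-creation events (the field names, host names, approved-host list and directory patterns are all assumptions for illustration) and flags Deno executions that run from staging directories, request broad runtime permissions (`-A`, `--allow-all`, `--allow-run`), or appear on hosts where Deno is not an approved tool.

```python
import re
from pathlib import PureWindowsPath, PurePosixPath
from typing import Optional

# Binary names the Deno runtime ships under on Windows and Linux/macOS.
DENO_NAMES = {"deno", "deno.exe"}

# Assumption: hosts where Deno is an approved developer tool (tune per environment).
APPROVED_HOSTS = {"ws-dev-07"}

# Path fragments that indicate a user-writable or staging location (assumed list).
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\",
    "/tmp/", "/dev/shm/", "/var/tmp/",
)

# Deno flags that hand the script broad host access (run subprocesses, or everything).
BROAD_PERMS = re.compile(r"(^|\s)(-A|--allow-all|--allow-run)(\s|=|$)")

# Constructed sample events (not real telemetry), loosely modelled on
# Sysmon Event ID 1 / EDR process-creation records.
SAMPLE_EVENTS = [
    {"host": "ws-dev-07", "image": "C:\\Users\\alice\\.deno\\bin\\deno.exe",
     "parent": "C:\\Program Files\\Microsoft VS Code\\Code.exe",
     "cmdline": "deno.exe run --allow-net server.ts"},
    {"host": "srv-fin-02", "image": "C:\\ProgramData\\Deno\\deno.exe",
     "parent": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "deno.exe run -A C:\\ProgramData\\Deno\\svc.js"},
    {"host": "srv-web-01", "image": "/tmp/.x/deno",
     "parent": "/bin/bash",
     "cmdline": "/tmp/.x/deno run --allow-all main.ts"},
    {"host": "srv-web-01", "image": "/usr/bin/python3",
     "parent": "/usr/sbin/cron",
     "cmdline": "python3 app.py"},
    {"host": "ws-hr-11", "image": "C:\\Users\\bob\\AppData\\Local\\Programs\\deno\\deno.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "deno.exe run script.ts"},
]


def basename(image: str) -> str:
    """Lower-cased file name of an image path, without touching the filesystem."""
    path = PureWindowsPath(image) if "\\" in image else PurePosixPath(image)
    return path.name.lower()


def evaluate(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious Deno execution, or None if the event is benign."""
    if basename(event["image"]) not in DENO_NAMES:
        return None
    reasons = []
    if any(frag in event["image"].lower() for frag in SUSPICIOUS_DIRS):
        reasons.append("deno binary in user-writable/staging directory")
    if BROAD_PERMS.search(event.get("cmdline", "")):
        reasons.append("broad runtime permissions requested")
    if event["host"] not in APPROVED_HOSTS:
        reasons.append("deno not approved on this host")
    if not reasons:
        return None
    # Two or more independent indicators is treated as high confidence.
    severity = "high" if len(reasons) >= 2 else "medium"
    return {"host": event["host"], "severity": severity,
            "reasons": reasons, "cmdline": event.get("cmdline", "")}


def hunt(events) -> list:
    """Run evaluate() over a stream of process events and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["host"], "|", finding["cmdline"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The approved-host list is the important tuning knob: on a developer workstation Deno with `--allow-net` is normal, which is why the first sample event produces no finding, whereas Deno launched by `wscript.exe` from `ProgramData` with `-A` on a finance server trips three indicators at once.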
Additional Backdoors and Threat Actors
In addition to the Dindoor backdoor, the researchers discovered a separate Python-based backdoor called Fakeset on the networks of a U.S. airport and the non-profit organization.
Although Fakeset was not observed on the other targeted networks, the use of the same certificates suggests that the same actor, tracked by Symantec as Seedworm (its name for MuddyWater), was responsible for the activity.
MuddyWater Group’s Tactics and Techniques
The MuddyWater group’s tactics, techniques, and procedures (TTPs) have been observed to be increasingly sophisticated in recent years, with a strong emphasis on social engineering capabilities, including spear-phishing campaigns and “honeytrap” operations.
These TTPs have been used to gain access to accounts or sensitive information, highlighting the need for organizations to bolster their cybersecurity posture and strengthen their monitoring capabilities.
Escalating Conflict and Increased Cyber Attacks
The findings come amid an escalating military conflict in the Middle East, which has triggered a surge in cyber attacks.
Recent research has uncovered the pro-Palestinian hacktivist group Handala Hack (aka Void Manticore) routing its operations through Starlink IP ranges to probe externally facing applications for misconfigurations and weak credentials.
Iran-Nexus Adversaries and Camera Exploitation
Multiple Iran-nexus adversaries, including Agrius (aka Agonizing Serpens, Marshtreader, and Pink Sandstorm), have also been observed scanning for vulnerable Hikvision cameras and video intercom solutions using known security flaws.
The exploitation attempts against IP cameras have witnessed a surge in Israel and Gulf countries, including the U.A.E., Qatar, Bahrain, and Kuwait, as well as Lebanon and Cyprus.
Warnings and Advisories
The Canadian Centre for Cyber Security (CCCS) has issued an advisory warning that Iran is likely to use its cyber apparatus to stage retaliatory attacks against critical infrastructure and information operations to further the regime’s interests.
Iran’s Islamic Revolutionary Guard Corps (IRGC) has also targeted Amazon’s data center in Bahrain for the company’s support of the “enemy’s military and intelligence activities.”
Active Wiper Campaigns and Recommended Mitigations
Active wiper campaigns are currently underway against Israeli energy, financial, government, and utilities sectors, with Iran’s wiper arsenal including 15+ families of malware.
A massive #OpIsrael cyber campaign involving pro-Russian and pro-Iranian actors has targeted Israeli industrial control systems (ICS) and government portals across Kuwait, Jordan, and Bahrain.
Organizations are advised to remain on high alert as the conflict continues, since activity may move beyond hacktivism into destructive operations.
To mitigate these risks, organizations should strengthen their monitoring capabilities, limit exposure to the internet, disable remote access to operational technology (OT) systems, enforce phishing-resistant multi-factor authentication (MFA), implement network segmentation, take offline backups, and ensure that all internet-facing applications, VPN gateways, and edge devices are up-to-date.
