A Destructive Pairing with MuddyWater and DEV-1084

A collaboration between Iranian threat actor, MERCURY (aka MuddyWater) and threat actor Microsoft tracks as DEV-1084 has been observed. According to a report from the Microsoft Threat Intelligence team the two groups worked in tandem to compromise an on-premises and cloud environment. While the attackers attempted to disguise the attack as a ransomware operation, the objective was to achieve a more destructive and unrecoverable result. MuddyWater operators performed the initial breach, exploiting known vulnerabilities, and relinquishing the campaign to DEV-1084 to carry out the intrusion and the destructive portion of the attack. As analyzed by Microsoft DEV-1084 performed "extensive reconnaissance and discovery, establish persistence, and move laterally throughout the network, oftentimes waiting weeks and sometimes months before progressing to the next stage. DEV-1084 was later observed leveraging highly privileged compromised credentials to perform en masse destruction of resources, including server farms, virtual machines, storage accounts, and virtual networks, and send emails to internal and external recipients."

DEV-1084 operators utilized various techniques to maintain persistence including deploying web shells, creating a local user account, and elevating privileges. In addition to installing legitimate remote access tools like RPort, Ligolo, and eHorus, creating a customized PowerShell script backdoor, and stealing credentials. To move laterally to other hosts in the environment, DEV-1084 uses remote scheduled tasks, and Windows Management Instrumentation (WMI) to execute commands and run encoded PowerShell commands. Once the lateral movement was achieved, they deployed the same persistence mechanisms established on other machines. "Interestingly, after each main attack step, the actors did not always immediately continue their operations but would wait weeks and sometimes months before moving to the next step," as noted by Microsoft.

Prior to the ransomware deployment phase, DEV-1084 operators initiated an attack in the victim's Azure cloud environment. Where in the span of 2 hours and 43 minutes, they entered the cloud environment using a compromised account, adding, and manipulating properties to obtain elevated privileges before proceeding to delete servers and hosts. Microsoft assessed the end objective "was to cause data loss and a denial of service (DoS) of the target’s services." DEV-1084 used Group Policy Objects (GPO) and a scheduled task to facilitate the spread of their ransomware payload.