2022-08-30

MuddyWater APT Exploits Log4j

Industry: Telecommunication | Level: Tactical | Source: Microsoft


Iranian threat group MuddyWater has been discovered exploiting the Log4Shell vulnerability (CVE-2021-44228) against Israeli organizations. Recently, the group has shown an interest in telecommunication organizations located in the Middle East and Asia. Microsoft has also observed MuddyWater exploiting Log4Shell in unpatched SysAid Server instances to drop web shells. With a means to execute commands on the system, the threat actors collected system information using cmd.exe, net.exe, and encoded PowerShell commands. Once the target had been profiled, MuddyWater operators established persistence in the autorun registry with a new user account. Using Mimikatz, the threat actors collected credentials to facilitate lateral movement. Tools used for lateral movement included RDP and Windows Management Instrumentation (WMI).

Anvilogic Scenario:

  • MuddyWater - Attack Recon, Credential Theft & Lateral Movement

Anvilogic Use Cases:

  • Potential CVE-2021-44228 - Log4Shell
  • New AutoRun Registry Key
  • Tunneling Process Created
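The post-exploitation steps described above (encoded PowerShell recon, a new account created with net.exe, and a new autorun registry value) map onto host telemetry that most Windows estates already collect. The following is an added example, not Anvilogic's or Microsoft's detection content: it runs three simple rules over constructed Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set). Field names, the sample command lines, the SID and paths in the events are all constructed for the example; the base64 payload is just `whoami` encoded the way `-EncodedCommand` expects (UTF-16LE, then base64), so the decoder can surface the plaintext for an analyst.

```python
"""Detection rules for the MuddyWater post-exploitation chain, run over
constructed Sysmon-like events. Added example; not vendor detection content."""
import base64
import binascii
import re

# Constructed: "whoami" encoded as PowerShell's -EncodedCommand expects (UTF-16LE + base64).
ENCODED_WHOAMI = base64.b64encode("whoami".encode("utf-16-le")).decode("ascii")

# Constructed Sysmon-like events. EventID 1 = process create, EventID 13 = registry value set.
# The SID, user names and file paths are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {ENCODED_WHOAMI}"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Unrestricted -File C:\\Scripts\\inventory.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net user helpdesk-tmp Placeholder123 /add"},
    {"EventID": 13, "Image": r"C:\Users\Public\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\update.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp\DisplayName",
     "Details": "Example App"},
]

# PowerShell accepts unique prefixes of -EncodedCommand; the common short forms are listed.
# Requiring whitespace after the switch keeps "-ExecutionPolicy" from matching "-e".
ENC_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Run / RunOnce under HKLM, HKCU or a loaded user hive (HKU\<SID>), including the Wow6432Node view.
AUTORUN_KEY = re.compile(r"(?i)\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\")
# Local account creation through net.exe / net1.exe.
NET_USER_ADD = re.compile(r"(?i)\bnet1?(?:\.exe)?\s+user\s+.*\s/add\b")


def decode_encoded_command(command_line):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or undecodable."""
    match = ENC_ARG.search(command_line)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:          # UTF-16LE payloads are always an even number of bytes
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def is_autorun_key(target_object):
    """True when a registry write lands in a Run/RunOnce autostart key."""
    return AUTORUN_KEY.search(target_object) is not None


def detect(events):
    """Apply the three rules and return a list of alert dicts with analyst context."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                alerts.append({"rule": "Encoded PowerShell Command", "decoded": decoded,
                               "parent": ev.get("ParentImage"), "command_line": cmd})
            if NET_USER_ADD.search(cmd):
                alerts.append({"rule": "Local Account Created via net.exe",
                               "parent": ev.get("ParentImage"), "command_line": cmd})
        elif ev.get("EventID") == 13 and is_autorun_key(ev.get("TargetObject", "")):
            alerts.append({"rule": "New AutoRun Registry Key", "key": ev["TargetObject"],
                           "value": ev.get("Details"), "writer": ev.get("Image")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Decoding the `-EncodedCommand` argument before alerting matters in practice: the decoded text (here `whoami`) is what an analyst triages, and the parent process (cmd.exe launching a hidden, encoded PowerShell) is the context that separates this from routine scripted administration. The registry rule keys on the value path rather than the writing process, since the writer is the unknown binary being persisted.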
