The U.S. and British authorities have issued a warning about a spy group attacking targets worldwide through zip files. The group is called MuddyWater and is affiliated with Iranian intelligence, according to the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Cyber Command Cyber National Mission Force (CNMF) and the British National Cyber Security Centre (NCSC).
The group has targeted public and private organizations in various sectors, including telecom, defence, oil and gas, in Africa, Asia, Europe and North America. To attack these organizations, the group exploits known vulnerabilities in Microsoft Exchange and uses spear phishing, among other techniques. In these targeted phishing emails, the group sends zip files. The zip files contain either an Excel document carrying a malicious macro that, once enabled by the user, installs malware, or a pdf document that attempts to install malware.
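The delivery chain described above (a zip attachment wrapping a macro-enabled Excel workbook or a pdf) can be screened at the mail gateway before the user ever sees the "enable content" prompt. The following is an added example, not code from the advisory or from any of the agencies named; it is a hypothetical attachment inspector that opens the outer zip, looks inside any Office Open XML document (itself a zip) for a `vbaProject.bin` part, and flags pdfs, executables and legacy binary Office formats it cannot parse. The sample attachments it builds are constructed in memory for the demonstration.

```python
import io
import zipfile

# Office Open XML formats are ZIP containers; a VBA project lives in a vbaProject.bin part.
OOXML_SUFFIXES = (".xlsx", ".xlsm", ".xlam", ".xltm", ".docx", ".docm", ".pptx", ".pptm")
# Legacy OLE2 binary formats are not ZIPs and need a dedicated parser (e.g. oletools);
# this example simply flags them as uninspectable.
LEGACY_OFFICE_SUFFIXES = (".xls", ".doc", ".ppt")
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".cmd", ".bat")


def office_has_vba(doc_bytes):
    """Return True if an Office Open XML document embeds a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
            names = doc.namelist()
    except zipfile.BadZipFile:
        return False  # not a ZIP, so not an OOXML document; caller decides what to do
    return any(name.lower().endswith("vbaproject.bin") for name in names)


def inspect_zip_attachment(zip_bytes):
    """Inspect an attachment presented as a ZIP and return (finding, member name) pairs."""
    findings = []
    try:
        outer = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return [("not-a-zip", "")]
    with outer:
        for info in outer.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(".pdf"):
                findings.append(("pdf-in-zip", name))
            elif lower.endswith(OOXML_SUFFIXES):
                kind = "office-with-vba-macro" if office_has_vba(outer.read(info)) else "office-document"
                findings.append((kind, name))
            elif lower.endswith(LEGACY_OFFICE_SUFFIXES):
                findings.append(("legacy-office-binary", name))
            elif lower.endswith(EXECUTABLE_SUFFIXES):
                findings.append(("executable-in-zip", name))
    return findings


# Findings that should stop delivery (or quarantine the message) outright.
BLOCKING_FINDINGS = {"office-with-vba-macro", "executable-in-zip", "legacy-office-binary", "not-a-zip"}


def should_block(findings):
    """Policy decision: block when any finding is in the blocking set."""
    return any(kind in BLOCKING_FINDINGS for kind, _ in findings)


def build_sample_attachment(with_macro):
    """Constructed sample: a minimal OOXML workbook (a ZIP) wrapped in an outer ZIP."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"\x00" * 16)  # stand-in for a real VBA project
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.xlsm" if with_macro else "invoice.xlsx", doc.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro", build_sample_attachment(True)), ("clean", build_sample_attachment(False))):
        findings = inspect_zip_attachment(sample)
        print(label, findings, "BLOCK" if should_block(findings) else "allow")
```

The check is deliberately structural rather than signature-based: it does not care what the macro does, only that a VBA project is present in an attachment arriving from outside, which matches the advisory's point that email attachments frequently carry executable code. Password-protected zips, nested zips and pdf-embedded payloads fall outside this example and would need additional handling.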
To counter attacks by the group, US and UK authorities recommend the use of application control software to limit which applications and code users can run. “Email attachments and files downloaded via links in emails often contain executable code,” the warning said. For the same reason, organizations are also advised to disable hyperlinks in email entirely and to add a banner to emails that originate outside the organization.
Organizations are also advised to train users and to limit the use of administrative rights. “Users who browse the internet, use email, and execute code with administrative privileges are a significant target for spear phishing, as their system, once infected, allows attackers to move laterally through the network, providing additional access, and accessing highly sensitive information,” the alert said. The FBI, CISA, CNMF and the NCSC also provide various indicators of compromise in the advisory, with which organizations can detect the malware within their networks.