Severity
High
Analysis Summary
The Iranian APT MuddyWater is targeting multiple Arabic-speaking countries. The group uses two lures: a report on relations between Arab countries and Israel, and a file on scholarships. Both lures are ZIP files used to trick users into downloading malware. The attack begins with a phishing email: decoy documents embedded in the email carry a downloader URL that directs the recipient to the ZIP file's storage location on Onehub. When opened, the file launches the installation process for ScreenConnect, which is subsequently used to communicate with the adversary.
The campaign was detected targeting government agencies in the United Arab Emirates (UAE) and likely the broader Middle East. It is linked to the Iran-nexus cyberespionage group Static Kitten because of its Israeli geopolitical-themed lures, its Ministry of Foreign Affairs (MOFA) references, and its use of the file-storage service Onehub, which was attributed to their previous campaign known as Operation Quicksand. The objective of this activity is to install a remote management tool called ScreenConnect (acquired by ConnectWise in 2015) with unique launch parameters that have custom properties. Malicious executables and URLs used in this campaign masquerade as the Ministry of Foreign Affairs (MOFA) of Kuwait (mofa.gov[.]kw).
Impact
- Unauthorized Remote Access
- Data Exfiltration
Indicators of Compromise
Domain Name
- instance-uwct38-relay[.]screenconnect[.]com
- instance-sy9at2-relay[.]screenconnect[.]com
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.
- Do not click on URLs given in untrusted emails.
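One way to act on the first remediation item for the relay domains listed above, as an added example that is not Rewterz code: it refangs the advisory's defanged domains and checks DNS query logs for them. The log format, the sample lines and the `review` verdict for other hosts of the same `instance-<id>-relay` shape are assumptions made for illustration.

```python
import re

# Defanged relay domains exactly as listed in this advisory.
ADVISORY_DOMAINS = [
    "instance-uwct38-relay[.]screenconnect[.]com",
    "instance-sy9at2-relay[.]screenconnect[.]com",
]
# Assumption: other relay hosts follow the same naming shape as the two above.
RELAY_SHAPE = re.compile(r"instance-[a-z0-9]+-relay\.screenconnect\.com")

def refang(indicator: str) -> str:
    """Turn a defanged host indicator ([.], [:]) back into matchable form."""
    return indicator.strip().replace("[.]", ".").replace("[:]", ":").lower()

def normalize_host(name: str) -> str:
    """Lower-case a queried name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

KNOWN_BAD = {refang(d) for d in ADVISORY_DOMAINS}

def classify(query: str) -> str:
    """Return 'ioc', 'review' or 'clean' for one queried hostname."""
    host = normalize_host(query)
    if host in KNOWN_BAD:
        return "ioc"      # exact match on an advisory indicator
    if RELAY_SHAPE.fullmatch(host):
        return "review"   # same relay shape, different instance id
    return "clean"        # includes look-alikes under another parent domain

def hunt(log_lines):
    """Yield (timestamp, client, host, verdict) for non-clean DNS queries."""
    for line in log_lines:
        ts, client, host = line.split()[:3]
        verdict = classify(host)
        if verdict != "clean":
            yield ts, client, normalize_host(host), verdict

# Constructed sample log: "<timestamp> <client-ip> <queried-name>".
SAMPLE_LOG = [
    "2021-02-15T08:01:12Z 10.0.4.17 instance-uwct38-relay.screenconnect.com.",
    "2021-02-15T08:02:40Z 10.0.4.22 Instance-SY9AT2-Relay.ScreenConnect.com",
    "2021-02-15T08:03:05Z 10.0.4.30 instance-ab12cd-relay.screenconnect.com",
    "2021-02-15T08:04:51Z 10.0.4.31 instance-uwct38-relay.screenconnect.com.example.net",
    "2021-02-15T08:05:09Z 10.0.4.32 www.screenconnect.com",
]

if __name__ == "__main__":
    print(*hunt(SAMPLE_LOG), sep="\n")
```

Exact matching on the normalized name keeps a query such as `instance-uwct38-relay.screenconnect.com.example.net` from being flagged, while case differences and a trailing root dot still match.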