The MuddyWater APT could be a DEV-1084 group affiliate

April 26, 2023

The emerging threat group DEV-1084 has executed destructive campaigns in hybrid (on-premises and cloud) environments. Reports suggest the new group may be a partner of the notorious Iran-based group MuddyWater.

This Iran-based state-sponsored APT group is well known for targeting on-premises and cloud environments. DEV-1084's ongoing attacks, meanwhile, pose as a ransomware campaign while actually carrying out a data-wiping operation.


DEV-1084 group only wants to wipe the resources of its targets.


According to an investigation, the joint campaign of DEV-1084 and MuddyWater appears on the surface to be a ransomware attack. However, the primary objective of their operations is to wipe out the resources of the targeted systems.

MuddyWater acquires initial access by exploiting flaws in outdated software such as Log4j 2. The group then hands this access to DEV-1084, which carries out the follow-on actions.

DEV-1084 then carries out extensive activity over several months: reconnaissance, establishing persistence, and lateral movement across the compromised network. In the next stage of the attack, the group abuses the credentials of high-privilege accounts stolen during the discovery phase.

The group also encrypts all on-premises devices and wipes all accessible cloud resources, such as storage accounts, virtual networks, server farms, and virtual machines.
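A wiping stage like the one described above leaves a distinctive trail in cloud activity logs: one principal deleting many resources of several different types within minutes. The following is an added detection example, not code from the original article or from any vendor; it assumes a simplified, constructed event shape (timestamp, principal, operation, resource type) rather than a real provider schema, and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Resource types the article names as wiped by DEV-1084.
WIPE_RESOURCE_TYPES = {"storageAccounts", "virtualNetworks", "serverFarms", "virtualMachines"}

# Constructed sample events in a simplified (assumed) activity-log shape:
# (UTC timestamp, principal, operation, resource type). Not a vendor schema.
SAMPLE_EVENTS = [
    # Benign, spaced-out VM cleanup by a service account
    ("2023-04-20T01:00:00Z", "svc-cleanup@corp.example", "Delete", "virtualMachines"),
    ("2023-04-20T01:30:00Z", "svc-cleanup@corp.example", "Delete", "virtualMachines"),
    ("2023-04-20T02:10:00Z", "svc-cleanup@corp.example", "Delete", "virtualMachines"),
    # Suspicious: one principal deletes many resources of several types within minutes
    ("2023-04-20T02:00:00Z", "ops-admin@corp.example", "Read", "storageAccounts"),
    ("2023-04-20T02:00:05Z", "ops-admin@corp.example", "Delete", "virtualMachines"),
    ("2023-04-20T02:00:40Z", "ops-admin@corp.example", "Delete", "virtualMachines"),
    ("2023-04-20T02:01:10Z", "ops-admin@corp.example", "Delete", "storageAccounts"),
    ("2023-04-20T02:01:50Z", "ops-admin@corp.example", "Delete", "virtualNetworks"),
    ("2023-04-20T02:02:30Z", "ops-admin@corp.example", "Delete", "serverFarms"),
    ("2023-04-20T02:03:00Z", "ops-admin@corp.example", "Delete", "storageAccounts"),
    # Autoscaler scaling in five VMs quickly: many deletes, but a single resource type
    ("2023-04-20T03:00:00Z", "autoscale@corp.example", "Delete", "virtualMachines"),
    ("2023-04-20T03:00:10Z", "autoscale@corp.example", "Delete", "virtualMachines"),
    ("2023-04-20T03:00:20Z", "autoscale@corp.example", "Delete", "virtualMachines"),
    ("2023-04-20T03:00:30Z", "autoscale@corp.example", "Delete", "virtualMachines"),
    ("2023-04-20T03:00:40Z", "autoscale@corp.example", "Delete", "virtualMachines"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_deletions(events, window=timedelta(minutes=10), min_deletes=5, min_types=2):
    """Return {principal: (delete_count, sorted resource types)} for every principal whose
    densest `window` of deletions reaches `min_deletes` events across `min_types` types."""
    deletions = defaultdict(list)
    for ts, principal, operation, resource_type in events:
        if operation == "Delete" and resource_type in WIPE_RESOURCE_TYPES:
            deletions[principal].append((parse_ts(ts), resource_type))

    alerts = {}
    for principal, items in deletions.items():
        items.sort()
        best = []
        start = 0
        # Sliding window over the time-ordered deletions; keep the densest one.
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            current = items[start:end + 1]
            if len(current) > len(best):
                best = current
        types = {resource_type for _, resource_type in best}
        if len(best) >= min_deletes and len(types) >= min_types:
            alerts[principal] = (len(best), sorted(types))
    return alerts


if __name__ == "__main__":
    for principal, (count, types) in detect_bulk_deletions(SAMPLE_EVENTS).items():
        print(f"ALERT {principal}: {count} deletions across {types}")
```

The type-diversity threshold is what separates a wiper from a noisy but legitimate automation: an autoscaler deleting five virtual machines in a minute is normal, while one identity deleting storage accounts, virtual networks, server farms and virtual machines together in the same window is not. Tune `window`, `min_deletes` and `min_types` to the tenant's baseline before relying on the rule.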

Furthermore, the campaign accesses email inboxes through Exchange Web Services and uses them to send spam to other employees and external contacts.

The operation also carries out additional malicious activities, such as installing web shells and remote access tools, adding new user accounts, escalating privileges, and stealing credentials.
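Two of the activities listed above, adding new user accounts and escalating privileges, can be correlated in Windows Security logs: a freshly created account (event 4720) that is added to a privileged group (events 4728 or 4732) shortly afterwards is a strong signal. The following is an added detection example, not code from the original article; the event shape is a simplified, constructed representation (not the raw EVTX field names), and the sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created,
# 4728 = member added to a security-enabled global group,
# 4732 = member added to a security-enabled local group.
ACCOUNT_CREATED = 4720
GROUP_ADD_EVENTS = {4728, 4732}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Constructed sample events in a simplified (assumed) shape, not the raw EVTX/XML fields:
# time, event id, subject (who acted), target (account created or added), group (for adds).
SAMPLE_EVENTS = [
    {"time": "2023-04-18T22:10:00Z", "id": 4720, "subject": "helpdesk1", "target": "j.smith", "group": None},
    {"time": "2023-04-18T23:05:00Z", "id": 4720, "subject": "ops-admin", "target": "svc-maint", "group": None},
    {"time": "2023-04-18T23:07:30Z", "id": 4732, "subject": "ops-admin", "target": "svc-maint", "group": "Administrators"},
    {"time": "2023-04-19T00:00:00Z", "id": 4728, "subject": "ops-admin", "target": "svc-maint", "group": "Domain Admins"},
    # Normal onboarding: new account added to a non-privileged group the next morning
    {"time": "2023-04-19T09:00:00Z", "id": 4732, "subject": "helpdesk1", "target": "j.smith", "group": "Remote Desktop Users"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate_new_privileged_accounts(events, window=timedelta(hours=24)):
    """Return (account, group, creator, seconds_after_creation) for every account that was
    created and then added to a privileged group within `window`, in time order."""
    created = {}  # account -> (creation time, subject that created it)
    findings = []
    # Fixed-width ISO timestamps sort correctly as strings.
    for event in sorted(events, key=lambda e: e["time"]):
        when = parse_ts(event["time"])
        if event["id"] == ACCOUNT_CREATED:
            created[event["target"]] = (when, event["subject"])
        elif event["id"] in GROUP_ADD_EVENTS and event["group"] in PRIVILEGED_GROUPS:
            origin = created.get(event["target"])
            if origin and when - origin[0] <= window:
                elapsed = int((when - origin[0]).total_seconds())
                findings.append((event["target"], event["group"], origin[1], elapsed))
    return findings


if __name__ == "__main__":
    for account, group, creator, elapsed in correlate_new_privileged_accounts(SAMPLE_EVENTS):
        print(f"ALERT {account} created by {creator} joined {group} after {elapsed}s")
```

The correlation keys on the target account rather than on the actor, so it still fires when the account is created by one compromised identity and promoted by another. Extend `PRIVILEGED_GROUPS` with the tenant's own high-privilege groups, and keep the window short enough that routine onboarding does not trigger it.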

Cybersecurity experts describe MuddyWater as a large cybercriminal organisation; hence, its joint operation with DEV-1084 could soon lead to more disruptive attacks on any targeted organisation.

These attacks could materialise once both groups share their pools of infrastructure and resources. Moreover, the two groups can work together without friction, since DEV-1084 specialises in espionage and is not a financially motivated threat entity.

Experts recommend a defence-in-depth strategy with a reliable incident response plan to defend against these threats.
