Iranian threat MuddyWaters is phishing

Mar 26 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that has cybercriminals running for the hills or the private jet to Antigua like Puff Daddy P. Diddy Diddy P. Dophile #FIFY 🙈🤮💀

Today’s hottest cybersecurity news stories:

  • 🪝 Iranian threat MuddyWaters is phishing w/ Atera for surveillance

  • 💻 Mac users beware! GoFetch vulnerability could leak secret codes 🔓

  • 🤖 Top-gg and others affected by Github hijack via supply chain attack ⛓️

This cyberattack is sure to give you the blues… #MuddyWaters 🎸😁💀

🚨 New Phishing Campaign: MuddyWater Targets Israeli Entities with Atera 🎯

Recent intelligence reveals that the Iran-affiliated threat actor known as MuddyWater has launched a phishing campaign in March 2024, aiming to deploy the legitimate Remote Monitoring and Management (RMM) solution called Atera. 🎣

📅 March Campaign: Spanning from March 7 through the week of March 11, MuddyWater's activity targeted Israeli entities across global manufacturing, technology, and information security sectors, according to Proofpoint.

💌 Phishing Tactics: MuddyWater sent emails carrying PDF attachments that contained malicious links, and also messages with the links embedded directly in the email body, a shift away from relying on PDF attachments alone.

🔗 Attack Chains: The phishing messages include links to files hosted on file-sharing sites like Egnyte, Onehub, Sync, and TeraBox. Clicking on the link leads to a ZIP archive containing an MSI installer file that installs the Atera Agent on compromised systems.

🛡️ Legitimate Tools: MuddyWater's reliance on legitimate remote desktop software aligns with its strategic goals, having previously utilised tools like ScreenConnect, RemoteUtilities, Syncro, and SimpleHelp.

⚠️ Growing Risks: The shift in tactics coincides with Iranian hacktivist group Lord Nemesis targeting the Israeli academic sector through a software supply chain attack on Rashim Software. The breach highlights the significant risks posed by third-party vendors and the growing threat of nation-state actors targeting smaller companies.

🌐 Cybersecurity Concerns: This incident underscores the need for robust security measures, including multi-factor authentication (MFA), to mitigate the risks posed by supply chain attacks and nation-state adversaries. Vigilance and proactive security measures are essential to safeguard against evolving threats in the cyber landscape. 🛡️🔒

Get smarter about protecting your S3 data

With rising costs for Amazon S3 storage and potentially devastating business consequences from data loss, you need a holistic approach to cutting unnecessary spending and guarding against risks. Lawrence Miller, a consultant to multinational corporations who holds numerous networking certifications, has authored a concise volume that lays out the path to success in managing backup and compliance for S3 data lakes.

And why hasn’t Apple patched it since it was discovered in December? GoFigure 😂

🚨 New(ish) Apple Chip Vulnerability: GoFetch 🔒

Security researchers have uncovered a critical vulnerability in Apple M-series chips called GoFetch, which could allow threat actors to extract secret keys used during cryptographic operations. 🍏 Apple has known about the threat since December.

💥 Microarchitectural Side-Channel Attack: GoFetch leverages a feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data from the CPU cache. Prefetchers predict memory access patterns to reduce latency.

🔍 How It Works: DMP prefetches data from memory based on observed access patterns, making it susceptible to cache-based attacks that reveal contents associated with a victim process. GoFetch exploits this behaviour to leak sensitive data speculatively.

👥 Attack Scenario: The attacker and victim must be co-located on the same CPU cluster. The threat actor could trick the victim into downloading a malicious app that exploits GoFetch. Even if the victim follows the constant-time programming paradigm, DMP generates secret-dependent memory access on the victim's behalf.

🚨 Implications: GoFetch nullifies security protections offered by constant-time programming against timing side-channel attacks, presenting serious security risks. Existing Apple CPUs cannot be fixed, necessitating preventive measures by cryptographic library developers and system updates for users.

🔧 Mitigation: Enabling data-independent timing (DIT) on Apple M3 chips disables DMP. However, this is not possible on M1 and M2 processors. Developers are advised to avoid conditional branches and memory access locations based on secret data. Users should keep systems up-to-date.

🏞️ Cybersecurity Landscape: Meanwhile, researchers have demonstrated a GPU cache side-channel attack affecting browsers and graphics cards, enabling inference of sensitive information like passwords via specially crafted JavaScript code. Countermeasures include requiring user permission for GPU access in browsers. 🛡️🔑

🎣 Catch of the Day!! 🌊🐟🦞

🃏 The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can't get fooled again.” Good ol’ George Dubya 😂 Let us tell you who’s not fooling around though; that’s the Crüe 👀 at Motley Fool. You’d be a fool (alright, enough already! 🙈) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! 🐛 Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets 🤑 (LINK)


🚵 Wander: Find your happy place. Cue Happy Gilmore flashback 🏌️⛳🌈🕊️ Mmmm Happy Place… 😇 So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels set Wander apart from your run-of-the-mill American getaway 🏞️😍 (LINK)


🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ⚾👻🍿 (Great movie, to be fair 🙈). This is Digital Ocean, who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty 😑). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho 😉 And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

This attack’s got Andrew Tate sweating #TopG 🙈😬😂

🚨 Sophisticated Supply Chain Attack Hits Top.gg on GitHub 🔒

A complex attack campaign has targeted individual developers and the GitHub organisation account associated with Top.gg, a Discord bot discovery site, according to Checkmarx.

🛡️ Multiple Tactics Deployed: The adversaries used various tactics, including account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing tainted packages to the PyPI registry.

💼 Impact: Sensitive information, including passwords and credentials, was stolen. Malicious versions of well-known packages like Colorama were hosted on a typosquatted domain "files.pypihosted[.]org."

📦 Propagation: Rogue packages were spread via GitHub repositories containing a requirements.txt file. The malicious Colorama was inserted within these repositories, leading to the compromise of multiple systems.

⚠️ GitHub Account Hijack: The verified GitHub account "editor-syntax" associated with Top.gg's python-sdk was hijacked, allowing the threat actor to make malicious commits. This account takeover was facilitated through stolen cookies.

🔍 Ongoing Threat: The attackers pushed multiple changes to rogue repositories, concealing alterations to the requirements.txt file. The campaign, dating back to November 2022, exploited trust in the open-source package ecosystem.

🚨 Malware Payload: The counterfeit Colorama package activates a multi-stage infection sequence, stealing data such as Discord tokens and crypto wallets. Captured data is transferred to the attackers via anonymous file-sharing services.

🔒 Mitigation: Vigilance is crucial when installing packages and repositories, even from trusted sources. Thoroughly vet dependencies, monitor for suspicious network activity, and maintain robust security practices to mitigate risks.

🔄 Update: The repository "github[.]com/whiteblackgang12/Discord-Token-Generator" is now inaccessible on GitHub, indicating a response to the attack.

This incident underscores the need for heightened security measures in the software supply chain and serves as a reminder to remain vigilant against evolving threats. 🛡️🔑
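The Propagation and Mitigation points above come down to one concrete check: does a requirements.txt quietly point pip at a package host other than PyPI? The script below is an added example, not code from the original post or from Checkmarx; it assumes a constructed requirements.txt modelled on the campaign (the typosquatted "files.pypihosted.org" mirror from the write-up standing in for the real host) and flags every index option, direct-URL requirement or bare URL whose host is not one of the two legitimate PyPI hosts.

```python
import re
from urllib.parse import urlparse

# Hosts that legitimately serve PyPI packages; anything else is reported.
TRUSTED_HOSTS = {"pypi.org", "files.pythonhosted.org"}

# pip options that redirect where packages are fetched from.
INDEX_OPTS = ("--index-url", "-i", "--extra-index-url", "--find-links", "-f")

# Constructed sample requirements.txt (not a real repository file): lines 2 and 3
# pull colorama from the typosquatted mirror named in the write-up.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
--extra-index-url https://files.pypihosted.org/simple
colorama @ https://files.pypihosted.org/packages/colorama-0.4.6.tar.gz
numpy>=1.26  # comment lines and trailing comments are ignored
"""

def find_untrusted_sources(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, host, original_line) for every line that points pip at a
    host outside TRUSTED_HOSTS: index/find-links options (space or '=' form),
    'name @ url' direct references, and bare URL requirements."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        tokens = line.split()
        url = None
        if tokens[0] in INDEX_OPTS and len(tokens) > 1:
            url = tokens[1]                              # --index-url https://...
        elif tokens[0].startswith(tuple(o + "=" for o in INDEX_OPTS)):
            url = tokens[0].split("=", 1)[1]             # --index-url=https://...
        elif " @ " in line:
            url = line.split(" @ ", 1)[1]                # pkg @ https://...
        elif re.match(r"^[a-z][a-z0-9+.-]*://", line):
            url = line                                   # bare URL requirement
        if url is None:
            continue
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_HOSTS:
            findings.append((lineno, host, raw))
    return findings
```

Run it over each requirements.txt before installing from a freshly cloned repository; a hit on an unfamiliar host is the cue to stop and inspect rather than to trust a "verified" commit.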

๐Ÿ—ž๏ธ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think!

So long and thanks for reading all the phish!

🎣
