
23 November 2020

MuddyWater Threat Actor

I wrote about the Lazarus Group and Lazarus targeting banks because we analysed alarms about that threat actor in the Ariolo SIEM last month. However, in recent weeks we have also analysed another threat actor. MuddyWater is one of the most active Iranian APTs; it has been active since 2017 and targets Middle Eastern and Asian countries, but also the United States and some European countries. We have also seen alarms about this threat actor in the Ariolo SIEM. The attacks detected were not successful and therefore not dangerous, but reading about MuddyWater is worthwhile.

MuddyWater Alarm

The initial wave of attacks was the PowerStats era, in which MuddyWater used Office documents whose malicious macros communicated with compromised C&C servers. The second wave used the DNS tunneling technique with the same kind of Office documents, but instead of connecting to a compromised server, the group sent DNS queries to a server it owned. Finally, the third wave is a new attack campaign characterized by executables that drop two main files onto the machine: a legitimate PDF and a malicious DLL. The purpose of the campaign is thought to be intelligence gathering, destruction, or a combination of both.

An Excel file containing a malicious macro

I think it’s interesting to know the post-exploitation tools used by MuddyWater. I knew some of them, such as Meterpreter or Mimikatz, but there are post-exploitation tools I didn’t know. For instance, I didn’t know the LaZagne project, which can be used to retrieve lots of passwords stored on a local computer, such as passwords saved by browsers, chat clients, databases, etc. Another post-exploitation tool I didn’t know is Koadic, which is similar to Meterpreter and PowerShell Empire; the major difference is that Koadic does most of its operations using Windows Script Host. All the post-exploitation tools used by MuddyWater are worth a look.

Tools used by MuddyWater campaigns over the years

MuddyWater campaigns also use false flags, which are strings that threat actors plant in their tools so that the campaign is misattributed to a specific country. For instance, Chinese and Russian strings have been found in some PowerShell samples. User names such as poopak, leo, Turk and Vendetta have also been found inside weaponized Word documents. All of these false flags are distraction techniques used by MuddyWater.

Several older backdoors contained simplified Chinese texts

MuddyWater victims used to communicate directly with IP addresses acting as C&C servers. The group compromised WordPress websites and used them as proxies that forwarded commands to the final C&C servers. In addition, these C&C servers usually listened on an uncommon port and were shut down a few hours later; the next time the servers came up, they usually listened on a different port. However, the group now uses DNS tunneling: instead of communicating with compromised WordPress sites, the victims communicate with a server the group owns.

Communication flow between the operator and the victim
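The DNS tunneling described above leaves a characteristic trace in resolver logs: many queries to one registered domain whose leftmost labels are long, high-entropy and almost never repeated (encoded data), often with TXT or NULL record types. The following is an added example of that detection logic, not code from the original post; the log format, the thresholds and the `c2-placeholder.net` domain are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log: "time client qname qtype". Not real MuddyWater traffic;
# c2-placeholder.net stands in for an attacker-owned authoritative server.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 cdn.example.com A
10:00:03 10.0.0.7 00112233445566778899aabbccddeeff.cmd.c2-placeholder.net TXT
10:00:03 10.0.0.7 ffeeddccbbaa99887766554433221100.cmd.c2-placeholder.net TXT
10:00:04 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.cmd.c2-placeholder.net TXT
10:00:05 10.0.0.5 mail.example.com MX
10:00:06 10.0.0.7 a0b1c2d3e4f5061728394a5b6c7d8e9f.cmd.c2-placeholder.net TXT
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score close to log2(alphabet size)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def analyse_dns_log(log_text):
    """Per registered domain (naive last two labels): query count, distinct subdomains,
    summed entropy and length of the leftmost label, and number of TXT/NULL queries."""
    stats = defaultdict(lambda: {"q": 0, "subs": set(), "ent": 0.0, "len": 0, "txt": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        qname, qtype = parts[2].rstrip("."), parts[3]
        labels = qname.split(".")
        dom, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        first = labels[0] if len(labels) > 2 else ""
        s = stats[dom]
        s["q"] += 1
        s["subs"].add(sub)
        s["ent"] += shannon_entropy(first)
        s["len"] += len(first)
        s["txt"] += qtype in ("TXT", "NULL")
    return stats

def suspicious_domains(stats, min_queries=4, min_entropy=3.0, min_label_len=16):
    """Domains receiving many queries whose leftmost labels look like encoded payloads."""
    flagged = []
    for dom, s in stats.items():
        n = s["q"]
        if n >= min_queries and s["ent"] / n >= min_entropy \
                and s["len"] / n >= min_label_len and len(s["subs"]) / n > 0.8:
            flagged.append(dom)
    return sorted(flagged)
```

Real resolver logs need a public-suffix list instead of the naive two-label split, and CDN or anti-spam domains that legitimately use long random labels should be allow-listed before alerting.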

Thanks my friends!! Have you ever heard about MuddyWater? Neither had I.

16 November 2020


When we have lots of BIG-IP devices and lots of applications, it’s really difficult to remember where applications, IP addresses, SSL certificates, etc. have been configured. It’s also really difficult to look for nodes, pools, iRules, etc. when we have lots of applications and BIG-IP devices. In addition, when we have to manage lots of devices, application services must be deployed quickly, and we need visibility into device health, service health and network traffic, an F5 BIG-IQ deployment is mandatory.

BIG-IQ is a useful appliance that helps us look for applications, IP addresses, iRules, etc. It’s really useful for finding any object when you have a large deployment and don’t know where that object has been configured. I think it’s also really useful for visibility, because we can see how many transactions per second (TPS) and how much throughput each application handles. What’s more, BIG-IQ can be used for many other things, such as centralized certificate management or a centralized backup repository. Therefore, from my point of view, we should deploy a BIG-IQ when we have a large deployment of applications.

BIG-IQ Analytics and Visibility

The BIG-IQ architecture has two main components: the BIG-IQ Central Manager (CM) and the BIG-IQ Data Collector Device (DCD). The first one is the web console from which we manage all BIG-IP devices. It delivers analytics, visibility and reporting, and it also automates BIG-IP deployments and configurations. The second one collects alerts, events and statistical data from the managed BIG-IPs and stores them in Elasticsearch. Therefore, the BIG-IP devices send alerts, events and statistical data to the DCD, and this information is displayed in the BIG-IQ console.

BIG-IQ Components and System Architecture

The BIG-IQ Central Manager has improved a lot in the latest version. We can easily deploy applications from BIG-IQ to BIG-IP devices in a private cloud or on-premises. It’s also really interesting how we can manage Let’s Encrypt SSL certificates from BIG-IQ, which is really useful for the DevOps crowd because these certificates are free and the interface is programmatic; as a result, BIG-IQ can handle certificate creation and renewal. In addition, BIG-IQ Automation can be used as a self-service application portal with application templates and autoscale policies. In short, there are lots of new features and lots of improvements.

Analytics for BIG-IQ Applications

From my point of view, one of the most interesting features is analytics. We can configure TCP Analytics profiles and HTTP Analytics profiles in the BIG-IP and attach them to Virtual Servers. These profiles collect metrics such as TPS and throughput, page load times, HTTP methods, etc. These metrics are really useful for troubleshooting when applications are slow, and they also show how much traffic each application is handling. However, the F5 AVR (Application Visibility and Reporting) module must be deployed on the BIG-IP devices; it’s mandatory. The AVR module sends statistical data to the DCD, and the resulting analytics are displayed in the BIG-IQ console.

TCP Analytics

Thanks my friends!! Have you ever deployed and configured BIG-IQ in your infrastructure?
