Microsoft has warned that an Iranian state-based threat actor it calls Mercury is using the Log4Shell flaws in applications from IT vendor SysAid against organizations located in Israel.
Microsoft’s nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC), has assessed with “high confidence” that the campaign is affiliated with Iran’s Ministry of Intelligence and Security (MOIS). US Cyber Command tracks the group as MuddyWater, which it assesses is a “subordinate element” of MOIS.
Targeting SysAid apps is a new approach for Mercury, which in the past has used Log4Shell remote code execution flaws in VMware apps to carry out attacks.
SysAid is an IT services management firm founded in Israel. The company rolled out Log4j patches for its cloud and on-premises products in January, shortly after the Apache Software Foundation disclosed the bugs in the Log4j Java logging library on December 9.
“In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel,” Microsoft warned.
Microsoft observed the group using what were “most likely” Log4Shell exploits between July 23 and 25 against SysAid Server instances exposed to the internet. The campaign is occurring against the backdrop of the US, Iran and Israel negotiating a new nuclear deal.
“After gaining access, MERCURY establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack,” Microsoft explained.
The group is dropping and using web shells to execute commands related to reconnaissance, lateral movement and persistence. It’s also using the open-source pen-testing tool Mimikatz to dump and steal credentials, as well as dumping credentials in SQL servers to steal high-privilege service accounts.
While the threat appears to be targeted exclusively at organizations based in Israel, Microsoft is urging all organizations to check whether SysAid is present on the network and apply the firm’s patches for the Log4j flaws.
Previously, US Cyber Command has found MOIS using known vulnerabilities to carry out attacks. Throughout 2021, Iranian threat actors were using flaws in Fortinet gear and the Microsoft Exchange Server ProxyShell bugs to gain initial access to targets.
The US Cyber Safety Review Board (CSRB) in July deemed Log4Shell an “endemic” vulnerability that it expects to affect systems until at least 2032. Part of Log4Shell’s problem is that the Log4j component is used in so many different applications, and discovering which of them are affected remains a challenge. The Cybersecurity and Infrastructure Security Agency (CISA) estimated hundreds of millions of internet-facing devices were vulnerable to Log4Shell.
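Both Microsoft's advice to check for SysAid and the CSRB's point about discovering affected components come down to the same defender task: finding which Log4j 2 builds are actually on a host, including copies nested inside application archives. The following inventory script is an added example written for this article, not code from Microsoft, SysAid or the CSRB; it assumes a Maven-built log4j-core jar (so `pom.properties` carries the version), treats 2.17.1 as the patched baseline, and treats a jar with `JndiLookup.class` removed as mitigated.

```python
import io
import re
import zipfile
from pathlib import Path
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
PATCHED = (2, 17, 1)  # assumption for this example: 2.x builds from here on are treated as patched
ARCHIVES = {".jar", ".war", ".ear", ".zip"}

def parse_version(pom_properties):
    """Read 'version=X.Y.Z' from Maven pom.properties; None if absent or non-numeric (e.g. 2.0-beta9)."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_archive(data, label):
    """Inspect one zip-format archive held in memory, recursing into nested jars/wars/ears."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    names = set(zf.namelist())
    version = parse_version(zf.read(POM_PROPS).decode(errors="replace")) if POM_PROPS in names else None
    has_jndi = JNDI_LOOKUP in names
    findings = []
    if version is not None or has_jndi:
        # Flag when the JNDI lookup class is present and the build is older than PATCHED or its
        # version cannot be read; a jar with the class stripped out is treated as mitigated.
        findings.append({"path": label, "version": version, "jndi_lookup": has_jndi,
                         "flagged": has_jndi and (version is None or version < PATCHED)})
    for inner in sorted(names):
        if Path(inner).suffix.lower() in ARCHIVES:
            findings.extend(inspect_archive(zf.read(inner), f"{label}!/{inner}"))
    return findings

def scan(root):
    """Walk a directory tree (for example a SysAid install) and inspect every archive in it."""
    return [f for p in sorted(Path(root).rglob("*")) if p.is_file() and p.suffix.lower() in ARCHIVES
            for f in inspect_archive(p.read_bytes(), str(p))]

def build_sample_archive(version=None, with_jndi=True, wrap_as=None):
    """Constructed fixture: a minimal log4j-core-like jar, optionally nested inside another archive."""
    def make(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for name, body in entries:
                z.writestr(name, body)
        return buf.getvalue()
    jar = make(([(POM_PROPS, f"version={version}\n")] if version else [])
               + ([(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")] if with_jndi else []))
    return jar if wrap_as is None else make([(wrap_as, jar)])
```

Run `scan("/path/to/app")` on a host and review every entry whose `flagged` is true; an entry with `version` of `None` means the jar carries the lookup class but its build could not be identified and needs a manual look.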
Microsoft recommends that security teams review all authentication activity for remote access infrastructure and focus on accounts that have not been protected with multi-factor authentication (MFA). It also recommends that organizations enable MFA.