Iran-based hackers are exploiting Log4j vulnerabilities in attacks against Israeli orgs

 

An Iran-linked state-sponsored hacker group has been leveraging Log4j (Log4Shell) vulnerabilities in SysAid software in attacks targeting organizations in Israel.

Although the Log4Shell vulnerability was discovered and patched nearly ten months ago, in December 2021, many software products still remain vulnerable. One of them is SysAid, an online automated IT support and management software solution.

According to a new security alert from Microsoft, the threat actor the company tracks as MERCURY (also known as MuddyWater), believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), has used Log4j 2 exploits against vulnerable SysAid Server instances, a relatively novel approach.

“While MERCURY has used Log4j 2 exploits in the past, such as on vulnerable VMware apps, we have not seen this actor using SysAid apps as a vector for initial access until now,” Microsoft notes.

The exploitation of SysAid allows the threat actor to drop and leverage web shells to execute commands, most of them related to reconnaissance, while one downloads additional hacking tools.

Once they gain access, the hackers establish persistence, dump credentials, and move laterally within the targeted organization using both custom and well-known hacking tools (such as the Venom proxy tool, Ligolo reverse tunneling, and home-grown PowerShell programs), as well as built-in operating system tools, for their hands-on-keyboard attack, Microsoft says.

The threat actor creates a new admin account on the compromised system and adds its tooling to the startup folders and ASEP registry keys to ensure persistence across reboots.

The researchers said they have also observed MuddyWater using its foothold to compromise other devices within the target organizations, leveraging Windows Management Instrumentation (WMI) to launch commands on those devices and remote services (via the RemCom tool) to run encoded PowerShell commands.
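As an added defender-side illustration (not code from Microsoft's alert, SysAid, or any vendor), the following Python scans Sysmon-style event records for the post-exploitation behaviours the report names: Run-key (ASEP) and Startup-folder persistence, encoded PowerShell launches, local admin account changes, and shells spawned by the WMI provider host. The event field names and the sample events are assumptions constructed for the example.

```python
import ntpath
import re

# Sysmon-style event IDs assumed here: 1 = process create, 11 = file create, 13 = registry value set.
ASEP_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
ADMIN_ADD = re.compile(r"\bnet1?(\.exe)?\s+(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)", re.I)
REMOTE_EXEC_PARENTS = {"wmiprvse.exe"}  # children of the WMI provider host were launched via WMI
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def classify(event):
    """Return the behaviour tags an event triggers (empty list when nothing fires)."""
    tags = []
    eid = event.get("id")
    if eid == 13 and ASEP_KEY.search(event.get("target", "")):
        tags.append("asep_persistence")            # Run/RunOnce value written
    if eid == 11 and STARTUP_DIR.search(event.get("target", "")):
        tags.append("startup_folder_persistence")  # file dropped into a Startup folder
    if eid == 1:
        cmd = event.get("cmdline", "")
        if ENCODED_PS.search(cmd):
            tags.append("encoded_powershell")      # -EncodedCommand style launch
        if ADMIN_ADD.search(cmd):
            tags.append("admin_account_change")    # net user / net localgroup ... /add
        parent = ntpath.basename(event.get("parent", "")).lower()
        child = ntpath.basename(event.get("image", "")).lower()
        if parent in REMOTE_EXEC_PARENTS and child in SHELLS:
            tags.append("wmi_remote_exec")         # shell spawned by WmiPrvSE.exe
    return tags

def scan(events):
    """Map the index of every event that fired at least one rule to its tags."""
    hits = {}
    for i, event in enumerate(events):
        tags = classify(event)
        if tags:
            hits[i] = tags
    return hits

# Constructed sample telemetry (not real indicators); the base64 blob decodes to the word "Placeholder".
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Windows\System32\reg.exe", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"id": 11, "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"id": 1, "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "net localgroup administrators svcadmin /add"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the first four events and leaves the benign notepad launch untagged.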
