Iran-linked Mercury APT exploited Log4Shell in SysAid Apps for initial access

An Iran-linked Mercury APT group exploited the Log4Shell vulnerability in SysAid applications for initial access to the targeted organizations.

The Log4Shell flaw (CVE-2021-44228) made the headlines in December after Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for the critical remote code execution zero-day vulnerability (aka Log4Shell) that affects the Apache Log4j Java-based logging library.

The flaw can be exploited for remote code execution and it has been leveraged by both profit-driven cybercriminals and state-sponsored cyberspies.

Log4Shell impacts the products of several major companies that use Log4j, but in many attacks, the vulnerability has been exploited against affected VMware software.

Now researchers from Microsoft, reported that Iran-linked APT tracked as Mercury (aka  MuddyWater, Static Kitten, Seedworm, TEMP.Zagros) has exploited the flaw against vulnerable SysAid apps used by Israeli organizations. The APT group was officially linked by the US government to Iran’s Ministry of Intelligence and Security.

MERCURY has already exploited the Log4j 2 in past attacks, for example, targeting vulnerable VMware apps, but this is the first time the group has used SysAid apps as a vector for initial access. 

“In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel.” reads the report published by Microsoft. “The threat actor leveraged Log4j 2 exploits against VMware applications earlier in 2022 and likely looked for similarly vulnerable internet-facing apps. SysAid, which provides IT management tools, might have presented as an attractive target for its presence in the targeted country.”

Despite SysAid has addressed the Log4Shell vulnerability shortly after its disclosure, several organizations have yet to apply the patches released by the company.

Once gained a foothold in the target network, the threat actors establish persistence, dump credentials, and move laterally within the targeted organization. The group has used both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack.

The threat actor used different methods to communicate with their C2 server, including built-in operating system tools such as PowerShell, a tunneling tool called vpnui.exe, a unique version of the open-source tool Ligolo, and a remote monitoring and management software called eHorus.

Microsoft shared a list of Inficators of Compromise (IOCs) observed during its investigation.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Log4Shell)

[adrotate banner=”5″]

[adrotate banner=”13″]