Log4Shell, one of the largest and potentially most devastating vulnerabilities to ever be discovered, is still being leveraged by threat actors more than half a year after it was first observed, and patched.
A new report from the Microsoft Threat Intelligence Center (MSTIC), and Microsoft 365 Defender Research Team said recently discovered threat actors known as MERCURY (also known as MuddyWater) have been leveraging Log4Shell against organizations all located in Israel. MERCURY is believed to be a state-sponsored threat actor from Iran, under the direct command of the Iranian Ministry of Intelligence and Security.
The criminals used the flaw on SysAid applications, which is a relatively novel approach, the teams said: “While MERCURY has used Log4j 2 exploits in the past, such as on vulnerable VMware apps, we have not seen this actor using SysAid apps as a vector for initial access until now.”
Establishing persistence, stealing data
The group uses Lof4Shell to gain access to target endpoints, and drop web shells that give them the ability to execute several commands. Most of them are for reconnaissance, but one downloads more hacking tools.
After using Log4Shell to gain access to target endpoints (opens in new tab), MERCURY establishes persistence, dumps credentials, and moves laterally across the target network, Microsoft says.
It adds a new admin account to the compromised system, and adds leveraged software (opens in new tab) in the startup folders and ASEP registry keys, to ensure persistence even after reboot.
To mitigate the threat of MERCURY, Microsoft recommends adopting a number of security considerations, including checking to see if the organization uses SysAid and applying security patches (opens in new tab) and updates, if available.
Organizations should also block inbound traffic from IP addresses specified in the indicators of compromise table, found here (opens in new tab). All authentication activity for remote access infrastructure should be reviewed, with IT teams focusing mostly on accounts configured with single-factor authentication. Finally, multi-factor authentication (MFA) needs to be enabled wherever possible.