Free Access
Blog

Iranian Threat Actor MERCURY Exploits Log4j 2 Vulnerabilities in Unpatched Systems

This image is about MERCURY exploiting Log4j 2 vulnerabilities.

The Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team found that Iran-based threat actor MERCURY exploited Log4j 2 vulnerabilities in SysAid applications. The threat actor targets organizations that are all based in Israel.

After gaining access, MERCURY maintains persistence, flushes credentials, and moves laterally within the targeted organization using both proprietary and well-known hacking tools and embedded operating system tools for a hands-on keyboard attack.

Microsoft assessed that MERCURY exploited remote code execution vulnerabilities in Apache Log4j 2 in vulnerable SysAid Server instances where targets are running.

According to US Cyber Command, MuddyWater, a group tracked as MERCURY, “is a subordinate element within the Iranian Ministry of Intelligence and Security.”

MERCURY was observed to exploit vulnerabilities against vulnerable SysAid Server instances as the initial access vector.

Based on observations, Microsoft says the exploits are most likely related to Log4j 2. The threat actor exploited Log4j 2 vulnerabilities against VMware applications in early 2022.

mercury-attack-chain
MERCURY Attack Chain

SysAid many organizations use it as an IT management tool, service desk and help desk solution. For this reason, it is a very good first access vector.

Successfully exploiting SysAid allows the threat actor to drop and use webshells to execute various commands. Adds a user, elevates their privileges to a local administrator, and then adds attack tools to their startup folders to ensure persistence across reboots.

It has been observed that MERCURY is using its foothold more and more to compromise other devices in target organizations by leveraging a variety of methods. These methods are remote services (using the RemCom tool) to use Windows Management Tools (WMI) to start commands on devices in organizations and run coded PowerShell commands in organizations.

In the attack, the threat actor used embedded operating system tools such as PowerShell to communicate with the command and control (C2) server, a tunneling tool called vpnui.exe, a unique version of the open source tool Ligolo, and remote monitoring and management software eHorus.

Be sure to check if you’re within the targeting scope of the group by reviewing the report.

References:

https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/

More posts

This image is about monthly vulnerabilities for September 2024.
Peek into Monthly Vulnerabilities: September 2024
October 9, 2024
This image is about the ServiceNow data leak.
ServiceNow Data Leak: Risks of Misconfigured Knowledge Bases
September 18, 2024
This image is about monthly vulnerabilities for July 2024.
Peek into Monthly Vulnerabilities: July 2024
August 12, 2024
This image is about cyber strategies for the Paris Olympics 2024.
Securing the Games: Cyber Strategies for Paris Olympics 2024
August 9, 2024
This image is about Russian influence operations targeting the Paris Olympics 2024.
Hunter’s Lens: Russian Influence Operations Targeting the Paris Olympics 2024
August 2, 2024
View All
advanced divider

Share this article

Found it interesting? Don’t hesitate to share it to wow your friends or colleagues
advanced divider
Subscribe to our blog newsletter to follow the latest posts
Stay informed with the latest updates, expert insights, and in-depth analysis from ThreatMon’s cybersecurity intelligence. Subscribe to receive critical news, threat reports, and industry trends directly in your inbox, helping you stay ahead of emerging cyber threats.

Platform

Subscriptions

Solutions

Resources

Partner

Company

© 2024 ThreatMon. All rights reserved.
X-twitter Linkedin-in Github