Threat actors continue to exploit Log4Shell (CVE-2021-44228 in Apache Log4j 2), one of the most widespread and arguably most dangerous vulnerabilities ever found, more than six months after it was first identified and patched.
The threat actor tracked as MERCURY (also known as MuddyWater) has been using Log4Shell against organisations located in Israel, according to a new analysis from the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Research Team. Microsoft assesses MERCURY to be a state-sponsored actor operating out of Iran, reporting directly to Iran's Ministry of Intelligence and Security (MOIS).
According to the teams, while MERCURY has previously used Log4j 2 exploits, such as against vulnerable VMware apps, "we have not seen this actor employ SysAid apps as a route for initial access until now." The group's use of the flaw in SysAid, an IT service management product, is therefore a somewhat novel approach.
Persistence and data theft
The group uses Log4Shell to gain access to the target endpoints and then drops web shells that let it run a number of commands. Most of these commands are for reconnaissance, but they are also used to download further hacking tools.
According to Microsoft, after using Log4Shell to obtain access to target endpoints, MERCURY establishes persistence, dumps credentials and moves laterally across the target network.
A new administrator account is created on the compromised system, and the group's tooling is added to the startup folders and to ASEP (autostart extensibility point) registry keys, such as the Run keys, so that it survives a reboot.
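The persistence chain just described (a new local account added to Administrators, followed by a Run-key write and a Startup-folder drop on the same host within a short window) is something a SOC can hunt for in Windows Security and Sysmon telemetry. The script below is an added example written for this page; it is not code from Microsoft or from the original article. The event records are constructed sample data (hostnames, user names, paths and timestamps are all invented), and the JSON field names are an assumed flattened export of Security events 4720 and 4732 and Sysmon events 11 and 13, not any vendor's schema.

```python
"""Hunt for a MERCURY-style persistence chain over constructed Windows
Security and Sysmon events.  Added example, not from the original article;
the JSON field names are an assumed flattened log export."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Autostart extensibility points this example checks: Run/RunOnce keys under
# HKLM or HKCU, and the per-user / all-users Startup folders.
ASEP_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Start-?Up\\", re.I)
LOCAL_ADMINS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

# Constructed sample events (one JSON object per line).  srv-sysaid01 shows
# the full chain; ws-finance07 shows a benign installer Run key plus an
# unrelated helpdesk account creation that must NOT be flagged.
SAMPLE_EVENTS = r"""
{"host":"srv-sysaid01","channel":"Security","event_id":4720,"ts":"2022-07-01T02:14:05Z","target_user":"svc_backup2","subject_user":"SYSTEM"}
{"host":"srv-sysaid01","channel":"Security","event_id":4732,"ts":"2022-07-01T02:14:07Z","member":"svc_backup2","group_sid":"S-1-5-32-544"}
{"host":"srv-sysaid01","channel":"Sysmon","event_id":13,"ts":"2022-07-01T02:15:40Z","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","target_object":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate","details":"C:\\ProgramData\\update.exe"}
{"host":"srv-sysaid01","channel":"Sysmon","event_id":11,"ts":"2022-07-01T02:15:42Z","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","target_filename":"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\update.lnk"}
{"host":"ws-finance07","channel":"Sysmon","event_id":13,"ts":"2022-07-01T09:00:12Z","image":"C:\\Program Files\\Vendor\\setup.exe","target_object":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent","details":"C:\\Program Files\\Vendor\\agent.exe"}
{"host":"ws-finance07","channel":"Security","event_id":4720,"ts":"2022-07-01T09:30:00Z","target_user":"jdoe","subject_user":"helpdesk"}
"""


def _ts(value):
    """Parse an ISO-8601 UTC timestamp; 'Z' is rewritten for Python < 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_events(text):
    """Turn newline-delimited JSON into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_persistence_chains(events, window=timedelta(hours=1)):
    """Return {host: finding} for hosts where a freshly created account was
    added to the local Administrators group AND an autostart write (Run key
    or Startup folder) occurred within `window` of that addition."""
    by_host = defaultdict(list)
    for event in events:
        by_host[event["host"]].append(event)

    alerts = {}
    for host, host_events in by_host.items():
        host_events.sort(key=lambda e: _ts(e["ts"]))
        created = set()      # users seen in a 4720 on this host
        new_admins = []      # (ts, user)
        autostart = []       # (ts, kind, detail)
        for e in host_events:
            eid, channel = e["event_id"], e["channel"]
            if channel == "Security" and eid == 4720:
                created.add(e["target_user"])
            elif (channel == "Security" and eid == 4732
                  and e.get("group_sid") == LOCAL_ADMINS_SID
                  and e.get("member") in created):
                new_admins.append((_ts(e["ts"]), e["member"]))
            elif channel == "Sysmon" and eid == 13 and ASEP_KEY_RE.search(e.get("target_object", "")):
                autostart.append((_ts(e["ts"]), "run_key_set",
                                  f"{e['target_object']} -> {e.get('details', '')}"))
            elif channel == "Sysmon" and eid == 11 and STARTUP_DIR_RE.search(e.get("target_filename", "")):
                autostart.append((_ts(e["ts"]), "startup_folder_write", e["target_filename"]))

        # Only correlate the two halves of the chain; a lone Run key (installers
        # write them constantly) or a lone account creation is not an alert.
        for admin_ts, user in new_admins:
            related = [a for a in autostart if abs(a[0] - admin_ts) <= window]
            if related:
                alerts[host] = {
                    "account": user,
                    "autostart": [f"{kind}: {detail}" for _, kind, detail in related],
                }
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_persistence_chains(parse_events(SAMPLE_EVENTS)), indent=2))
```

On the sample data only `srv-sysaid01` is reported, with account `svc_backup2` and two autostart writes; `ws-finance07` is left alone even though it has a Run-key write and a new account, because the account was never added to Administrators. Requiring both halves of the chain is the point: Run keys and Startup-folder writes are far too noisy to alert on by themselves, while the combination with a brand-new local administrator is a strong signal worth an analyst's time.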
Microsoft advises a number of security measures to reduce the threat posed by MERCURY, starting with determining whether the organisation uses SysAid and, if so, installing the vendor's security updates and patches as they become available.
Organisations should also block inbound traffic from the IP addresses listed in Microsoft's table of indicators of compromise. IT teams should review all authentication activity for remote access infrastructure, paying particular attention to accounts configured for single-factor authentication. Finally, multi-factor authentication (MFA) should be enforced wherever possible.