The flag of Iran is seen in front of the building of the International Atomic Energy Agency (IAEA) Headquarters on May 24, 2021, in Vienna. (Photo by Michael Gruber/Getty Images)

A hacking group linked to the Iranian government has been exploiting Log4j 2 vulnerabilities in SysAid, a set of popular IT support and management software applications, according to Microsoft.

The company’s threat intelligence center and other components asserted with “moderate confidence” this week that the group, which they call MERCURY (also known as MuddyWater), has been exploiting Log4j vulnerabilities in SysAid servers that are running the vulnerable code. Both Microsoft and the U.S. government have identified the group as affiliated with the Iranian Ministry of Intelligence, and the organizations targeted were all located in Israel, a top geopolitical foe of the Islamic Republic.

Microsoft, which receives telemetry from billions of endpoints and other assets across its vast customer base, observed the group breaking into SysAid applications on July 23 and 25 of this year. It believes the compromises were used to gain initial access to victim environments, but the company appears to be inferring from that data that the Apache vulnerabilities, which allow for remote code execution, were being leveraged.

“Based on observations from past campaigns and vulnerabilities found in target environments, Microsoft assesses that the exploits used were most likely related to Log4j 2,” Microsoft wrote. “The threat actor leveraged Log4j 2 exploits against VMware applications earlier in 2022 and likely looked for similarly vulnerable internet-facing apps. SysAid, which provides IT management tools, might have presented as an attractive target for its presence in the targeted country.”

The actors used that access to drop webshells and conduct a number of reconnaissance-based activities. In other cases, the access was used to download the group’s preferred tools to conduct lateral movement or establish a persistent presence within victim networks. That includes stealing user credentials, escalating to administrator privileges and adding malware to startup folders to ensure access persists even if the victim reboots.

MuddyWater is viewed by many threat intelligence organizations and U.S. government agencies like Cyber Command as Iran’s top cyberespionage group, with a heavy presence in Middle Eastern countries as well as Europe and North America. Earlier this year, CyberCom began publishing some of the group’s open source tools on VirusTotal in an effort to raise detection rates, a list it has updated as recently as this past month.

According to a joint alert put out by the U.S. and UK governments in February, the hacking group is “known to exploit publicly reported vulnerabilities” like Log4j and has also targeted public sector organizations and critical infrastructure across the globe, including the telecommunications, defense, and oil and gas sectors as well as local governments.

SysAid rolled out patches for the vulnerability in its cloud and on-premises products in January.

Microsoft is advising organizations that use SysAid to ensure they have the most up-to-date versions of the software, review authentication logs for remote access infrastructure and upgrade to multifactor authentication where possible. The blog also includes 14 separate indicators of compromise for organizations to leverage for detection.

Indicators of compromise for MERCURY/MuddyWater hacking group. (Source: Microsoft)
Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.