Iranian state-sponsored actors are leaving no stone unturned to exploit unpatched systems running Log4j to target Israeli entities, indicating the vulnerability’s long tail for remediation.
Microsoft attributed the latest set of activities to the umbrella threat group tracked as MuddyWater (aka Cobalt Ulster, Mercury, Seedworm, or Static Kitten), which is linked to the Iranian intelligence apparatus, the Ministry of Intelligence and Security (MOIS).
The attacks are notable for using SysAid Server instances unsecured against the Log4Shell flaw as a vector for initial access, marking a departure from the actors’ pattern of leveraging VMware applications for breaching target environments.
“After gaining access, Mercury establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack,” Microsoft said.
The tech giant’s threat intelligence team said it observed the attacks between July 23 and 25, 2022.
A successful compromise is said to have been followed by the deployment of web shells to execute commands that permit the actor to conduct reconnaissance, establish persistence, steal credentials, and facilitate lateral movement.
Also employed for command-and-control (C2) communication during intrusions is a remote monitoring and management software called eHorus and Ligolo, a reverse-tunneling tool of choice for the adversary.
The findings come as the U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) deemed the critical vulnerability in the open-source Java-based logging framework an endemic weakness that will continue to plague organizations for years to come as exploitation evolves.
Log4j’s wide usage across many suppliers’ software and services means sophisticated adversaries like nation-state actors and commodity operators alike have opportunistically taken advantage of the vulnerability to mount a smorgasbord of attacks.
The Log4Shell attacks also follow a recent report from Mandiant that detailed an espionage campaign aimed at Israeli shipping, government, energy, and healthcare organizations by a likely Iranian hacking group dubbed UNC3890.