Iran-based threat actor MuddyWater (tracked by Microsoft as MERCURY) has been leveraging the exploitation of Log4j 2 vulnerabilities in SysAid applications to target organizations in Israel.
The information comes from a new advisory from Microsoft's security researchers, who said on Thursday they could assess with high confidence that MERCURY's observed activity was affiliated with Iran's Ministry of Intelligence and Security (MOIS).
"On July 23 and 25, 2022, MERCURY was observed using exploits against vulnerable SysAid Server instances as its initial access vector," Microsoft wrote. "Based on observations from past campaigns and vulnerabilities found in target environments, [we] assess that the exploits used were most likely related to Log4j 2."
In fact, the novel campaign observed by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team differs from earlier MERCURY ones, as it is the first in which the group exploits SysAid apps as a vector for initial access.
"After gaining access, MERCURY establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack," reads the advisory.
Microsoft also included a list of common techniques and tooling used by MERCURY, which include spearphishing, alongside programs such as the Venom proxy tool, the Ligolo reverse tunneling technique and home-grown PowerShell programs.
Microsoft confirmed it notified customers that were targeted or compromised, providing them with the information needed to secure their accounts. The company has also provided a list of indicators of compromise (IOCs) linked to MERCURY's activity.
"We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems."
Microsoft is not the first entity associating MERCURY with Iranian state actors. Earlier this year, both the U.K. and U.S. governments issued warnings connecting the group with the state's MOIS.