A threat group linked to the Iranian government appears to be the first to exploit the Log4Shell vulnerability in SysAid applications for initial access to the targeted organizations.
The Log4Shell vulnerability affecting the Apache Log4j logging utility came to light in December 2021. The flaw, identified as CVE-2021-44228, can be exploited for remote code execution and it has been leveraged by both profit-driven cybercriminals and state-sponsored cyberspies.
Log4Shell impacts the products of several major companies that use Log4j, but in many attacks the vulnerability has been exploited against affected VMware software.
Microsoft said the threat actor it tracks as Mercury has been known to exploit Log4j vulnerabilities, but it has done so against vulnerable VMware software, and this seems to be the first time they have targeted SysAid apps. The tech giant assesses with ‘moderate confidence’ that the hackers have exploited SysAid server instances.
SecurityWeek is not aware of any other attacks in which threat actors have exploited Log4Shell against SysAid applications.
SysAid, which provides IT service management solutions, addressed the Log4Shell vulnerability shortly after its existence came to light, but it seems some instances remain unpatched.
Mercury is also known as Seedworm, Static Kitten and MuddyWater. The group was officially linked earlier this year by the US government to Iran’s Ministry of Intelligence and Security.
In the attacks observed by Microsoft in late July, Mercury targeted organizations located in Israel. It’s not uncommon for Iranian groups to target Israel.
“The threat actor leveraged Log4j 2 exploits against VMware applications earlier in 2022 and likely looked for similarly vulnerable internet-facing apps. SysAid, which provides IT management tools, might have presented as an attractive target for its presence in the targeted country,” Microsoft said.
After gaining access to the targeted system, the hackers established persistence, dumped credentials, and moved laterally within the organization using various tools. The threat actor conducted hands-on-keyboard activities.
“Exploiting SysAid successfully enables the threat actor to drop and leverage web shells to execute several commands,” Microsoft explained. “Most commands are related to reconnaissance, with one encoded PowerShell that downloads the actor’s tool for lateral movement and persistence.”