Security Experts:

Connect with us

Hi, what are you looking for?



Iranian Government Hackers Exploit Log4Shell in SysAid Apps for Initial Access

A threat group linked to the Iranian government appears to be the first to exploit the Log4Shell vulnerability in SysAid applications for initial access to the targeted organizations.

A threat group linked to the Iranian government appears to be the first to exploit the Log4Shell vulnerability in SysAid applications for initial access to the targeted organizations.

The Log4Shell vulnerability affecting the Apache Log4j logging utility came to light in December 2021. The flaw, identified as CVE-2021-44228, can be exploited for remote code execution and it has been leveraged by both profit-driven cybercriminals and state-sponsored cyberspies.

Log4Shell impacts the products of several major companies that use Log4j, but in many attacks the vulnerability has been exploited against affected VMware software.

Microsoft said the threat actor it tracks as Mercury has been known to exploit Log4j vulnerabilities, but it has done so against vulnerable VMware software, and this seems to be the first time they have targeted SysAid apps. The tech giant assesses with ‘moderate confidence’ that the hackers have exploited SysAid server instances.

SecurityWeek is not aware of any other attacks in which threat actors have exploited Log4Shell against SysAid applications.

SysAid, which provides IT service management solutions, addressed the Log4Shell vulnerability shortly after its existence came to light, but it seems some instances remain unpatched.

Mercury is also known as Seedworm, Static Kitten and MuddyWater. The group was officially linked earlier this year by the US government to Iran’s Ministry of Intelligence and Security.

In the attacks observed by Microsoft in late July, Mercury targeted organizations located in Israel. It’s not uncommon for Iranian groups to target Israel.

“The threat actor leveraged Log4j 2 exploits against VMware applications earlier in 2022 and likely looked for similarly vulnerable internet-facing apps. SysAid, which provides IT management tools, might have presented as an attractive target for its presence in the targeted country,” Microsoft said.

After gaining access to the targeted system, the hackers established persistence, dumped credentials, and moved laterally within the organization using various tools. The threat actor conducted hands-on-keyboard activities.

“Exploiting SysAid successfully enables the threat actor to drop and leverage web shells to execute several commands,” Microsoft explained. “Most commands are related to reconnaissance, with one encoded PowerShell that downloads the actor’s tool for lateral movement and persistence.”

Related: US Agencies Warn Organizations of Log4Shell Attacks Against VMware Products

Related: Spring4Shell: Spring Flaws Lead to Confusion, Concerns of New Log4Shell-Like Threat

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.