Connect with us

Hi, what are you looking for?



Iranian Government Hackers Exploit Log4Shell in SysAid Apps for Initial Access

A threat group linked to the Iranian government appears to be the first to exploit the Log4Shell vulnerability in SysAid applications for initial access to the targeted organizations.

A threat group linked to the Iranian government appears to be the first to exploit the Log4Shell vulnerability in SysAid applications for initial access to the targeted organizations.

The Log4Shell vulnerability affecting the Apache Log4j logging utility came to light in December 2021. The flaw, identified as CVE-2021-44228, can be exploited for remote code execution and it has been leveraged by both profit-driven cybercriminals and state-sponsored cyberspies.

Log4Shell impacts the products of several major companies that use Log4j, but in many attacks the vulnerability has been exploited against affected VMware software.

Microsoft said the threat actor it tracks as Mercury has been known to exploit Log4j vulnerabilities, but it has done so against vulnerable VMware software, and this seems to be the first time they have targeted SysAid apps. The tech giant assesses with ‘moderate confidence’ that the hackers have exploited SysAid server instances.

SecurityWeek is not aware of any other attacks in which threat actors have exploited Log4Shell against SysAid applications.

SysAid, which provides IT service management solutions, addressed the Log4Shell vulnerability shortly after its existence came to light, but it seems some instances remain unpatched.

Mercury is also known as Seedworm, Static Kitten and MuddyWater. The group was officially linked earlier this year by the US government to Iran’s Ministry of Intelligence and Security.

Advertisement. Scroll to continue reading.

In the attacks observed by Microsoft in late July, Mercury targeted organizations located in Israel. It’s not uncommon for Iranian groups to target Israel.

“The threat actor leveraged Log4j 2 exploits against VMware applications earlier in 2022 and likely looked for similarly vulnerable internet-facing apps. SysAid, which provides IT management tools, might have presented as an attractive target for its presence in the targeted country,” Microsoft said.

After gaining access to the targeted system, the hackers established persistence, dumped credentials, and moved laterally within the organization using various tools. The threat actor conducted hands-on-keyboard activities.

“Exploiting SysAid successfully enables the threat actor to drop and leverage web shells to execute several commands,” Microsoft explained. “Most commands are related to reconnaissance, with one encoded PowerShell that downloads the actor’s tool for lateral movement and persistence.”

Related: US Agencies Warn Organizations of Log4Shell Attacks Against VMware Products

Related: Spring4Shell: Spring Flaws Lead to Confusion, Concerns of New Log4Shell-Like Threat

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.