Hackers Targeting Log4j 2 Vulnerabilities in SysAid Applications
The Microsoft Threat Intelligence Center (MSTIC) warns that a hacking group it calls MERCURY is using Log4j 2 vulnerabilities in SysAid applications to launch attacks against organizations in Israel. MSTIC says this is the first time they have observed SysAid being used as an initial access vector. The MSTIC blog offers an “analysis of observed MERCURY activity and related tools used in targeted attacks.” MSTIC says there is a high likelihood that MERCURY is affiliated with Iran’s Ministry of Intelligence and Security.
As the Log4j vulnerability became known, organizations often used generic exploits to scan their own networks. Exploitability for Log4j is tricky to determine, as it depends entirely on how a particular application uses the framework. Do not ignore vendor patches just because some vulnerability scanner gave you a green light.
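As an added illustration of that point (example code, not part of the original article), the Python below inventories copies of log4j-core under an application directory, including jars nested inside a war, and records the version from Maven's pom.properties together with whether JndiLookup.class is still shipped; the 2.17.1 threshold and the two sample archives it builds are assumptions constructed for the example.

```python
import io
import os
import tempfile
import zipfile
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
FIXED = (2, 17, 1)  # assumption: older log4j-core, or one still shipping JndiLookup, needs the vendor patch

def parse_version(text):
    """Turn the 'version=2.14.1' line of pom.properties into a comparable tuple."""
    found = [l.split("=", 1)[1].strip() for l in text.splitlines() if l.startswith("version=")]
    return tuple(int(p) for p in found[0].split(".") if p.isdigit()) if found else None

def inspect_archive(data, label, findings):
    """Record any log4j-core in one archive, then recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    names = set(zf.namelist())
    if POM in names:
        version = parse_version(zf.read(POM).decode("utf-8", "replace"))
        findings.append({"archive": label, "version": version, "jndi": JNDI in names,
                         "needs_patch": version is None or version < FIXED or JNDI in names})
    for name in names:  # bundled apps usually carry log4j under WEB-INF/lib inside a war
        if name.lower().endswith(ARCHIVES):
            inspect_archive(zf.read(name), f"{label}!{name}", findings)

def scan_tree(root):
    """Return one finding per log4j-core copy under root, nested archives included."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in sorted(files) if f.lower().endswith(ARCHIVES)):
            with open(path, "rb") as fh:
                inspect_archive(fh.read(), path, findings)
    return findings

def demo():
    """Scan two constructed archives: an old log4j-core buried in a war, and a patched jar in the open."""
    root = tempfile.mkdtemp()
    old = io.BytesIO()
    with zipfile.ZipFile(old, "w") as zf:
        zf.writestr(POM, "artifactId=log4j-core\nversion=2.14.1\n")
        zf.writestr(JNDI, b"\xca\xfe\xba\xbe")  # placeholder bytes standing in for the real class
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", old.getvalue())
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.17.1.jar"), "w") as zf:
        zf.writestr(POM, "artifactId=log4j-core\nversion=2.17.1\n")
    return scan_tree(root)
```

A scanner that only matches top-level file names would report the second directory state as clean; this walk flags the copy inside the war, which is where a bundled application such as a helpdesk product typically keeps it.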
MERCURY (aka MuddyWater, Cobalt Ulster, Seedworm, Static Kitten) previously targeted VMware instances with Log4j flaws and has now pivoted to SysAid. SysAid released Log4j patches in January, which appear not to have been applied. Once you have made sure the SysAid updates are applied, if you use it, make sure you are not overlooking other patches, such as those from VMware, that fix flaws like Log4j. The attack reads like an exercise out of SANS SEC560: the attackers use Log4Shell flaws to gain an initial foothold, then use PowerShell to drop web shells, add a user, give it elevated privileges, and place attack tools in startup folders for persistence. From there, they use Mimikatz for credential theft, RemCom for lateral movement, and send data to their C2 server through a custom version of the Ligolo tunnel/reverse proxy.