Microsoft: Nation-state Iranian hackers exploit Log4Shell against Israel


Iranian hacking group MuddyWater, allegedly linked to the country’s state intelligence agency, continues to exploit the Log4j vulnerability to gain access to corporate networks in Israel amid an ongoing proxy war between the two countries, according to new research.

The threat actor, also known as Mercury, is targeting vulnerabilities in SysAid, a popular IT management software used by many Israeli organizations, according to a report published by Microsoft on Thursday.

The US Cyber Command said earlier this year that the group is affiliated with Iran’s intelligence and security ministry. In December, the group targeted telecommunications and IT service providers in the Middle East and Asia.

Discovered by Microsoft in late July, MuddyWater’s new attack is another example of state-sponsored operations that exploit Log4Shell, a vulnerability in the Log4j Java library used to add logging functionality to web and desktop applications.

In early December, Microsoft discovered that nation-state groups from China, Iran, North Korea, and Turkey were abusing Log4Shell to gain access to targeted networks. For example, MuddyWater exploited the Log4j flaw in VMware applications, which were eventually patched.

Looking for an alternative, Iranian hackers have turned to SysAid, another attractive target as it is used by numerous organizations in Israel, according to Microsoft.

The group used the Log4j flaw to gain initial access to unpatched SysAid systems and dropped a web shell to run malicious commands. The hackers then added a new user and elevated its privileges to local administrator. They also placed malware in startup folders to retain access even if the victim rebooted the system.

Image: Microsoft

According to Microsoft, the hackers stole user credentials using the open-source Mimikatz application.
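The post-exploitation chain described in the two passages above (new local account, elevation to local administrators, startup-folder persistence, credential theft) is something defenders can look for in host telemetry. The following is an added example written for this page, not code from Microsoft’s report or the article: it correlates constructed Windows Security and Sysmon events per host and account inside a time window. The event IDs are the standard ones (Security 4720 and 4732, Sysmon 11 and 10), but the flat field layout (`host`, `user`, `path`, `target`) and every sample value are constructed for illustration and simplified compared with real event XML.

```python
"""Correlate constructed host events for the chain: account created ->
added to local Administrators -> file dropped in a Startup folder ->
process access to LSASS (a common credential-dumping indicator)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Fields are simplified:
# real 4732 / Sysmon records carry these values in differently named fields.
SAMPLE_EVENTS = [
    {"ts": "2022-08-25T10:01:12", "host": "srv-helpdesk", "id": 4720,
     "user": "svc_sysaid2"},
    {"ts": "2022-08-25T10:01:40", "host": "srv-helpdesk", "id": 4732,
     "user": "svc_sysaid2", "group": "Administrators"},
    {"ts": "2022-08-25T10:03:05", "host": "srv-helpdesk", "id": 11,
     "user": "svc_sysaid2",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\update.vbs"},
    {"ts": "2022-08-25T10:05:30", "host": "srv-helpdesk", "id": 10,
     "user": "svc_sysaid2", "target": r"C:\Windows\System32\lsass.exe"},
    # Benign noise: an admin creates an account and nothing follows it.
    {"ts": "2022-08-25T11:15:00", "host": "ws-finance01", "id": 4720,
     "user": "jdoe"},
]

STARTUP_MARKER = r"\start menu\programs\startup"   # common to user and all-users paths
WINDOW = timedelta(minutes=30)                      # correlation window after creation


def parse_ts(s):
    return datetime.fromisoformat(s)


def is_startup_write(ev):
    """Sysmon 11 (FileCreate) into a Startup folder."""
    return ev["id"] == 11 and STARTUP_MARKER in ev.get("path", "").lower()


def is_lsass_access(ev):
    """Sysmon 10 (ProcessAccess) whose target is lsass.exe."""
    return ev["id"] == 10 and ev.get("target", "").lower().endswith(r"\lsass.exe")


def correlate(events, window=WINDOW):
    """Return alerts as (host, user, stages) for every account whose creation
    is followed, within `window`, by at least one later stage of the chain."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_key[(ev["host"], ev["user"].lower())].append(ev)

    alerts = []
    for (host, user), evs in by_key.items():
        created = [e for e in evs if e["id"] == 4720]
        if not created:
            continue                       # chain starts with account creation
        t0 = parse_ts(created[0]["ts"])
        stages = ["account_created"]
        for e in evs:
            t = parse_ts(e["ts"])
            if not (t0 <= t <= t0 + window):
                continue
            if e["id"] == 4732 and e.get("group", "").lower() == "administrators":
                stages.append("added_to_local_admins")
            elif is_startup_write(e):
                stages.append("startup_folder_persistence")
            elif is_lsass_access(e):
                stages.append("lsass_access")
        if len(stages) > 1:
            alerts.append((host, user, stages))
    return alerts


if __name__ == "__main__":
    for host, user, stages in correlate(SAMPLE_EVENTS):
        print(f"ALERT {host}: account '{user}' -> {' -> '.join(stages)}")
```

On the constructed data only the `srv-helpdesk` account trips the rule, because the lone account creation on `ws-finance01` is never followed by elevation, persistence or LSASS access. Keying on host and account and requiring more than one stage is what keeps routine account provisioning from alerting; a real deployment would pull the same fields out of the event XML or a SIEM rather than from a list of dicts.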

Microsoft urged organizations using SysAid to apply security patches and update affected products and services. SysAid rolled out Log4j patches to its products in January, a month after a researcher at Chinese tech giant Alibaba discovered the flaw.

Microsoft has also published indicators of compromise that companies can use to check whether their systems have been affected.

Log4j is present in almost all major Java-based enterprise applications and servers. Open-source projects like Redis, ElasticSearch, Elastic Logstash, and NSA’s Ghidra use it to some extent. Companies whose servers could be vulnerable to Log4Shell attacks include Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, and Baidu.

With a score of 10/10 on the CVSSv3 severity scale, Log4Shell exposes hundreds of millions of devices to exploits, cybersecurity experts warn.

In early August, the US Department of Homeland Security acknowledged that it will take years for vulnerable Log4j instances to be found and fixed. Researchers also call it an “endemic vulnerability.”

In December, the US Cybersecurity and Infrastructure Security Agency (CISA) ordered all civilian federal agencies to update their software in response to the threat.

Daryna Antoniuk is a freelance reporter for The Record based in Ukraine. She writes about cybersecurity startups, cyber attacks in Eastern Europe and the state of the cyber war between Ukraine and Russia. She was previously a tech reporter for Forbes Ukraine. Her work has also been published by Sifted, The Kyiv Independent and The Kyiv Post.
