Iran-based threat actor MuddyWater (tracked by Microsoft as MERCURY) has been leveraging the exploitation of Log4j 2 vulnerabilities in SysAid applications to target organizations in Israel.
The news comes from a new advisory from Microsoft’s security researchers, who said on Thursday they could assess with high confidence that MERCURY’s observed activity was affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
“On July 23 and 25, 2022, MERCURY was observed using exploits against vulnerable SysAid Server instances as its initial access vector,” Microsoft wrote. “Based on observations from past campaigns and vulnerabilities found in target environments, [we] assess that the exploits used were most likely related to Log4j 2.”
In fact, the novel campaign spotted by the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team differs from previous MERCURY ones as it is the first one in which the group exploits SysAid apps as a vector for initial access.
“After gaining access, MERCURY establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack,” reads the advisory.
Microsoft also included a list of common techniques and tooling used by MERCURY, which include spearphishing, alongside programs such as the Venom proxy tool, the Ligolo reverse tunneling technique and home-grown PowerShell programs.
Microsoft confirmed it notified customers that have been targeted or compromised, providing them with the information needed to secure their accounts. The company has also supplied a list of indicators of compromise (IOCs) connected to MERCURY’s activity.
“We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.”
Microsoft is not the first entity associating MERCURY with Iranian state actors. Earlier this year, both U.K. and U.S. governments issued warnings connecting the group with the state’s MOIS.