An Iran-backed cyber threat group has been exploiting Log4j 2 vulnerabilities in order to target organizations in Israel, Microsoft warned on Thursday.
In a new report, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender team say that the malicious group MERCURY has exploited the remote code execution vulnerability in Apache’s Log4j 2 (known as Log4Shell) in vulnerable SysAid server instances.
Founded in 2002 in Israel, SysAid has grown to become a leading provider of help desk and IT service management software. According to company information, it has over 5,000 customers and partners with organizations across 140 countries.
Microsoft’s researchers have previously assessed with “high confidence” that MERCURY is affiliated with Iran’s Ministry of Intelligence and Security (MOIS). MERCURY is also known as MuddyWater – which, according to the US Cyber Command, is a subordinate element within MOIS.
The group mostly targets other countries in the Middle East – although targets in the US and India were also on its list – and is known to track Iranian regime dissidents. First identified in 2017, it has been battling Israel for years. The current attack was observed on July 23rd and 25th, 2022.
“While MERCURY has used Log4j 2 exploits in the past, we have not seen this actor using SysAid apps as a vector for initial access until now,” says the Microsoft report.
“After gaining access, MERCURY establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on-keyboard attack.”
Last month, in a report submitted to US President Joe Biden, the Department of Homeland Security’s Cyber Safety Review Board (CSRB) addressed the continued risk posed by the vulnerabilities discovered in late 2021 in the widely-used Log4j open-source software library.
“The Log4j event is not over. The Board assesses that Log4j is an ‘endemic vulnerability’ and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains,” says the report.
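A practitioner reading the Board’s assessment will want a way to find the lingering instances it describes. The following is an added example, not code from Microsoft, the CSRB or SysAid: a small Python scanner that walks a directory tree, opens jar/war/ear files (recursing into archives nested inside them, as in a bundled web application), reads the log4j-core version from the Maven pom.properties that the jar carries, and reports instances older than an assumed threshold of 2.17.1 that still package the JndiLookup class. The threshold is a chosen parameter of this check, and the sample jars the script builds are constructed for the demonstration; they contain only the entries the scanner inspects, not real class files.

```python
import io
import os
import re
import tempfile
import zipfile

# Entry names that identify log4j-core and its JNDI lookup inside a jar.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumed threshold for this check: log4j-core older than this is reported.
MIN_SAFE_VERSION = (2, 17, 1)
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_text):
    """Extract (major, minor, patch) from a Maven pom.properties body."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_text, re.M)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def inspect_archive(zf, label, findings):
    """Record a finding for this archive, then recurse into nested archives."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        has_jndi = JNDI_LOOKUP_CLASS in names
        findings.append({
            "archive": label,
            "version": version,
            "jndi_lookup_present": has_jndi,
            # Exposed only if the lookup class is still packaged and the version is old;
            # a jar with the class stripped out (a documented mitigation) is not flagged.
            "vulnerable": has_jndi and version is not None and version < MIN_SAFE_VERSION,
        })
    for name in names:
        if name.lower().endswith(NESTED_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    inspect_archive(inner, f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                continue


def scan_tree(root):
    """Walk a directory tree and return one finding per log4j-core found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(NESTED_SUFFIXES):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        inspect_archive(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_sample_tree():
    """Constructed sample: fake jars holding only the entries the scanner reads."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def make_jar(path, version, include_jndi):
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
            if include_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class

    make_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1", True)     # old, lookup present
    make_jar(os.path.join(root, "log4j-core-2.17.1.jar"), "2.17.1", True)     # at threshold
    make_jar(os.path.join(root, "log4j-core-stripped.jar"), "2.14.1", False)  # class removed
    # A deployable that bundles the old jar, as a packaged web application would.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.14.1\n")
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    return root


def summarize(root):
    """Return the sorted labels of archives reported as vulnerable under root."""
    return sorted(f["archive"] for f in scan_tree(root) if f["vulnerable"])


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in summarize(sample):
        print("VULNERABLE:", hit)
```

Run it against an application directory instead of the sample tree by calling `summarize("/path/to/deployments")`; nested labels use `outer.war!inner.jar` so a hit inside a bundled archive points at the deployable that actually needs rebuilding, not just the library name.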
The identity of the Israeli companies targeted, and the extent of the damage caused, are unknown at the moment. The Israel National Cyber Directorate (INCD) does not comment on specific reports, and SysAid has yet to react publicly.
Between cyber wars, nuclear deals and endless election rounds
Israel is currently engaged in a diplomatic blitz to stop the resurrection of the Iran nuclear deal, which appears to be looming, or at least to include several changes. But regardless of a possible agreement, the cyber war between the two countries has greatly intensified over the past few years.
In June, Israel’s Cyber Directorate Chief, Gabi Portnoy, said that “Iran has become our dominant rival in cyber, together with (proxies) Hezbollah and Hamas,” and stressed the need for a “cyber dome” that would protect the country’s cyber sphere much like the “Iron Dome” system protects it from missiles and rockets.
Earlier in August, Mandiant revealed it had been tracking another Iranian-linked group, UNC3890, which has been targeting Israeli shipping, government, energy and healthcare organizations “via social engineering lures and a potential watering hole.” This campaign, active since at least 2020, was still ongoing when the cybersecurity company learned of its existence.
On November 1st, Israel’s citizens will head to the polls once again, for the 5th time in 3.5 years, to elect a new government. Defense experts and cyber analysts are concerned about possible foreign state-backed intervention (from Iran and other nations) through fake news, social engineering campaigns and more – and not for the first time.