Hackers continue to exploit the Log4j vulnerability in unpatched applications, as shown by the Iranian ‘MuddyWater’ threat actor, which was found targeting Israeli organizations via the SysAid software.
The vulnerability in Log4j (“Log4Shell”) was discovered and patched in December 2021 but still plagues a wide range of applications that utilize the open-source library. One of those applications is SysAid, help desk software whose vendor released security updates for the bugs in January.
MuddyWater, aka ‘MERCURY,’ is an espionage group believed to be operated directly by Iran’s Ministry of Intelligence and Security (MOIS), recently seen targeting telcos across the Middle East and Asia.
The operations of this hacking group align with Iran’s national interests, so they consistently involve Israeli entities, which are considered enemies of the state.
Exploiting SysAid for initial access
The latest MuddyWater hacking campaign outlined in a Microsoft report yesterday constitutes the first example of leveraging vulnerable SysAid applications to breach corporate networks.
MuddyWater previously targeted VMware instances that carried Log4j flaws to drop web shells, but assuming that these were eventually patched, the threat actors explored alternative options.
SysAid is an excellent initial access vector in that sense, as it still incorporates Log4j, and numerous organizations use it as an IT management tool, service desk, and help desk solution.
The Iranian hackers exploit Log4Shell flaws for initial access, running malicious PowerShell via a specially crafted request sent to vulnerable endpoints and dropping web shells.
Having collected the required info via cmd.exe, the hackers add a user, elevate its privileges to local administrator, and then add their attack tools to the startup folders to ensure persistence between reboots.
From there, MuddyWater can perform credential theft using Mimikatz, move laterally via WMI and RemCom, and send stolen data to the C2 server via a customized version of the Ligolo tunneling tool.
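As an added illustration (not code from the Microsoft report or from this article), the Python example below correlates process-creation events per host to surface the sequence described above: a shell spawned by the Java process hosting the vulnerable application, followed by account creation, local administrator membership, and a write to a Startup folder. The JVM image names, the net.exe command-line forms, and every sample event are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Assumption: image names the Java-based help desk service runs under.
JVM_PARENTS = {"java.exe", "javaw.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Follow-on stages from the article, matched on assumed command-line forms.
STAGES = [
    ("user_added", re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+.*\s/add\b", re.I)),
    ("admin_granted", re.compile(
        r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+\S+.*/add\b", re.I)),
    ("startup_persistence", re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
]

def hunt(events, window=timedelta(hours=1)):
    """Return {host: [stages]} for hosts where a JVM spawned a shell, listing
    follow-on stages seen within `window` of the most recent such spawn."""
    anchors, findings = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        host = ev["host"]
        if ev["parent"].lower() in JVM_PARENTS and ev["image"].lower() in SHELLS:
            anchors[host] = ev["time"]  # (re)start the correlation window
            findings.setdefault(host, ["jvm_spawned_shell"])
        start = anchors.get(host)
        if start is None or ev["time"] - start > window:
            continue  # no JVM-spawned shell on this host, or too long ago
        for name, pattern in STAGES:
            if pattern.search(ev["cmdline"]) and name not in findings[host]:
                findings[host].append(name)
    return findings

def make_event(host, hhmm, parent, image, cmdline):
    t = datetime.strptime("2000-01-01 " + hhmm, "%Y-%m-%d %H:%M")
    return {"host": host, "time": t, "parent": parent, "image": image, "cmdline": cmdline}

# Constructed process-creation events (hosts, accounts and paths are made up).
SAMPLE = [
    make_event("HD01", "10:00", "java.exe", "cmd.exe", "cmd.exe /c whoami"),
    make_event("HD01", "10:02", "cmd.exe", "net.exe", "net user helpdesk_svc Passw0rd! /add"),
    make_event("HD01", "10:03", "cmd.exe", "net.exe",
               "net localgroup administrators helpdesk_svc /add"),
    make_event("HD01", "10:05", "cmd.exe", "cmd.exe", r'cmd.exe /c copy C:\Temp\tool.exe '
               r'"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\tool.exe"'),
    # Benign contrast: an admin adds a user from an interactive shell, no JVM parent.
    make_event("WS07", "09:01", "cmd.exe", "net.exe", "net user intern01 Temp123 /add"),
]

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE).items():
        print(host, " -> ".join(stages))
```

Anchoring on the JVM-spawned shell keeps routine account administration, such as the WS07 event, out of the results.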
Custom reverse proxy communications
Ligolo is an open-source reverse-tunneling tool that the hackers use for securing communications between backdoors and C2 infrastructure.
The modified version employed by MERCURY in the latest campaign comes in the form of an executable named “vpnui.exe.”
While Microsoft’s report doesn’t go into the details of the particular tool, we know from a March 2022 report by Security Joes that the hackers added useful features like execution checks and command-line parameters.
Security Joes had loosely attributed the appearance of the customized Ligolo to MuddyWater, and Microsoft’s recent report further confirms this attribution.
The report lists more details on MuddyWater detection opportunities and hunting queries in its last section, so make sure to check it if you’re within the group’s targeting scope.