Tuesday, April 29, 2025
HomeCyber Security NewsIranian state-sponsored Actors Exploiting Log4j 2 Flaws in Unpatched Systems

Iranian state-sponsored Actors Exploiting Log4j 2 Flaws in Unpatched Systems

Published on

SIEM as a Service

Follow Us on Google News

As far as exploiting unpatched Log4j systems to target Israeli entities are concerned, the Iranian state-sponsored threat actors leave no stone unturned to exploit these vulnerabilities, indicating that there is still a long tail for fixing this vulnerability.

It is believed that the group behind the latest set of activities has been identified as MuddyWater, an umbrella threat group. The organization has connections with Iran’s intelligence apparatus, MOIS.

As a distinctive aspect of the attacks, the SysAid Server instances used in the initial attack remained unsecured against the Log4Shell vulnerability. In this regard, the actors have departed from their traditional pattern of compromising target environments by leveraging VMware applications.

- Advertisement - Google News

Mercury uses both custom and well-known hacking tools, as well as integrated operating system tools, to set up a hands-on keyboard attack, once it has gained access to the target organization. 

Once the malware begins to establish persistence, it dumps credentials and moves throughout the organization using both custom and well-known hacking tools.

MERCURY Techniques & Tooling

These are some of the most common techniques used by Mercury:-

  • Adversary-in-the-mailbox phishing
  • Use of cloud file-sharing services
  • Use of commercial remote access applications
  • Tooling
  • Targeting

During the period from July 23 to July 25, 2022, Microsoft’s threat intelligence team observed a number of attacks conducted by foreign entities.

Reconnaissance is the primary function of most commands. This is done by downloading the actor’s tool for lateral movement and persistence through one encoded PowerShell script.

In the aftermath of the successful compromise, it is said that web shells were deployed to allow commands to be executed through the web. A lateral movement would then be possible, which would assist the actor in the process of reconnaissance, persistence, credential theft, etc.

A remote monitoring and management tool called eHorus is also used for C2 communications during intrusions, along with a reverse-tunneling tool called Ligolo, which is the tool of choice for adversaries for reverse tunneling communications.

Commands Executed

Here below we have mentioned the commands that are executed:-

  • cmd.exe /C whoami
  • cmd.exe /C powershell -exec bypass -w 1 -enc UwB….
  • cmd.exe /C hostname
  • cmd.exe /C ipconfig /all
  • cmd.exe /C net user
  • cmd.exe /C net localgroup administrators
  • cmd.exe /C net user admin * /add
  • cmd.exe /C net localgroup Administrators admin /add
  • cmd.exe /C quser

Recommendation

Here below we have mentioned all the mitigations provided by the security experts:-

  • It would be a good idea to check if your network uses SysAid.
  • For guidance on how to prevent, detect, and hunt for the exploitation of the Log4j 2 vulnerability, please refer to the detailed Guidance.
  • Assess your environment for possible intrusions using the included indicators of compromise.
  • Inbound traffic from IP addresses listed in the indicator of the compromise table should be blocked. 
  • Verify authenticity and investigate any anomalous behavior for remote access infrastructure, including single-factor authentication accounts. 
  • MFA mitigates potential credential compromise and ensures all remote connections are MFA enabled.

Secure Azure AD Conditional Access – Download Free White Paper

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

RansomHub Ransomware Deploys Malware to Breach Corporate Networks

The eSentire’s Threat Response Unit (TRU) in early March 2025, a sophisticated cyberattack leveraging...

19 APT Hackers Target Asia-based Company Servers Using Exploited Vulnerabilities and Spear Phishing Email

The NSFOCUS Fuying Laboratory’s global threat hunting system identified 19 sophisticated Advanced Persistent Threat...

FBI Reports ₹1.38 Lakh Crore Loss in 2024, a 33% Surge from 2023

The FBI’s Internet Crime Complaint Center (IC3) has reported a record-breaking loss of $16.6...

Fog Ransomware Reveals Active Directory Exploitation Tools and Scripts

Cybersecurity researchers from The DFIR Report’s Threat Intel Group uncovered an open directory hosted...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

RansomHub Ransomware Deploys Malware to Breach Corporate Networks

The eSentire’s Threat Response Unit (TRU) in early March 2025, a sophisticated cyberattack leveraging...

19 APT Hackers Target Asia-based Company Servers Using Exploited Vulnerabilities and Spear Phishing Email

The NSFOCUS Fuying Laboratory’s global threat hunting system identified 19 sophisticated Advanced Persistent Threat...

FBI Reports ₹1.38 Lakh Crore Loss in 2024, a 33% Surge from 2023

The FBI’s Internet Crime Complaint Center (IC3) has reported a record-breaking loss of $16.6...