In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team detected Iran-based threat actor MERCURY leveraging exploitation of Log4j 2 vulnerabilities in SysAid applications against organizations all located in Israel. MSTIC assesses with high confidence that MERCURY’s observed activity was affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
While MERCURY has used Log4j 2 exploits in the past, such as on vulnerable VMware apps, we have not seen this actor using SysAid apps as a vector for initial access until now. After gaining access, MERCURY establishes persistence, dumps credentials, and moves laterally within the targeted organization using both custom and well-known hacking tools, as well as built-in operating system tools for its hands-on keyboard attack.
This blog details Microsoft’s analysis of observed MERCURY activity and related tools used in targeted attacks. This information is shared with our customers and industry partners to improve the detection of these attacks, such as implementing detections against MERCURY’s tools in both Microsoft Defender Antivirus and Microsoft Defender for Endpoint. As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised, providing them with the information needed to secure their accounts.
