Iranian threat actors exploit Log4Shell vulnerability in SysAid apps
According to recent reports, Iranian government hackers have exploited the Log4Shell vulnerability in SysAid apps to gain initial access to targeted organizations. Microsoft tracks the threat actor as Mercury.
The Log4Shell vulnerability first surfaced in 2021, affecting the Apache Log4j logging utility. The flaw, tracked as CVE-2021-44228, allows remote code execution. Many profit-driven cybercriminals and state-sponsored cyberspies leveraged it.
The Log4Shell vulnerability affects products from several major companies that use Log4j; in many instances, however, it has been exploited against VMware software.
Mercury has previously exploited Log4j vulnerabilities, but this is the first time the threat actor has been seen targeting SysAid apps; previously it did so against VMware software. Microsoft expressed moderate confidence that the hackers exploited SysAid server instances.
There have been no other reports of threat actors exploiting Log4Shell against SysAid applications.
SysAid provides IT service management solutions. The company addressed the Log4Shell vulnerability soon after researchers discovered it; however, some instances still remain unpatched.
Microsoft asserted that the threat actor leveraged Log4j exploits against VMware applications in early 2022. The group likely searched the internet for similar applications that might carry the same vulnerability. According to Microsoft, SysAid must have appeared an attractive target because of its presence in the targeted country.