Yes, I know we tend to harp on about Log4J on this blog, and apologies for that upfront, but recent events have highlighted the importance of getting this fixed. If I was to say “Mango Sandstorm” to you, you could be excused for thinking this was an exotic cocktail.  In this case however, we are discussing the Iranian state-linked threat actor (also know as MERCURY, MuddyWater or DEV-1084).

Mango Sandstorm has made extensive use of Log4j vulnerabilities, especially Log4Shell, to gain initial access to victim environments^[2][5][4]. As discussed in this blog many times (and this video) ,this vulnerability, due to its ubiquity and ease of exploitation, allowed attackers to execute arbitrary code remotely by injecting malicious strings into log messages processed by vulnerable applications^[6][7]. This attacker likes to utilize this  exploit wherever they can:

1. Reconnaissance and Scanning: Mango Sandstorm actively scans for internet-facing systems running vulnerable versions of Log4j^[1][2].
2. Exploitation: Using the Log4Shell exploit, they achieve remote code execution, often by forcing the application to load malicious code via JNDI lookups^[3][4].
3. Post-Exploitation: They establish persistence, dump credentials, and move laterally, often targeting privileged accounts and hybrid identity infrastructure^[5][6].
4. Destruction or Espionage: Depending on the campaign, they may deploy ransomware to cover tracks or directly destroy cloud and on-premises resources^[7][8].

Mango Sandstorm remains a persistent and evolving threat, adept at leveraging vulnerabilities like Log4j for initial access and capable of both espionage and destructive operations. Their exploitation of Log4j highlights the ongoing risk posed by unpatched systems and the need for robust detection and response capabilities across both on-premises and cloud environments^[9]. This attackers use also highlights the longevity of the Log4j vulnerability.