Iran-linked threat actors compromise US Federal Network

Iran-linked threat actors compromised a Federal Civilian Executive Branch organization using a Log4Shell exploit and installed a cryptomining malware.

According to a joint advisory published by the FBI and CISA, an Iran-linked APT group compromised a Federal Civilian Executive Branch (FCEB) organization using an exploit for the Log4Shell flaw (CVE-2021-44228) and deployed a cryptomining malware.

Log4Shell impacts the products of several major companies that use Log4j, but in many attacks, the vulnerability has been exploited against affected VMware software.

In this specific case, the Iranian hackers hacked an unpatched VMware Horizon server to gain remote code execution.

“CISA obtained four malicious files for analysis during an on-site incident response engagement at a Federal Civilian Executive Branch (FCEB) organization compromised by Iranian government sponsored advanced persistent threat (APT) actors.” reads the Malware Analysis Report (AR22-320A) published by CISA. These files have been identified as variants of the XMRIG cryptocurrency mining software. The files include a kernel driver, two Windows executables, and a configuration file to control one of the executable’s behavior on the network and infected host.”

CISA conducted an incident response engagement in the impacted Federal Civilian Executive Branch (FCEB) organization between mid-June and mid-July 2022.

The government experts discovered that after the installation of the XMRig crypto miner, the attackers performed lateral movement reaching the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence within the compromised network.

“CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.” reads the joint advisory. “CISA and FBI are releasing this Cybersecurity Advisory (CSA) providing the suspected Iranian government-sponsored actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help network defenders detect and protect against related compromises.”

CISA and FBI encourage all organizations running vulnerable VMware servers to assume compromise and initiate threat-hunting activities.

The join advisory urges organizations that suspect initial access or compromise to assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts. The advisory includes recommendations to protect against similar malicious cyber activity.

CISA and FBI recommend:

• Install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version.
• Keep all software up to date and prioritize patching known exploited vulnerabilities (KEVs).
• Minimize the internet-facing attack surface.
• Use best practices for identity and access management (IAM).
• Audit domain controllers.
• Create a deny list of known compromised credentials.
• Secure credentials by restricting where accounts and credentials can be used.

In June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), published a joint advisory to warn of hacking attempts exploiting the Log4Shell flaw in VMware Horizon servers to compromise target networks.

“CISA and the United States Coast Guard Cyber Command (CGCYBER) have released a joint Cybersecurity Advisory (CSA) to warn network defenders that cyber threat actors, including state-sponsored advanced persistent threat (APT) actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon® and Unified Access Gateway (UAG) servers to obtain initial access to organizations that did not apply available patches.” reads the advisory.

The CVE-2021-44228 flaw made the headlines in December after Chinese security researcher p0rz9 publicly disclosed a Proof-of-concept exploit for the critical remote code execution zero-day vulnerability (aka Log4Shell) that affects the Apache Log4j Java-based logging library.

In one attack documented by government experts, threat actors were able to move laterally inside the network and collect and exfiltrate sensitive data.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

[adrotate banner=”5″]

[adrotate banner=”13″]