Iranian state-sponsored cyber criminals used an unpatched Log4j flaw to break into a US government network, illegally mine for cryptocurrency, steal credentials and change passwords, and then snoop around undetected for several months, according to CISA.
In an alert posted Wednesday, the US cybersecurity agency said it detected the advanced persistent threat (APT) activity on an unnamed federal civilian executive branch (FCEB) organization’s network in April.
“CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors,” according to the alert.
During the investigation, incident responders determined that the criminals gained initial access in February by exploiting Log4Shell. This, of course, is the vulnerability in the widely used Apache Log4j open-source logging library discovered back in November 2021.
Shortly after, CISA issued an emergency directive requiring federal agencies to plug the hole by December 23, 2021. But it looks like someone missed the memo, and a couple of months later miscreants exploited the bug for initial access to the organization’s unpatched VMware Horizon server.
After breaking in, the Iranians installed XMRig on the server to mine for cryptocurrency — because why not make a passive buck or two while spying? They then moved laterally to a VMware VDI-KMS host before downloading a Microsoft-signed tool for system administrators (PsExec) along with Mimikatz to steal credentials, and reverse proxy tool Ngrok, which allowed them to bypass firewall controls and maintain access to the network.
The crooks also changed the password for the local administrator account on several hosts as a plan B just in case the rogue domain admin account was flagged and terminated. They tried to dump the Local Security Authority Subsystem Service (LSASS) process, but were stopped by antivirus code installed on the machines, we’re told.
In the alert, CISA and the FBI suggest several mitigation measures organizations should take to improve their security posture.
First on the list — for the love of god, people — patch the damn VMware Horizon systems to ensure they aren’t running buggy Log4j code. “If updates or workarounds were not promptly applied following VMware’s release of updates for Log4Shell in December 2021, treat those VMware Horizon systems as compromised,” the Feds noted.
Despite it being almost a year since the discovery of Log4Shell, “I’m not surprised we are seeing reports like today’s CISA and FBI advisory,” Chainguard CEO and co-founder Dan Lorenc told The Register.
“Log4shell is endemic and it’s going to be around forever,” he added. “It will remain in every attacker’s toolbox and continue to be used to gain access or for lateral movement for the foreseeable future.”
But, he added, recent moves including White House meetings and legislation to secure pen source software means “not all hope is lost.”
Meanwhile, CISA and friends advise keeping all software up to date and prioritize patching known exploited vulnerabilities.
Organizations should also isolate essential services in a segregated, demilitarized zone, so they’ve not exposed to internet-facing attacks.
Additionally, keep credentials safe by creating a “deny list” of known compromised usernames and passwords, and CISA suggests also using a local device credential protection feature.
Today’s cybersecurity warning comes as the US has issued new sanctions against Iranian individuals and organizations in response to the state’s brutal crackdown against protestors who condemned Mahsa Amini‘s murder in September.
Uncle Sam has also recently issued indictments against three Iranians linked to the country’s Islamic Revolutionary Guard Corps (IRGC) for their alleged roles in plotting ransomware attacks against American critical infrastructure.
The country’s cozy relationship with cybercriminals makes it difficult to distinguish between state-sponsored murderers and cyberspies such as the IRGC and hackers-for-hire, Mandiant’s head of intelligence analysis John Hultquist told The Register.
“Iran and their peers depend on contractors to carry out cyber espionage and attack activities,” he said. “Many of these contractors moonlight as criminals and it can be difficult to distinguish this activity from the work done at the behest of the state.”
The Google-owned threat intel firm “suspects that at least in some cases the state ignores the crime as part of the Faustian bargain they strike in order to access the talent and capabilities available outside the public sector,” Hultquist said. ®