
Iranian APT Uses Log4j Vulnerability To Hack US Federal Network

 


Author: Dalibor Gašić / Last Updated: 12/03/2022

Reviewed By: Michael Swanagan, CISSP, CISA, CISM


Summary Of The Attack

 

  • In December of last year, US federal agencies were the target of hacking campaigns, and private companies were harmed as well.
  • The Department of the Treasury, the Department of Commerce, and the US Department of Homeland Security were all affected.
  • This time, according to the FBI and CISA, Iranian government-sponsored hackers accessed an undisclosed US federal agency’s network early this year, using the Log4Shell vulnerability to deploy crypto miners and compromise credentials.
  • “Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, advanced to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” according to the advisory.
  • The attack highlights the pervasiveness of the Log4j vulnerability, which made worldwide headlines a year ago and remains a live danger for many businesses.


 

 

What Happened?

 

According to the FBI and CISA, Iranian government-sponsored hackers accessed an undisclosed US federal agency’s network early this year, using the Log4Shell vulnerability to deploy crypto miners and compromise credentials.

 

In a more detailed statement, the agencies say that the hackers broke into an unpatched VMware Horizon server in February 2022, and that US security officials responded to the intrusion in June to clean up the network.

How The Attack Happened

 

“Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, advanced to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” according to the advisory.

The Attack Path

 

Figure: The attack path used to breach US federal networks.

 

After the vulnerable VMware Horizon server was identified, the threat actors connected to it from the following malicious IP address: 182.54.217[.]2

 

The actors built a Windows Defender exclusion rule into the exploit payloads, which was applied by the following PowerShell command:

 

powershell try{Add-MpPreference -ExclusionPath 'C:\'; Write-Host 'added-exclusion'} catch {Write-Host 'adding-exclusion-failed' }; powershell -enc "$BASE64 encoded payload to download next stage and execute it"

 

This rule adds the entire C:\ drive to Defender’s exclusion list. With it in place, the threat actors could download tools anywhere on the C:\ drive without Defender scanning them.

 

The next stage then downloads file.zip from 182.54.217[.]2, extracts it, and deletes mde.ps1 from disk.

 

Researchers recovered that file; inside the archive they found crypto-mining software. The following utilities, totaling roughly 30 megabytes, were also downloaded from a site called transfer[.]sh.

 

The tools the threat actors downloaded are listed below:

 

  • PsExec: A Microsoft-signed remote execution tool for system administrators.
  • Mimikatz: A credential theft tool.
  • Ngrok: A reverse proxy tool for exposing an internal service on an Ngrok domain.

 

After running Mimikatz on VDI-KMS, the actors used the credentials obtained to create a rogue domain administrator account.

 

The actors then used RDP to push the newly created account out to a number of other hosts on the network.

 

To extend their foothold, the threat actors ran the following PowerShell command against Active Directory to enumerate the machines joined to the domain:

 

Powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address >

 

While the primary goal was access to the domain controller, the threat actors also changed the local administrator password on hosts as a fallback in case the rogue domain admin account was identified and disabled.
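As an added defensive example (not from the original article or the CISA advisory), the following Python script scans PowerShell script-block log lines for the three activities described above: an Add-MpPreference exclusion whose path is a bare drive root, an -enc encoded command (decoded for review), and whole-domain Get-ADComputer enumeration. The sample log lines and the encoded payload are constructed, and the rule names are my own.

```python
import base64
import re

# Constructed sample lines in the style of PowerShell script-block logging
# (Event ID 4104); not real telemetry from the incident. The encoded payload is
# a harmless placeholder generated here so the decode path runs offline.
PLACEHOLDER_B64 = base64.b64encode(
    "Write-Host 'placeholder next stage'".encode("utf-16le")).decode()
SAMPLE_LOGS = [
    "try{Add-MpPreference -ExclusionPath 'C:\\'; Write-Host 'added-exclusion'} "
    "catch {Write-Host 'adding-exclusion-failed'}",
    "powershell -enc " + PLACEHOLDER_B64,
    "Add-MpPreference -ExclusionPath 'C:\\Program Files\\Backup Agent\\'",
    "get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address > hosts.txt",
    "Get-ADComputer -Identity FILE01 -Properties OperatingSystem",
]

# A bare drive root such as C:\ as the exclusion path blinds Defender to the
# whole volume; a narrower path (third sample line) is not flagged by this rule.
ROOT_EXCLUSION = re.compile(
    r'''Add-MpPreference\s+-ExclusionPath\s+['"]?([A-Za-z]:\\?)['"]?(?=[\s;,]|$)''', re.I)
# -enc / -EncodedCommand carries a base64-encoded UTF-16LE script; decode it for review.
ENCODED_CMD = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Whole-domain computer enumeration, the recon step that precedes lateral movement.
AD_RECON = re.compile(r"get-adcomputer\s+-filter\s+\*", re.I)


def decode_encoded_command(b64: str) -> str:
    """Return the plaintext of a PowerShell -EncodedCommand argument."""
    return base64.b64decode(b64).decode("utf-16le", errors="replace")


def analyze_line(line: str) -> list:
    """Return (rule, detail) findings for one script-block log line."""
    findings = []
    m = ROOT_EXCLUSION.search(line)
    if m:
        findings.append(("defender_root_exclusion", m.group(1)))
    m = ENCODED_CMD.search(line)
    if m:
        findings.append(("encoded_command", decode_encoded_command(m.group(1))))
    if AD_RECON.search(line):
        findings.append(("ad_computer_enumeration", line.strip()))
    return findings


def scan(lines) -> list:
    """Run every rule over every line; returns [(line_no, rule, detail), ...]."""
    return [(n, rule, detail) for n, line in enumerate(lines, 1)
            for rule, detail in analyze_line(line)]
```

Running scan(SAMPLE_LOGS) flags lines 1, 2 and 4 and leaves the narrow exclusion and the single-host lookup alone; in production the same rules would run over exported 4104 events with script-block logging enabled.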


Log4j Vulnerability Still Persists

 

The attack highlights the pervasiveness of the Log4j vulnerability, which made worldwide headlines a year ago and remains a live danger for many businesses, with CISA warning late last year that the issue could affect hundreds of millions of devices.

 

“Log4j is particularly difficult to identify and patch as it may be bundled as a deep dependency in software bought and operated by companies without the resources to find and patch such a vulnerability,” Jamie Boote, software security consultant at Synopsys Software Integrity Group, told SC Media.

 

However, as part of an emergency Binding Operational Directive issued by CISA to civilian government agencies last year, federal agencies were required to inventory all of their software assets against a CISA-managed GitHub repository of software believed to be affected by the flaw and to prioritize patching.

 

The flaw was eventually added to the agency’s Known Exploited Vulnerabilities catalog, a constantly updated list of vulnerabilities that civilian government agencies must detect and patch within two weeks.

 

“We have alerted people affected and are revealing more here because we take our commitment to security, privacy, and openness seriously,” they stated, adding: “We also investigated our logs, and found no indication of successful misuse.”

Wrapping Up

 

The bottom line is that we still have plenty of devices across the internet vulnerable to Log4j.

 

We are also aware that some organizations still do not grasp the seriousness of such vulnerabilities.

 

Organizations must continually focus on identifying and mitigating vulnerabilities inside their business in order to have the best possible protection.

 


Dalibor Gašić

Dalibor is a Senior Security Engineer with experience in penetration testing having recently served over 8 years in the Ministry of Internal Affairs in the Department of Cyber Security in Serbia.
