The Cybersecurity and Infrastructure Security Agency (CISA) said Iranian hackers exploited the unpatched Log4Shell vulnerability to compromise a federal agency, where they then deployed cryptominers. Log4Shell (CVE-2021-44228) is a critical remote code execution flaw in Apache’s Log4j logging library, which is widely used by Java developers.
The breach occurred as early as February 2022 and affected an unnamed Federal Civilian Executive Branch (FCEB) agency. The Washington Post, however, identified the compromised agency as the United States Merit Systems Protection Board, citing people familiar with the case.
Iranian Hackers Install XMRig Crypto Miner in Federal System
CISA discovered the intrusion in April during a network-wide analysis using its EINSTEIN intrusion detection system. The agency found “bi-directional traffic between the network and a known malicious IP address associated with exploitation of the Log4Shell vulnerability.”
CISA then conducted an “incident response operation” from mid-June to mid-July 2022 and discovered “suspicious advanced and persistent threat activity.”
Once inside, the Iranian hackers deployed the open-source XMRig crypto miner, which is popular with attackers because it earns virtual currency using the victim’s computing resources. CISA’s analysis identified several files associated with XMRig, including WinRing0x64.sys, the XMRig miner driver, and the crypto miner service wacltservice.exe.
The response team also identified another file, RuntimeBroker.exe, associated with a cryptominer that could create local user accounts and check internet connectivity.
“A cyber threat actor exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto-mining software, moved laterally to a domain controller (DC) and exfiltrated credentials. They compromised and implanted Ngrok reverse proxies on multiple hosts to maintain persistence,” the report notes.
The Iranian hackers also changed the passwords of local administrator accounts on multiple hosts as a backup access method in case their access to compromised systems was revoked. Additionally, they attempted to use Windows Task Manager to dump the Local Security Authority Subsystem Service (LSASS) process, which was blocked by antivirus software. According to Microsoft, attackers target LSASS because it stores passwords for both local and domain administrators; once those credentials are obtained, legitimate tools like PsExec and Windows Management Instrumentation (WMI) can be used to move laterally without raising suspicion.
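As an added example (not part of the original article or the CISA report), the following Python hunt flags the activity described above in constructed Windows Security and Sysmon-style events: non-allow-listed access to lsass.exe, local administrator password resets, local account creation, and the XMRig file names named in the report. The event records, the LSASS allow-list and the host names are assumptions made for illustration.

```python
"""Hunt constructed Windows telemetry for the TTPs described in the CISA report."""
from typing import Dict, List, Tuple

# Illustrative allow-list of processes that routinely open lsass.exe; tune per estate.
LSASS_ACCESS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
LOCAL_ADMIN_NAMES = {"administrator"}
# File names the report associates with the XMRig deployment.
XMRIG_ARTIFACTS = {"winring0x64.sys", "wacltservice.exe"}

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (rule, host, detail) tuples for events matching the report's TTPs."""
    hits = []
    for e in events:
        src, eid, host = e["src"], e["id"], e["host"]
        if src == "Sysmon" and eid == 10 and _basename(e["TargetImage"]) == "lsass.exe":
            # Sysmon 10 (ProcessAccess): Task Manager dumping LSASS shows up here.
            accessor = _basename(e["SourceImage"])
            if accessor not in LSASS_ACCESS_ALLOWLIST:
                hits.append(("lsass_access", host, accessor))
        elif src == "Security" and eid == 4724 and e["TargetUserName"].lower() in LOCAL_ADMIN_NAMES:
            # 4724: password reset attempted on a local admin account (backup access).
            hits.append(("local_admin_password_reset", host, e["SubjectUserName"]))
        elif src == "Security" and eid == 4720:
            # 4720: a new local user account was created.
            hits.append(("local_account_created", host, e["TargetUserName"]))
        elif src == "Sysmon" and eid in (1, 11):
            # Sysmon 1/11 (process / file create): XMRig artifacts. The genuine
            # RuntimeBroker.exe lives in System32, so only other paths are flagged.
            path = e.get("Image") or e.get("TargetFilename") or ""
            name = _basename(path)
            in_system32 = path.lower().startswith("c:\\windows\\system32\\")
            if name in XMRIG_ARTIFACTS or (name == "runtimebroker.exe" and not in_system32):
                hits.append(("xmrig_artifact", host, name))
    return hits

def hosts_by_rule_count(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Distinct rules fired per host; several on one host suggests the full chain."""
    per_host: Dict[str, set] = {}
    for rule, host, _ in hits:
        per_host.setdefault(host, set()).add(rule)
    return {h: len(rules) for h, rules in per_host.items()}

SAMPLE_EVENTS = [  # constructed sample events, not data from the advisory
    {"src": "Sysmon", "id": 10, "host": "HZN01", "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"src": "Sysmon", "id": 10, "host": "HZN01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"src": "Security", "id": 4724, "host": "HZN01", "TargetUserName": "Administrator", "SubjectUserName": "svc_horizon"},
    {"src": "Security", "id": 4720, "host": "WS02", "TargetUserName": "backup_adm", "SubjectUserName": "svc_horizon"},
    {"src": "Sysmon", "id": 11, "host": "WS02", "TargetFilename": r"C:\ProgramData\WinRing0x64.sys"},
    {"src": "Sysmon", "id": 1, "host": "WS02", "Image": r"C:\Windows\System32\RuntimeBroker.exe"},
    {"src": "Sysmon", "id": 1, "host": "WS02", "Image": r"C:\Users\Public\RuntimeBroker.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` yields five findings across the two constructed hosts, and `hosts_by_rule_count` shows two distinct rules firing on each, which is the kind of correlation an analyst would escalate.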
The Iranian hackers installed a cryptocurrency miner, but earning cryptocurrency could also have been a goal of the cyber espionage campaign. Christopher Hallenbeck, Chief Information Security Officer for the Americas at Tanium, said: “Nation-state attackers may engage in financially motivated hacking as a way to strengthen operations and preserve funds, especially in the face of economic uncertainty and other financial sanctions.”
“North Korean hackers have been previously reported to be involved in large-scale money theft, so reports of Iranian government-backed hackers doing the same are not surprising,” Hallenbeck said.
Mike Parkin, Senior Technical Engineer at Vulcan Cyber, considers the deployment of cryptominers an added bonus and a disguise for criminal activity.
“The real question when looking at crypto-mining malware is, why not? It is not uncommon for nation-states and state-sponsored threat actors to behave like common cybercriminal groups. It can help obfuscate the source of threats and at the same time generate extra cash from criminal activity.”
Similarly, Karl Steinkamp, Director of Delivery Transformation and Automation at Coalfire, said that installing cryptominers is not uncommon for nation-state attackers.
“It is not uncommon for malicious individuals/groups to bundle XMRig, a flexible and lightweight cryptocurrency miner, with other exploits and persistent threat mechanisms.”
Iranian hackers exploit unpatched Log4Shell vulnerability in VMware Horizon servers
According to a joint advisory by CISA and the FBI, hackers suspected of being backed by the Iranian government exploited an unpatched Log4Shell vulnerability in the logging library affecting VMware’s Horizon server.
VMware released a patch for the Log4Shell vulnerability in December 2021, and the Log4j maintainers patched the library in the same month. In addition, CISA directed all federal civilian agencies to patch their systems by Dec. 23 and released tools to help organizations detect the Log4Shell vulnerability in their systems.
Security experts believe the Log4Shell vulnerability will be abused for years to come. According to CISA, any organization that has not patched the vulnerability should be considered compromised.
“When Log4Shell was first announced, most security experts knew this was going to be a long-standing problem given the number of places the vulnerable software was embedded and the difficulty of identifying its existence,” said Hallenbeck. “We expect to continue to see reports like this of unknown vulnerabilities hidden in software, not only Log4Shell, which is why plans are moving forward to require that a Software Bill of Materials (SBOM) be created for all software deployed on federal systems.”