Last December, it has been reported that Iranian and Chinese hackers were exploiting the Log4Shell vulnerability in the wild. Now, according to the US Cyber security infrastructure and security Agency (CISA), an Iranian government-sponsored advanced persistent threat (APT) group has compromised the network of a US federal agency.
The attack, according to authorities, was launched against the Federal Civilian Executive Branch (FCEB).
Cyber attack details
CISA revealed that hackers used the Log4Shell vulnerability, tracked as CVE-2021-44228, in the unpatched VMware Horizon server to compromise the network and take control of the organization’s domain controller (DC). Once they managed to invade the system, the hackers deployed the XMRig crypto mining software to steal the credentials and mine the crypto.
For your information, Log4Shell is a zero-day vulnerability in a Java logging framework called Log4j which causes arbitrary code execution and affects VMware Horizon and a wide range of products.
According to CISA, their researchers conducted a routine investigation in April 2022 and identified suspicious APT activity on the FCEB network using the EINSTEIN intrusion detection system used by the agency.
They discovered two-way traffic traversing the network and one already found malicious IP address related to the exploitation of the Log4Shell vulnerability in VMware Horizon servers.
CISA further noted that HTTPS activity was initiated from IP address 51.89.18164 to the VMware server. Further investigation revealed that the IP address was associated with the Lightweight Directory Access Protocol (LDAP) server exploited by attackers to deploy Log4Shell.
Who are the attackers?
In a joint council from CISA, the Department of Homeland Security and the FBI, the attack was revealed to have been launched in February 2022. The attackers moved laterally to DC, stole credentials and planted reverse proxies Ngrok on multiple hosts to maintain persistence. US security officials responded in June to clean up the network.
Apparentlyhackers have been identified as Nemesis Kitten, and they launched the attack with the support of the Iranian government. Nemesis Kitten is an extension of Iranian malware group Phosphorus, and they regularly use well-known and highly exploitable vulnerabilities to facilitate ransomware attacks against organizations.
CISA warned that organizations still using the unpatched server versions should be concerned as they will eventually be compromised.