The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has reported a security breach involving a federal agency, attributed to threat actors affiliated with the Iranian government. The attackers exploited the Log4Shell vulnerability found in an unpatched VMware Horizon server, demonstrating a sophisticated exploitation technique.

The breach, which occurred between mid-June and mid-July 2022, highlights serious vulnerabilities that can be weaponized if not addressed promptly. CISA detailed that the attackers installed XMRig cryptocurrency mining software after exploiting the Log4Shell vulnerability, subsequently moving laterally to the domain controller (DC) and compromising credentials, leading to further infiltration.

Log4Shell, officially recognized as CVE-2021-44228, is a severe remote code execution flaw in the Apache Log4j logging library that was patched by developers in December 2021. Despite the availability of a fix, Iranian state-sponsored hackers have continued to target systems vulnerable to this flaw, particularly VMware Horizon servers, illustrating the ongoing risk posed by unpatched vulnerabilities.

According to CISA, the affected agency was breached as early as February 2022, with the attackers leveraging the vulnerability to modify Windows Defender exclusion rules, allowing downloads to occur without triggering antivirus alerts. This tactic facilitated the introduction of XMRig, among other malicious payloads.

In addition to cryptocurrency mining, the intruders obtained a range of tools, including PsExec and Mimikatz, which let them move further through the network and execute commands. They also used Remote Desktop Protocol (RDP) for lateral movement while attempting to disable Windows Defender protections on various endpoints, activity that maps to tactics described in the MITRE ATT&CK framework, particularly initial access and persistence.
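As an added example, not part of CISA's report or this article, the following Python script shows how a defender might flag the two Defender-tampering behaviours described above: exclusion rules being added (so dropped files are never scanned) and real-time protection being switched off. It scans Defender configuration-change event messages (modelled on the text of Defender operational event ID 5007); the sample messages, the path and process heuristics, and the severity labels are constructed for illustration.

```python
import re

# Constructed sample messages modelled on Defender operational-log event 5007
# ("configuration has changed"); the excluded paths and values are invented.
SAMPLE_EVENTS = [
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\Libraries = 0x0",
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\powershell.exe = 0x0",
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Corp\App = 0x0",
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates\AVSignatureVersion = 1.0",
]

# A new exclusion shows up as a value under Exclusions\<Paths|Processes|Extensions>.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<item>.+?)\s*=\s*0x0\s*$", re.IGNORECASE)
# A Disable* flag under Real-Time Protection flipping to 1 means protection was turned off.
DISABLE_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Real-Time Protection\\"
    r"(?P<setting>Disable\w+)\s*=\s*0x1\s*$", re.IGNORECASE)

# Locations any user can write to: excluding them lets a dropped payload run unscanned.
WRITABLE_PREFIXES = ("c:\\users\\public", "c:\\programdata", "c:\\windows\\temp", "c:\\temp")
# Interpreters and LOLBins that should never be excluded wholesale (heuristic list).
DUAL_USE_PROCS = {"powershell.exe", "cmd.exe", "rundll32.exe", "wscript.exe", "mshta.exe", "regsvr32.exe"}

def classify(kind, item):
    """Rate an exclusion: 'high' if it covers user-writable space or a dual-use binary."""
    kind, low = kind.lower(), item.lower()
    if kind == "paths" and (low.startswith(WRITABLE_PREFIXES) or "\\appdata\\" in low):
        return "high"
    if kind == "processes" and low.rsplit("\\", 1)[-1] in DUAL_USE_PROCS:
        return "high"
    if kind == "extensions" and low.lstrip(".") in {"exe", "dll", "ps1", "bat"}:
        return "high"
    return "review"  # a legitimate-looking exclusion still deserves a change-ticket check

def audit_defender_changes(messages):
    """Return one finding per exclusion added or protection disabled; other changes are ignored."""
    findings = []
    for msg in messages:
        m = EXCLUSION_RE.search(msg)
        if m:
            kind, item = m.group("kind"), m.group("item")
            findings.append({"type": f"exclusion:{kind.lower()}", "item": item, "severity": classify(kind, item)})
            continue
        d = DISABLE_RE.search(msg)
        if d:
            findings.append({"type": "protection_disabled", "item": d.group("setting"), "severity": "high"})
    return findings

if __name__ == "__main__":
    for f in audit_defender_changes(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] {f['type']}: {f['item']}")
```

In a real deployment the messages would come from the Microsoft-Windows-Windows Defender/Operational channel via a SIEM or `Get-WinEvent`, and any finding should be correlated with the account and process that made the change.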

Moreover, the actors attempted to dump sensitive information from the Local Security Authority Subsystem Service (LSASS) using Windows Task Manager, although these efforts were thwarted by the active antivirus measures in place. Microsoft has emphasized that extracting credentials from LSASS is critical for attackers, as it holds a wealth of valid credentials, including those belonging to domain administrators.

CISA’s insights underscore the necessity for vigilance in cybersecurity protocols, especially with respect to maintaining updated defenses against known vulnerabilities. The agency has not publicly attributed the attack to a specific Iranian hacking group, yet a joint advisory from nations including Australia and the U.K. previously indicated involvement from Iran’s Islamic Revolutionary Guard Corps (IRGC) in exploiting similar vulnerabilities.

As cyber threats continue to evolve in complexity, organizations must prioritize timely updates and comprehensive security assessments to mitigate the increasingly sophisticated tactics employed by adversaries.