Iranian government-sponsored advanced persistent threat (APT) actors breached the Federal Civilian Executive Branch (FCEB) and its network, according to a cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI). 

In the course of incident response activities, CISA determined that the APT actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.   

From mid-June through mid-July 2022, CISA conducted an onsite incident response engagement and determined that the organization was compromised as early as February 2022 by likely Iranian government-sponsored APT actors.

CISA and the FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat-hunting activities. If suspected initial access or compromise is detected based on indicators of compromise (IOCs) or actors’ tactics, techniques, and procedures (TTPs), the federal agencies encourage all organizations to assume lateral movement by threat actors, investigate connected systems (including the DC), and audit privileged accounts.

All organizations, regardless of identified evidence of compromise, should apply recommendations in the mitigations section of the cybersecurity advisory to protect against similar malicious cyber activity, including:

• Install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest versions
• Keep all software updated and prioritize patching known exploited vulnerabilities (KEVs).
• Minimize the internet-facing attack surface
• Use best practices for identity and access management (IAM)
• Audit domain controllers 
• Create a deny list of known compromised credentials
• Secure credentials by restricting where accounts and credentials can be used

In addition to applying mitigations, CISA and FBI recommend exercising, testing, and validating the organization’s security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in the advisory. 

Yaron Kassner, CTO and Co-Founder of Silverfort, says, “The alert from CISA is evidence of the unfortunate legacy we were warned to expect from Log4Shell at the time of its discovery. It is a gift to state actors and access brokers, and this attack is proof of the impact critical vulnerabilities such as this can have when left unpatched. As we see here, once a toehold is gained — attackers are then able to simply pick up administrator credentials and use them to move laterally before eventually compromising the entire domain. This emphasizes the need for MFA inside the network, which was clearly missing here. Hopefully, crypto-mining was the sole outcome of this attack and not more than that.” 

When Log4Shell initially was announced, Christopher Hallenbeck, Chief Information Security Officer, Americas at Tanium, says, “most security practitioners knew this would be a long-lived issue given how many places the vulnerable software was embedded, along with the difficulty in identifying its presence.” Hallenbeck says the industry will continue to see reports like this exploiting not just Log4Shell but other as yet unknown vulnerabilities hidden within a Software Bill Of Materials (SBOM).  “The challenge has been so great that the government is moving forward with a plan to require an SBOM be created for all software deployed on federal systems.” 

Hallenbeck adds, "Time favors the attacker, and the unfortunate reality is that small agencies may not have the resources to support a robust cybersecurity program so they must find ways to improve patching efficacy and increase visibility across their estate. Having access to real-time data and a rapid remediation capability is fundamental to enabling FECB agencies to quickly identify and respond to these types of attacks. A nation-state attacker might engage in financially motivated hacking as a way to augment their operations and maintain funding especially when faced with economic uncertainty and other financial sanctions. Crypto offers a convenient means of obtaining and moving funds in a way that could bypass such sanctions. North Korean hackers have previously been reported as having been involved in large scale funds transfer thefts, so reporting of Iranian state-backed hackers doing similar is unsurprising.” 

Karl Steinkamp, Director of Delivery Transformation and Automation at Coalfire, recommends organizations ensure they have prevention and detection measures in place to eliminate the effectiveness of these types of attacks while vendor security patching is conducted. "These measures include but are not limited to: 1. running regular internal and external vulnerability scans; 2. conducting regular penetration testing activities to proactively identify these before being exploited by malicious actors; and 4. Maintaining and reviewing adequate system and application-level logging," Steinkamp says.