US federal agency, vulnerable servers and Log4Shell

November 28, 2022

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a report on 16 November 2022 regarding the intrusion of Iranian hackers into a federal agency's network. The attackers exploited an unpatched VMware Horizon server that was vulnerable to Log4Shell (CVE-2021-44228), the critical and high-profile vulnerability disclosed in late 2021. They were able to install XMRig cryptocurrency mining software on the vulnerable server [1], followed by PsExec [2], Mimikatz [3] and Ngrok [4].

Using these tools, the attackers were able to harvest credentials, create a new administrator account, disable Windows Defender, and place Ngrok on several hosts to maintain access. In addition, they changed the passwords of local administrator accounts on several hosts, so that access would survive if the newly created account were detected and deleted.
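The behaviours listed above (a new account promoted to Administrators, a local administrator password reset, Defender real-time protection switched off, and ngrok started on a host) are all visible in standard Windows telemetry. The script below is an added example written for this article; it is not code from CERT EXATEL or from the CISA advisory. It triages a handful of constructed event records in a simplified JSON-export shape (the hostnames, account names, paths and timestamps are invented), using the standard Windows Security event IDs 4720, 4724 and 4732, Defender operational event 5001 and Sysmon event 1, and correlates account creation with a subsequent Administrators-group addition on the same host.

```python
"""Triage constructed Windows event records for the post-exploitation
behaviours described in the advisory: new admin accounts, local admin
password resets, Defender being switched off and ngrok execution.
Sample records are constructed for this example; event IDs are the
standard Windows Security / Defender / Sysmon ones."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs); "time" is ISO 8601.
SAMPLE_EVENTS = [
    {"time": "2022-06-14T02:11:03", "host": "HZN-APP01", "channel": "Security",
     "id": 4720, "target": "svc_update"},                       # account created
    {"time": "2022-06-14T02:11:09", "host": "HZN-APP01", "channel": "Security",
     "id": 4732, "target": "svc_update", "group": "Administrators"},  # added to Administrators
    {"time": "2022-06-14T02:15:40", "host": "HZN-APP01",
     "channel": "Microsoft-Windows-Windows Defender/Operational", "id": 5001},  # real-time protection off
    {"time": "2022-06-14T02:20:12", "host": "HZN-APP01",
     "channel": "Microsoft-Windows-Sysmon/Operational", "id": 1,
     "image": "C:\\Windows\\Temp\\ngrok.exe"},                   # ngrok started
    {"time": "2022-06-14T03:02:55", "host": "FS02", "channel": "Security",
     "id": 4724, "target": "Administrator"},                     # local admin password reset
    {"time": "2022-06-14T03:03:10", "host": "FS02",
     "channel": "Microsoft-Windows-Sysmon/Operational", "id": 1,
     "image": "C:\\ProgramData\\ngrok.exe"},
    {"time": "2022-06-20T09:00:00", "host": "WS17", "channel": "Security",
     "id": 4720, "target": "jsmith"},                            # benign onboarding, never promoted
    {"time": "2022-06-20T09:00:05", "host": "WS17",
     "channel": "Microsoft-Windows-Sysmon/Operational", "id": 1,
     "image": "C:\\Windows\\System32\\notepad.exe"},
]

NGROK_NAMES = ("ngrok.exe",)


def parse_time(s):
    return datetime.fromisoformat(s)


def single_event_signals(ev):
    """Signals that need no correlation with other events."""
    chan, eid = ev["channel"], ev["id"]
    if chan == "Security" and eid == 4724 and ev.get("target", "").lower() == "administrator":
        return ["local_admin_password_reset"]
    if chan.startswith("Microsoft-Windows-Windows Defender") and eid == 5001:
        return ["defender_realtime_disabled"]
    if chan.startswith("Microsoft-Windows-Sysmon") and eid == 1:
        image = ev.get("image", "").lower().replace("/", "\\")
        if image.rsplit("\\", 1)[-1] in NGROK_NAMES:
            return ["ngrok_execution"]
    return []


def correlated_signals(events, window=timedelta(minutes=10)):
    """4720 (account created) followed by 4732 into Administrators for the
    same account on the same host within `window` -> new admin account."""
    created = {}
    out = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["channel"] != "Security":
            continue
        key = (ev["host"], ev.get("target", "").lower())
        if ev["id"] == 4720:
            created[key] = parse_time(ev["time"])
        elif ev["id"] == 4732 and ev.get("group") == "Administrators":
            t0 = created.get(key)
            if t0 is not None and parse_time(ev["time"]) - t0 <= window:
                out.append((ev["host"], "new_admin_account"))
    return out


def triage(events):
    """Return {host: sorted unique signal names} for every host with a signal."""
    findings = defaultdict(set)
    for ev in events:
        for sig in single_event_signals(ev):
            findings[ev["host"]].add(sig)
    for host, sig in correlated_signals(events):
        findings[host].add(sig)
    return {h: sorted(s) for h, s in findings.items()}


def severity(signals):
    """Two or more distinct signals on one host mirror the chain in the advisory."""
    return "high" if len(signals) >= 2 else "medium"


if __name__ == "__main__":
    for host, sigs in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {severity(sigs)} {sigs}")
```

The point of the correlation step is that account creation alone is routine (WS17 above is onboarding and produces nothing), while creation followed within minutes by promotion to Administrators on the same host is the pattern the advisory describes; combining it with a Defender-off event or an ngrok process on the same host is what raises the host to high severity.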

The network scan in which the suspicious activity was observed took place in April 2022; incident response activities began in mid-June and lasted about a month.

Information about the Log4Shell vulnerability was published on December 10, 2021, and even then experts described it as the most serious vulnerability in decades. Nevertheless, there are still institutions that neglect basic security hygiene and fail to install updates on vulnerable systems and devices.

[1] XMRig – software used to mine the Monero cryptocurrency.
[2] PsExec – a tool that allows you to execute commands on remote computers.
[3] Mimikatz – a tool used to collect credentials on Microsoft Windows systems.
[4] Ngrok – an application that tunnels traffic from the Internet to a local computer, used to make locally hosted applications available to the world.

Sources:
Alert (AA22-320A). Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester
Iranian hackers and the Log4Shell vulnerability. US federal agency’s network hacked

Published by: CERT EXATEL