Iranian government-sponsored threat actors have been blamed for
compromising a U.S. federal agency by taking advantage of the
Log4Shell vulnerability in an unpatched VMware Horizon server.
The details, which were shared by the U.S. Cybersecurity and
Infrastructure Security Agency (CISA), come in response to incident
response efforts undertaken by the authority from mid-June through
mid-July 2022.
“Cyber threat actors exploited the Log4Shell vulnerability in an
unpatched VMware Horizon server, installed XMRig crypto mining
software, moved laterally to the domain controller (DC),
compromised credentials, and then implanted Ngrok reverse proxies
on several hosts to maintain persistence,” CISA noted[1].
Log4Shell, aka CVE-2021-44228[2], is a critical remote
code execution flaw in the widely used Apache Log4j Java-based
logging library. It was addressed by the open source project
maintainers in December 2021.
The latest development marks[3] the continued[4] abuse[5] of the
Log4j vulnerabilities in VMware Horizon servers by Iranian
state-sponsored groups since the start of the year. CISA did not
attribute the event to a particular hacking group.
However, a joint advisory[6] released by Australia, Canada, the
U.K., and the U.S. in September 2022 pointed fingers at Iran’s
Islamic Revolutionary Guard Corps (IRGC) for exploiting the flaws
to carry out post-exploitation activities.
The affected organization, per CISA, is believed to have been
breached as early as February 2022, when the vulnerability was
weaponized to add a new exclusion rule to Windows Defender that
allowlisted the entire C:\ drive.
Doing so made it possible for the adversary to download a
PowerShell script without triggering any antivirus scans, which, in
turn, retrieved the XMRig[7] cryptocurrency mining software hosted
on a remote server in the form of a ZIP archive file.
The initial access further allowed the actors to fetch additional
files such as PsExec[8], Mimikatz[9], and Ngrok[10], as well as to
use RDP[11] for lateral movement and to disable Windows Defender on
the endpoints.
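A defensive check that follows from the Defender exclusion detail above, added here as an example and not code from the article or from CISA's report: Microsoft Defender Antivirus writes an event (ID 5007) whenever its configuration changes, and the script below parses constructed messages in that style and flags a path exclusion that covers a whole drive, extension or process exclusions that deserve review, and real-time protection being switched off. The sample messages, the registry-key prefixes used for matching and the severity labels are assumptions made for illustration, not values taken from the incident.

```python
import re
from typing import Dict, List, Optional, Tuple

# Registry locations that Defender names in its event ID 5007 messages.
# These prefixes are assumptions used for matching in this example.
DEFENDER_ROOT = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\"
EXCL_PATHS = DEFENDER_ROOT + "Exclusions\\Paths\\"
EXCL_EXTENSIONS = DEFENDER_ROOT + "Exclusions\\Extensions\\"
EXCL_PROCESSES = DEFENDER_ROOT + "Exclusions\\Processes\\"
RT_DISABLE = DEFENDER_ROOT + "Real-Time Protection\\DisableRealtimeMonitoring"

# "New value: <registry key> = <hex value>" is the part of the message that
# carries the change; everything before it is fixed boilerplate.
CHANGE_RE = re.compile(
    r"New value:\s*(HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\.+?)\s*=\s*(0x[0-9A-Fa-f]+)"
)


def _event_message(new_value: str) -> str:
    """Build a constructed event-5007-style message (sample data, not a real log)."""
    return (
        "Microsoft Defender Antivirus Configuration has changed. If this is an "
        "unexpected event you should review the settings as this may be the "
        "result of malware.\n\tOld value: \n\tNew value: " + new_value
    )


# Constructed sample events: a whole-drive exclusion, a narrow path
# exclusion, a script-extension exclusion, real-time protection turned
# off, and one unrelated event that the audit should ignore.
SAMPLE_EVENTS: List[str] = [
    _event_message(EXCL_PATHS + "C:\\ = 0x0"),
    _event_message(EXCL_PATHS + "C:\\Program Files\\ExampleApp\\logs = 0x0"),
    _event_message(EXCL_EXTENSIONS + ".ps1 = 0x0"),
    _event_message(RT_DISABLE + " = 0x1"),
    "Microsoft Defender Antivirus scan has started.",
]


def is_drive_root(path: str) -> bool:
    """True for exclusions such as C:\\ or D:\\* that cover an entire volume."""
    return re.fullmatch(r"[A-Za-z]:", path.rstrip("\\*")) is not None


def classify(key: str, value: str) -> Tuple[str, str]:
    """Map a changed Defender setting to (category, severity)."""
    if key.startswith(EXCL_PATHS):
        path = key[len(EXCL_PATHS):]
        if is_drive_root(path):
            # An exclusion on the drive root blinds the scanner to everything.
            return "drive_root_exclusion", "critical"
        return "path_exclusion", "medium"
    if key.startswith(EXCL_EXTENSIONS):
        return "extension_exclusion", "medium"
    if key.startswith(EXCL_PROCESSES):
        return "process_exclusion", "medium"
    if key == RT_DISABLE and int(value, 16) != 0:
        return "protection_disabled", "critical"
    return "other_config_change", "info"


def parse_event(message: str) -> Optional[Dict[str, str]]:
    """Extract the changed key and its new value, or None for other events."""
    match = CHANGE_RE.search(message)
    if match is None:
        return None
    return {"key": match.group(1), "value": match.group(2)}


def audit_defender_events(messages: List[str]) -> List[Dict[str, str]]:
    """Return one finding per configuration-change event, in input order."""
    findings: List[Dict[str, str]] = []
    for message in messages:
        parsed = parse_event(message)
        if parsed is None:
            continue
        category, severity = classify(parsed["key"], parsed["value"])
        findings.append({**parsed, "category": category, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit_defender_events(SAMPLE_EVENTS):
        print(f"[{finding['severity']:>8}] {finding['category']:<22} "
              f"{finding['key']} = {finding['value']}")
```

In practice the messages would come from the Microsoft-Windows-Windows Defender/Operational channel (via a SIEM export or Get-WinEvent), and the two "critical" categories are the ones worth alerting on immediately, since neither a root-drive exclusion nor disabled real-time monitoring has a routine administrative justification.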
“The threat actors also changed the password for the local
administrator account on several hosts as a backup should the rogue
domain administrator account get detected and terminated,” CISA
noted.
Also detected was an unsuccessful attempt at dumping the Local
Security Authority Subsystem Service (LSASS) process using the
Windows Task Manager, which was blocked by the antivirus solution
deployed in the IT environment.
Microsoft, in a report last month, revealed that cybercriminals
are targeting credentials in the LSASS process owing to the fact
that it “can store not only a current user’s OS credentials but
also a domain admin’s.”
“Dumping LSASS credentials is important for attackers because if
they successfully dump domain passwords, they can, for example,
then use legitimate tools such as PsExec or Windows Management
Instrumentation (WMI) to move laterally across the network,” the
tech giant said[12].
References
[1] noted (www.cisa.gov)
[2] CVE-2021-44228 (thehackernews.com)
[3] marks (thehackernews.com)
[4] continued (thehackernews.com)
[5] abuse (thehackernews.com)
[6] joint advisory (thehackernews.com)
[7] XMRig (www.cisa.gov)
[8] PsExec (attack.mitre.org)
[9] Mimikatz (attack.mitre.org)
[10] Ngrok (attack.mitre.org)
[11] RDP (attack.mitre.org)
[12] said (www.microsoft.com)
Read more https://thehackernews.com/2022/11/iranian-hackers-compromised-us-federal.html
