The U.S. government’s cybersecurity agency says hackers backed by the Iranian government compromised a federal agency that failed to patch against Log4Shell, a vulnerability fixed almost a year ago.
In an alert published Thursday, the Cybersecurity and Infrastructure Security Agency said that a federal civilian executive branch organization (FCEB) was breached by Iranian government hackers earlier in February.
CISA did not name the breached FCEB agency, a list that includes the likes of the Department of Homeland Security, the Department of the Treasury and the Federal Trade Commission, and CISA spokesperson Michael Feldman declined to answer our questions when reached by TechCrunch.
CISA said it first observed the suspected activity on the unnamed federal agency’s network months later in April while conducting retrospective analysis using Einstein, a government-run intrusion detection system used to protect federal civilian agency networks. The agency found that the hackers had exploited Log4Shell, a critical zero-day vulnerability in the ubiquitous open source logging software Log4j, in an unpatched VMware Horizon server to gain initial access into the organization’s network with administrator and system-level access.
VMware released security patches for Horizon servers in December. But this compromise happened even though CISA had ordered all federal civilian agencies to patch their systems affected by the Log4Shell vulnerability by December 23.
Once inside the organizations’ network, CISA observed the threat actors installed XMRig, open source crypto mining software that is commonly abused by hackers for mining virtual currency on compromised computers. The attackers also installed Mimikatz, an open source credential stealer, to harvest passwords and to create a new domain administrator account. Using this newly created account, the hackers disabled Windows Defender and implanted Ngrok reverse proxies on several hosts in order to maintain their access in the future.
The attackers also changed the password for the local administrator account on several hosts as a backup should the rogue domain administrator account get detected and terminated.
It’s not clear for what reason the hackers targeted the U.S. federal agency. Broad access to an organization’s network can be used for both espionage as well as launching destructive attacks.
CISA, which has not attributed the breach to a particular advanced persistent threat (APT) group, shared indicators of compromise (IOCs) to help network defenders detect and protect against similar compromises. CISA also said that organizations that haven’t yet patched VMware systems against Log4Shell should assume that they’ve already been breached and advises them to start hunting for malicious activity within their networks.
The agency also urges organizations to keep all software up-to-date, implement and prevent users from using known compromised passwords.