US federal agency breached by Iranian state-backed hackers via Log4Shell exploit

The White House is the daytime
(Image credit: Shutterstock)

The US government has revealed Iranian state-sponsored cyber attackers successfully breached a federal agency by exploiting Log4Shell.

The Iranian-backed hackers have not been attributed to any known threat actor at this time, but the hackers used their access to deploy the XMRig crypto miner and the Mimikatz credential harvester.

According to a joint advisory published by CISA and the FBI, the attack took place in February 2022 but a full incident response engagement wasn’t carried out until June.

The resulting investigation revealed the threat actor had gained initial access to the federal agency’s VMware Horizon server by exploiting the Log4Shell vulnerability, which was discovered in late 2021.

After gaining initial access, the Iran-backed hackers ran commands to disable Windows Defender from running virus scans on downloaded tools before deploying the XMRig cryptocurrency mining tool on the VMware Horizon server.

The attackers then moved laterally across the network and used Mimikatz to harvest credentials and create a domain administrator account.

This was then used to implant the Ngrok reverse proxy tool - often associated with malicious activity - on multiple hosts to establish persistence and proxy the attackers remote desktop protocol (RDP) connections.

“From mid-June through mid-July 2022, CISA conducted an on-site incident response engagement and determined that the organisation was compromised as early as February 2022, by likely Iranian government-sponsored APT actors who installed XMRig crypto mining software,” the advisory read.

“The threat actors also moved laterally to the domain controller, compromised credentials, and implanted Ngrok reverse proxies.”

Failure to patch?

The discovery of the Log4Shell vulnerability in December 2021 caused major unrest in the cyber security community.

The degree to which enterprise software was vulnerable to the security flaw - the highest estimates were in the region of 90% of all applications - was a particular concern.

Log4Shell’s discovery came just weeks after CISA introduced its ‘madatory patch programme’ - a list of the most commonly exploited vulnerabilities that all federal agencies had to patch by a specific deadline.

CISA issued an emergency directive adding Log4Shell to the list of vulnerabilities that had to patched across all federal agencies on 10 December, and set a deadline for patching the flaw by 24 December.

IT Pro asked CISA in November 2021, after the first deadline to patch the initial list of known vulnerabilities had passed, whether all federal agencies had successfully patched all flaws by the set deadline. The US’ cyber security agency declined to confirm that all agencies had met that deadline.

"The breach of a US government agency is realistically one of the many breaches that will come to light where threat actors successfully exploit Log4Shell,” said Bob Huber, CSO at Tenable.

“In the coming days, Tenable will release an alert examining the impact of Log4Shell, in which we found that nearly three out of four organisations are still vulnerable to the flaw.

"The reality is that full remediation of Log4Shell is difficult to achieve given its prevalence and the fact that whenever an organisation adds new assets, it could be reintroducing the vulnerability. The best way to thwart attackers is to remain diligent and consistent in remediation efforts."

One of the initial concerns with Log4Shell was organisaitons’ ability to detect whether the vulnerable log4j component was present in any of their software products.

Paul Baird, UK chief technical security officer at Qualys, told IT Pro that detection was a challenge for all organisations and that others may not be able to change the version of the log4j component as it may break their application.

“Patching issues like log4j is necessary – all the security experts in the world will tell you to patch immediately or as soon as you can,” said Baird.

“But you can only patch what you know about, and it is not as easy as just apply a patch - you have to know your infrastructure and have good rollback plans in the event that something goes wrong. A lot of organisations don't have good business continuity plans including backups, so they tend to just add the system to a risk register and accept the risk.

“This is a problem for security teams in the public sector because they are very stretched and there are so many priorities fighting for their attention. However, fixing known problems is the best defence.”

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.