
US federal agency breached by Iranian state-backed hackers via Log4Shell exploit

The initial intrusion was discovered in February but a full incident response wasn't launched until June

The US government has revealed Iranian state-sponsored cyber attackers successfully breached a federal agency by exploiting Log4Shell.

The Iranian-backed hackers have not been attributed to any known threat actor at this time. They used their access to deploy the XMRig crypto miner and the Mimikatz credential harvester.

According to a joint advisory published by CISA and the FBI, the attack took place in February 2022 but a full incident response engagement wasn’t carried out until June.

The resulting investigation revealed the threat actor had gained initial access to the federal agency’s VMware Horizon server by exploiting the Log4Shell vulnerability, which was discovered in late 2021.

After gaining initial access, the Iran-backed hackers ran commands to stop Windows Defender from scanning the tools they downloaded, then deployed the XMRig cryptocurrency mining tool on the VMware Horizon server.

The attackers then moved laterally across the network and used Mimikatz to harvest credentials and create a domain administrator account.

This account was then used to implant the Ngrok reverse proxy tool - often associated with malicious activity - on multiple hosts to establish persistence and to proxy the attackers' remote desktop protocol (RDP) connections.

“From mid-June through mid-July 2022, CISA conducted an on-site incident response engagement and determined that the organisation was compromised as early as February 2022, by likely Iranian government-sponsored APT actors who installed XMRig crypto mining software,” the advisory read. 

“The threat actors also moved laterally to the domain controller, compromised credentials, and implanted Ngrok reverse proxies.”

Failure to patch?

The discovery of the Log4Shell vulnerability in December 2021 caused major unrest in the cyber security community.

The degree to which enterprise software was vulnerable to the security flaw - the highest estimates were in the region of 90% of all applications - was a particular concern. 

Log4Shell’s discovery came just weeks after CISA introduced its ‘mandatory patch programme’ - a list of the most commonly exploited vulnerabilities that all federal agencies had to patch by a specific deadline.

On 10 December, CISA issued an emergency directive adding Log4Shell to the list of vulnerabilities that had to be patched across all federal agencies, and set a deadline of 24 December for patching the flaw.

IT Pro asked CISA in November 2021, after the first deadline to patch the initial list of known vulnerabilities had passed, whether all federal agencies had successfully patched all flaws by the set deadline. The US’ cyber security agency declined to confirm that all agencies had met that deadline.

“The breach of a US government agency is realistically one of the many breaches that will come to light where threat actors successfully exploit Log4Shell,” said Bob Huber, CSO at Tenable.

“In the coming days, Tenable will release an alert examining the impact of Log4Shell, in which we found that nearly three out of four organisations are still vulnerable to the flaw.

“The reality is that full remediation of Log4Shell is difficult to achieve given its prevalence and the fact that whenever an organisation adds new assets, it could be reintroducing the vulnerability. The best way to thwart attackers is to remain diligent and consistent in remediation efforts.”

One of the initial concerns with Log4Shell was organisations’ ability to detect whether the vulnerable log4j component was present in any of their software products.

Paul Baird, UK chief technical security officer at Qualys, told IT Pro that detection was a challenge for all organisations, and that some may not be able to change the version of the log4j component because doing so may break their application.

“Patching issues like log4j is necessary – all the security experts in the world will tell you to patch immediately or as soon as you can,” said Baird. 

“But you can only patch what you know about, and it is not as easy as just applying a patch - you have to know your infrastructure and have good rollback plans in the event that something goes wrong. A lot of organisations don't have good business continuity plans including backups, so they tend to just add the system to a risk register and accept the risk.

“This is a problem for security teams in the public sector because they are very stretched and there are so many priorities fighting for their attention. However, fixing known problems is the best defence.”
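The inventory problem Baird describes, knowing which of your own artefacts bundle a vulnerable log4j-core, is tractable with a small scanner. The following Python script is an added example and is not code from IT Pro, Qualys or CISA: it walks a directory, opens each JAR/WAR/EAR, recurses into archives nested inside them (fat JARs hide log4j under `BOOT-INF/lib/` and similar paths), reads the log4j-core Maven metadata to find the bundled version, and checks whether the `JndiLookup` class is still present, since deleting that class was a widely used stop-gap and its absence changes the verdict. The version thresholds in `is_vulnerable`, the sample archives built by `build_log4j_core` and `build_fat_jar`, and the placeholder class bytes are constructed assumptions for illustration.

```python
"""Scan JAR/WAR/EAR files, including JARs nested inside them, for a bundled
log4j-core and classify each hit.  Added example, not code from IT Pro, CISA
or Qualys; the version rules and sample archives below are assumptions."""
import io
import os
import re
import zipfile
from typing import Dict, List, Tuple

# Maven metadata carried by a log4j-core JAR; its "version=" line names the release.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class implementing the JNDI lookup abused by CVE-2021-44228; one early
# mitigation was deleting it from the JAR, so its absence matters.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties: str) -> Tuple[int, ...]:
    """Return (major, minor, patch) from a pom.properties body, or () if absent."""
    m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", pom_properties, re.M)
    if not m:
        return ()
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """Simplified rule (assumption): 2.x releases below 2.16.0 are treated as
    affected by the Log4Shell CVEs, except the 2.12.2+ and 2.3.1+ backport fixes."""
    if not version or version[0] != 2:
        return False  # 1.x and 3.x are outside the affected range
    _, minor, patch = (tuple(version) + (0, 0))[:3]
    if (minor, patch) >= (16, 0):
        return False
    if minor == 12 and patch >= 2:  # Java 7 backport branch
        return False
    if minor == 3 and patch >= 1:   # Java 6 backport branch
        return False
    return True


def classify(version: Tuple[int, ...], jndi_present: bool) -> str:
    if not jndi_present:
        return "mitigated"        # lookup class removed: the JNDI path cannot run
    if not version:
        return "unknown-version"  # shaded/repackaged: needs manual review
    return "vulnerable" if is_vulnerable(version) else "patched"


def scan_archive_bytes(data: bytes, label: str, findings: List[Dict]) -> None:
    """Inspect one archive held in memory and recurse into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a ZIP container; nothing to inspect
    with zf:
        names = set(zf.namelist())
        version: Tuple[int, ...] = ()
        if POM_PROPS in names:
            version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
        if POM_PROPS in names or JNDI_CLASS in names:
            findings.append({
                "path": label,
                "version": ".".join(map(str, version)) if version else "unknown",
                "status": classify(version, JNDI_CLASS in names),
            })
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                # "outer.jar!inner.jar" labels the nesting, as Java class loaders do
                scan_archive_bytes(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root: str) -> List[Dict]:
    """Walk a directory tree and scan every archive found in it."""
    findings: List[Dict] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    scan_archive_bytes(fh.read(), path, findings)
    return findings


# Constructed sample archives (stand-ins for real JARs; the class bytes are fake).
def build_log4j_core(version: str, with_jndi: bool = True) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()


def build_fat_jar(inner: bytes, inner_name: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"BOOT-INF/lib/{inner_name}", inner)  # Spring Boot-style nesting
    return buf.getvalue()


def demo() -> List[Dict]:
    findings: List[Dict] = []
    scan_archive_bytes(build_log4j_core("2.14.1"), "app-old.jar", findings)
    scan_archive_bytes(build_log4j_core("2.17.1"), "app-new.jar", findings)
    scan_archive_bytes(build_log4j_core("2.14.1", with_jndi=False), "app-mitigated.jar", findings)
    scan_archive_bytes(build_fat_jar(build_log4j_core("2.15.0"), "log4j-core-2.15.0.jar"),
                       "service.jar", findings)
    return findings


if __name__ == "__main__":
    for f in demo():  # on a real host call scan_tree("/opt") or similar instead
        print(f"{f['status']:15} {f['version']:8} {f['path']}")
```

Two design points matter in practice. Recursing into nested archives is what catches the reintroduction problem Huber raises: a new service built from an old base image ships its own log4j copy, and a filename search for `log4j-core-*.jar` never sees it. And the "unknown-version" status exists because shaded JARs drop the Maven metadata while keeping the lookup class, so a scanner that only reads `pom.properties` silently passes them; those hits are the ones to put on the risk register for manual review rather than accept by default.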
