The Cybersecurity and Infrastructure Security Agency (CISA) said Iranian hackers breached a federal agency that failed to patch the Log4Shell vulnerability and deployed a crypto miner. The Log4Shell vulnerability (CVE-2021-44228) is a critical remote code execution flaw in Apache’s Log4j logging library, which is popular with Java developers.
The breach, which occurred as early as February 2022, impacted an unnamed federal civilian executive branch (FCEB) organization. However, the Washington Post identified the breached federal agency as the U.S. Merit Systems Protection Board, according to people familiar with the incident.
Iranian hackers installed XMRig crypto miner on federal systems
CISA discovered the intrusion in April while conducting a network-wide analysis using the intrusion detection system Einstein. The security agency discovered “bi-directional traffic between the network and a known malicious IP address associated with exploitation of the Log4Shell vulnerability.”
Subsequently, CISA conducted “an incident response engagement” from mid-June through mid-July 2022, and discovered “suspected advanced persistent threat activity.”
Once inside, the Iranian hackers deployed the open-source XMRig crypto miner, which is popular with hackers for earning virtual currency using the victim’s computing resources. CISA’s analysis identified several files associated with the XMRig crypto miner, such as WinRing0x64.sys, the XMRig Miner driver, and wuacltservice.exe, the crypto miner service.
The response team also identified another file, RuntimeBroker.exe, associated with the crypto miner that could create a local user account and check for internet connectivity.
“Cyber threat actors exploited the log4shell vulnerability in an unpatched VMware Horizon Server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” the report noted.
The Iranian hackers also changed the password for local administrator accounts on several hosts as a backup access method should their access to the compromised systems get terminated. Further, they attempted to dump the Local Security Authority Subsystem Service (LSASS) process using the Windows task manager but were blocked by antivirus software. According to Microsoft, threat actors targeted LSASS because it stores both local and domain administrators’ passwords. Thus, they could dump the credentials using legitimate tools such as PsExec or Windows Management Instrumentation (WMI) without triggering suspicion.
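A defender-side illustration of the indicators the report describes, added here as an example that is not from CISA’s advisory or the article: a small Python detector that flags the named XMRig artifacts, a RuntimeBroker.exe running outside System32, an ngrok binary, and non-allowlisted access to LSASS, run over constructed event lines in an assumed key=value format (the allowlist and the event format are assumptions).

```python
from typing import Dict, List, Tuple

# Constructed sample events (assumed key=value format, not a real Sysmon export).
SAMPLE_EVENTS = [
    r"type=ProcessCreate image=C:\Windows\System32\RuntimeBroker.exe parent=svchost.exe",
    r"type=ProcessCreate image=C:\Users\Public\RuntimeBroker.exe parent=cmd.exe",
    r"type=ProcessCreate image=C:\ProgramData\wuacltservice.exe parent=services.exe",
    r"type=DriverLoad image=C:\Windows\Temp\WinRing0x64.sys parent=-",
    r"type=ProcessCreate image=C:\Users\Public\ngrok.exe parent=powershell.exe",
    r"type=ProcessAccess image=C:\Windows\System32\Taskmgr.exe target=C:\Windows\System32\lsass.exe",
    r"type=ProcessAccess image=C:\Windows\System32\csrss.exe target=C:\Windows\System32\lsass.exe",
]

# File names CISA tied to the XMRig deployment in the report.
MINER_ARTIFACTS = {"winring0x64.sys", "wuacltservice.exe"}
# Processes that routinely open lsass.exe; an assumed allowlist, tune it per environment.
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe"}
SYSTEM32 = r"c:\windows\system32"

def parse_event(line: str) -> Dict[str, str]:
    """Split 'key=value' tokens; values contain no spaces in this format."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def split_path(path: str) -> Tuple[str, str]:
    """Return (directory, file name) of a Windows path, both lower-cased."""
    directory, _, name = path.lower().rpartition("\\")
    return directory, name

def detect(events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, raw_line) for every event that matches a rule."""
    hits = []
    for line in events:
        ev = parse_event(line)
        directory, name = split_path(ev.get("image", ""))
        if name in MINER_ARTIFACTS:
            hits.append(("xmrig_artifact", line))
        # The genuine RuntimeBroker.exe lives in System32; a copy elsewhere
        # is a name masquerade like the miner helper CISA described.
        elif name == "runtimebroker.exe" and directory != SYSTEM32:
            hits.append(("runtimebroker_masquerade", line))
        elif name.startswith("ngrok"):
            hits.append(("ngrok_reverse_proxy", line))
        elif ev.get("type") == "ProcessAccess":
            _, target = split_path(ev.get("target", ""))
            # Any non-allowlisted process opening LSASS (Task Manager here)
            # matches the blocked credential-dump attempt in the report.
            if target == "lsass.exe" and name not in LSASS_ALLOWLIST:
                hits.append(("lsass_access", line))
    return hits
```

Running `detect(SAMPLE_EVENTS)` yields five hits and leaves the legitimate System32 RuntimeBroker.exe and csrss.exe events alone.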
Although the Iranian hackers installed a crypto miner, earning virtual currency was likely a secondary motive after cyber espionage. Christopher Hallenbeck, Chief Information Security Officer, Americas at Tanium, believes that the crypto miner was no surprise: “A nation-state attacker might engage in financially motivated hacking as a way to augment their operations and maintain funding, especially when faced with economic uncertainty and other financial sanctions.”
“North Korean hackers have previously been reported as having been involved in large-scale funds transfer thefts, so reporting of Iranian state-backed hackers doing similar is unsurprising,” noted Hallenbeck.
Mike Parkin, Senior Technical Engineer at Vulcan Cyber thinks that deploying the crypto miner was an added bonus and a disguise for criminal activity.
“The real question here, with deploying crypto mining malware on their targets, is why wouldn’t they? State and State Sponsored threat actors acting like common cybercriminal groups isn’t uncommon. It helps obfuscate the source of the threat, and, simultaneously, can make them some extra cash from the criminal activity.”
Similarly, Karl Steinkamp, Director of Delivery Transformation and Automation at Coalfire believes installing the crypto miner was not unusual for nation-state actors.
“It would not be atypical for malicious individuals/groups to have bundled the XMRig, a flexible and lightweight crypto miner, with other exploits and persistent threat mechanisms.”
Iranian hackers exploited unpatched Log4Shell vulnerability on the VMware Horizon server
According to the joint advisory by CISA and the FBI, the suspected Iranian government-sponsored hackers exploited an unpatched Log4Shell vulnerability in the logging library that affected VMware’s Horizon server.
VMware released patches for the Log4Shell vulnerability in December 2021, and the Log4j maintainers patched the library in the same month. Additionally, CISA had directed all federal civilian agencies to patch their systems by December 23 and published a tool to help organizations detect the Log4Shell vulnerability in their systems.
Security experts had warned that the Log4Shell vulnerability would be exploited for years to come. According to CISA, organizations that have not patched the vulnerability should consider themselves breached.
“When Log4Shell initially was announced, most security practitioners knew this would be a long-lived issue given how many places the vulnerable software was embedded, along with the difficulty in identifying its presence,” Hallenbeck said. “Looking ahead, we can expect to continue to see reports like this exploiting not just Log4Shell but other as yet unknown vulnerabilities hidden within a Software Bill Of Materials (SBOM). The challenge has been so great that the government is moving forward with a plan to require an SBOM be created for all software deployed on federal systems.”