Iranian Hackers Compromised a U.S. Federal Agency’s Network Using Log4Shell Exploit


Iranian government-sponsored threat actors have been blamed for compromising a U.S. federal agency by exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server.

The details, which were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), come from incident response efforts undertaken by the agency from mid-June through mid-July 2022.

“Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” CISA noted.

Log4Shell, aka CVE-2021-44228, is a critical remote code execution flaw in the widely used Apache Log4j Java-based logging library. It was addressed by the open source project maintainers in December 2021.

The latest development marks the continued abuse of the Log4j vulnerabilities in VMware Horizon servers by Iranian state-sponsored groups since the start of the year. CISA did not attribute the event to a specific hacking group.

However, a joint advisory released by Australia, Canada, the U.K., and the U.S. in September 2022 pointed fingers at Iran’s Islamic Revolutionary Guard Corps (IRGC) for leveraging the shortcoming to carry out post-exploitation activities.

The affected organization, per CISA, is believed to have been breached as early as February 2022 by weaponizing the vulnerability to add a new exclusion rule to Windows Defender that allowlisted the entire C: drive.

Doing so made it possible for the adversary to download a PowerShell script without triggering any antivirus scans, which, in turn, retrieved the XMRig cryptocurrency mining software hosted on a remote server in the form of a ZIP archive file.
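The drive-wide Defender exclusion described above is straightforward to audit on a host. The following is an added example written for this article, not code from CISA or from the advisory: it flags any exclusion path that covers a whole drive root, reports whether real-time monitoring has been switched off, and pulls the Defender configuration-change events (Event ID 5007) that record when exclusions were added. It assumes an elevated PowerShell session on a Windows host with Microsoft Defender installed; the helper function names are my own.

```powershell
# Added example: audit Microsoft Defender for the over-broad exclusion pattern
# described in the article (an entire drive root allowlisted) and list the
# configuration-change events that record exclusion changes. Run elevated.

function Test-BroadDefenderExclusion {
    param([string]$Path)
    # A bare drive root ("C:", "C:\") or a wildcard root ("C:\*") excludes everything
    return $Path -match '^[A-Za-z]:\\?(\*)?$'
}

function Get-BroadDefenderExclusions {
    $pref = Get-MpPreference
    $findings = @()
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and (Test-BroadDefenderExclusion $p)) { $findings += $p }
    }
    [pscustomobject]@{
        BroadExclusions            = $findings
        RealtimeMonitoringDisabled = [bool]$pref.DisableRealtimeMonitoring
    }
}

# Event ID 5007 in the Defender operational log records configuration changes,
# including exclusion paths added through Add-MpPreference or the registry.
function Get-DefenderExclusionChanges {
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        Select-Object TimeCreated, Message
}

$audit = Get-BroadDefenderExclusions
if ($audit.BroadExclusions.Count -gt 0 -or $audit.RealtimeMonitoringDisabled) {
    Write-Warning ("Defender weakened: broad exclusions = [{0}]; real-time monitoring disabled = {1}" -f
        ($audit.BroadExclusions -join ', '), $audit.RealtimeMonitoringDisabled)
}
Get-DefenderExclusionChanges -Days 30 | Format-Table -AutoSize -Wrap
```

Any hit from the first check, or a 5007 event adding a root-level path that no change ticket explains, is worth treating as an incident indicator rather than a misconfiguration.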

The initial access further allowed the actors to fetch additional payloads such as PsExec, Mimikatz, and Ngrok, in addition to using RDP for lateral movement and disabling Windows Defender on the endpoints.

“The threat actors also changed the password for the local administrator account on several hosts as a backup should the rogue domain administrator account get detected and terminated,” CISA noted.

Also detected was an unsuccessful attempt at dumping the Local Security Authority Subsystem Service (LSASS) process using the Windows Task Manager, which was blocked by the antivirus solution deployed in the IT environment.

Microsoft, in a report last month, revealed that cybercriminals are targeting credentials in the LSASS process owing to the fact that it “can store not only a current user’s OS credentials but also a domain admin’s.”

“Dumping LSASS credentials is important for attackers because if they successfully dump domain passwords, they can, for example, then use legitimate tools such as PsExec or Windows Management Instrumentation (WMI) to move laterally across the network,” the tech giant said.
