Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
State-supported Iranian cybercriminals are suspected in an incident that led to a breach in a U.S. federal agency’s network. The hackers utilized the Log4Shell vulnerability in an unpatched VMware Horizon server.
The authorities conducted incident response efforts from mid-June through mid-July 2022, but the attack was not still attributed to a certain hacking group.
Since the beginning of the year, Iranian state-sponsored groups have been exploiting for several times Log4j vulnerabilities in VMware Horizon servers.
Details about the Attack
“LogShell, aka CVE-2021-44228, is a critical remote code execution flaw in the widely-used Apache Log4j Java-based logging library. It was addressed by the open-source project maintainers in December 2021”, according to BleepingComputer.
A U.S. Cybersecurity and Infrastructure Security Agency (CISA) report shows that the initial access to the affected organization has been made in February 2022 using the vulnerability to insert a new Windows Defender exclusion rule so that the entire C:\ drive will be allowlisted.
Cyber threat actors (…) installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.
The cybercriminals could bypass the antivirus to deploy a PowerShell script. The script recovered a ZIP file containing XMRig cryptocurrency mining software located on a remote server. Files like PsExec, Mimikatz, and Ngrok were also used, as well as RDP for lateral movement and disabling Windows Defender on all devices.
The infiltration gave hackers the chance to change the password of the admin account on several hosts. While they also unsuccessfully tried to dump the Local Security Authority Subsystem Service (LSASS) process using the Windows Task Manager.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, YouTube, and Instagram for more cybersecurity news and topics.
