Iran-backed attackers broke into a civilian US federal agency and installed cryptominers thanks to an unpatched VMware Horizon server still vulnerable to Log4Shell, according to a CISA advisory.
“In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” said the CISA and FBI alert.
The Log4Shell crypto infiltration occurred in mid-June 2022, and persisted until mid-July, according to the agencies.
The claim for the group being Iran-backed was unsupported in the alert, and some commentators questioned that state actors would rush to mine cryptocurrency as their first action after gaining access. According to the alert’s very detailed account, the mining software was installed from the first package downloaded, before Ngrok or Mimikatz.
Google-owned Mandiant suggested the link between the Log4Shell crypto attackers and Iran may be more tenuous than a directly state-controlled group, in a statement attributed to the firm’s VP of threat intelligence, John Hultquist.
"Iran & peers depend on contractors to carry out cyber espionage & attacks. It can be hard to distinguish this activity from the work done at the behest of the state. In some cases the state may ignore the crime to tap capabilities outside the public sector,” tweeted Mandiant, quoting Hultquist.
See also: Log4j DIDN’t result in mass abuse – but VMware Horizon attacks continue
Exploiting vulnerable Log4j instances may not qualify as a particularly advanced skillset, however. Given the vulnerability’s severity, and the US government’s insistence in December 2021 that all government organisations patch it, having an exploitable system six months later seems asking for trouble.
The anonymous agency fallen victim to the Log4Shell crypto breach is far from alone, though – according to Sonatype, between 38-40% of Log4j downloads still contain the Log4Shell vulnerability, with the firm’s CTO Brian Fox suggesting it was “not surprising” to see APT groups making use of it.
“The Advisory should serve as a warning to everyone in the industry, especially those in the federal space, to not lose sight of continuing to find straggling systems with potentially vulnerable versions. That’s why SBOMs and quality software composition analysis solutions are so important–developers and organizations need transparency into every element of their software supply chains for efficient fixes and to stay secure,” Fox told The Stack in a prepared statement.
In a report released last month, Sonatype noted open-source software exploits were on the rise, as use of OSS continues to climb.
