Iranian government-sponsored hackers infiltrated an unnamed U.S. government agency’s network earlier this year, taking advantage of the Log4Shell vulnerability to deploy crypto miners and compromise credentials, US cybersecurity officials said Wednesday.
The details, which were shared in Wednesday’s joint advisory by the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), and the FBI, reveal that the hackers broke into an unpatched VMware Horizon server in February, with US security officials responding to the attack in June to clean up the network.
“Cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” the advisory noted.
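One defender-side way to look for the post-exploitation artefacts the advisory names (an XMRig miner and Ngrok reverse proxies across several hosts) is to hunt process-creation telemetry for both binary names and command-line indicators, so that a renamed miner is still caught. The Python below is an added example, not code from the advisory or from SC Media; the event records, host names, file paths, pool address and the indicator patterns themselves are constructed for illustration and would need tuning against real EDR or Sysmon data.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One process-creation event: (host, parent image, image path, command line).
Event = Tuple[str, str, str, str]

# Indicator name, pattern, and the field it is matched against. Patterns are
# illustrative: a miner or tunnel binary may be renamed, so command-line
# indicators (pool URI scheme, tunnel subcommand) are checked as well as names.
INDICATORS = [
    ("xmrig-binary", re.compile(r"(^|[\\/])xmrig(\.exe)?$", re.I), "image"),
    ("mining-pool-uri", re.compile(r"stratum\+(tcp|ssl)://", re.I), "cmdline"),
    ("ngrok-binary", re.compile(r"(^|[\\/])ngrok(\.exe)?$", re.I), "image"),
    ("ngrok-tunnel", re.compile(r"\bngrok\b.*\b(tcp|http)\b", re.I), "cmdline"),
]

# Constructed sample telemetry; host names, paths and the pool address are made up.
SAMPLE_EVENTS: List[Event] = [
    ("horizon01", "java.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c ver"),
    ("horizon01", "java.exe", r"C:\Windows\Temp\xmrig.exe",
     "xmrig.exe -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER"),
    ("dc01", "services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ("dc01", "cmd.exe", r"C:\ProgramData\svchost.exe",
     "svchost.exe -o stratum+tcp://pool.example.invalid:3333"),  # renamed miner
    ("ws07", "cmd.exe", r"C:\Users\Public\ngrok.exe", "ngrok.exe tcp 3389"),
    ("file02", "cmd.exe", r"C:\Users\Public\ngrok.exe", "ngrok.exe tcp 22"),
]


def hunt(events: List[Event]) -> Dict[str, List[Tuple[str, str]]]:
    """Return, per host, the (indicator, image path) pairs that matched."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for host, _parent, image, cmdline in events:
        for name, pattern, field in INDICATORS:
            target = image if field == "image" else cmdline
            if pattern.search(target):
                hits[host].append((name, image))
    return dict(hits)


def tunnel_hosts(hits: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Hosts where an Ngrok indicator fired: the persistence footprint to clean up."""
    return sorted(h for h, found in hits.items()
                  if any(n.startswith("ngrok") for n, _ in found))


def miner_hosts(hits: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Hosts where a miner binary or a mining-pool URI was seen."""
    return sorted(h for h, found in hits.items()
                  if any(n in ("xmrig-binary", "mining-pool-uri") for n, _ in found))


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for host, matches in sorted(found.items()):
        print(host, matches)
    print("tunnel hosts:", tunnel_hosts(found))
    print("miner hosts:", miner_hosts(found))
```

The renamed `svchost.exe` under `C:\ProgramData` is only caught by the command-line indicator, which is why the hunt checks both fields; in practice, correlating the parent process (a Java web server spawning a shell) with these indicators is what turns a miner alert into an intrusion investigation.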
The advisory also warned that organizations that have not patched vulnerable versions of Log4j should assume they have been compromised.
Log4j vulnerability remains a threat to organizations
The attack underscores the enduring presence of the Log4j vulnerability, which made global headlines a year ago and remains an active threat for many organizations, with CISA warning late last year that the flaw could still affect hundreds of millions of devices.
“Log4j is particularly difficult to identify and patch as it may be bundled as a deep dependency in software bought and operated by companies without the resources to find and patch such a vulnerability,” Jamie Boote, software security consultant at Synopsys Software Integrity Group, told SC Media.
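Because log4j-core is often nested inside a WAR or EAR that is itself inside another archive, a file-name search for `log4j-core-*.jar` misses many copies. The Python below is an added example, not code from the article, the advisory or Synopsys: it walks a zip-based archive recursively, reads the Maven `pom.properties` that log4j-core ships with to recover the version, and records whether `JndiLookup.class` (the class the Apache mitigation deletes) is present. The sample WAR it builds in memory is constructed; the 2.15.0 threshold is the first release addressing CVE-2021-44228, so a "not vulnerable" result here means only "not affected by the original flaw", and later releases fixed follow-on issues.

```python
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List, Tuple

# Artefacts that identify a bundled log4j-core. JndiLookup.class is the class the
# Apache mitigation deletes; pom.properties (in Maven-built jars) carries the version.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 15, 0)  # first log4j-core release addressing CVE-2021-44228


@dataclass
class Finding:
    path: str           # nesting path, e.g. "app.war!WEB-INF/lib/log4j-core-2.14.1.jar"
    version: str        # version string from pom.properties, or "unknown"
    jndi_present: bool  # JndiLookup.class exists in this archive
    vulnerable: bool    # version is known and below FIXED_VERSION


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9), which still sorts below 2.15.0."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def _scan(data: bytes, path: str, findings: List[Finding]) -> None:
    """Recursively walk a zip-based archive, descending into nested jars/wars/ears."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container (e.g. a .jar that is really a text file)
    names = set(zf.namelist())
    version = "unknown"
    if POM_PROPERTIES in names:
        props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
        match = re.search(r"^version=(.+)$", props, re.MULTILINE)
        if match:
            version = match.group(1).strip()
    jndi = JNDI_LOOKUP_CLASS in names
    if jndi or version != "unknown":
        vulnerable = version != "unknown" and parse_version(version) < FIXED_VERSION
        findings.append(Finding(path, version, jndi, vulnerable))
    for name in sorted(names):
        if name.lower().endswith(NESTED_SUFFIXES):
            _scan(zf.read(name), f"{path}!{name}", findings)


def scan_bytes(data: bytes, path: str) -> List[Finding]:
    findings: List[Finding] = []
    _scan(data, path, findings)
    return findings


def vulnerable_paths(data: bytes, path: str) -> List[str]:
    return [f.path for f in scan_bytes(data, path) if f.vulnerable]


def _make_jar(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed test artefact (not a real application): a WAR bundling one
    vulnerable log4j-core, one patched log4j-core and one unrelated jar."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic only; the class body is irrelevant here
    vulnerable = _make_jar({
        POM_PROPERTIES: "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
        JNDI_LOOKUP_CLASS: magic,
    })
    patched = _make_jar({
        POM_PROPERTIES: "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.17.1\n",
        JNDI_LOOKUP_CLASS: magic,
    })
    unrelated = _make_jar({"com/example/App.class": magic})
    return _make_jar({
        "WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable,
        "WEB-INF/lib/log4j-core-2.17.1.jar": patched,
        "WEB-INF/lib/app.jar": unrelated,
    })


if __name__ == "__main__":
    for finding in scan_bytes(build_sample_war(), "app.war"):
        print(finding)
```

To run this over a real deployment, read each `.jar`, `.war` and `.ear` under the application directory with `scan_bytes(open(p, "rb").read(), p)`; shaded or repackaged jars that drop `pom.properties` will show up as version "unknown" with `jndi_present=True`, which is exactly the case that deserves a manual look rather than a clean bill of health.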
But federal agencies were supposed to enumerate all of their software assets against a CISA-managed GitHub repository of software known to be affected by the bug and prioritize patching as part of an emergency Binding Operational Directive that CISA issued to civilian federal agencies last year. The vulnerability was later incorporated into the agency's Known Exploited Vulnerabilities database, a rolling list of vulnerabilities that civilian federal agencies must identify and patch within two weeks.
SC Media has reached out to CISA with questions about why the vulnerable software was not identified and remediated by the agency as part of that order. CISA did not directly answer the question.
"While organizations across government and the private sector acted with urgency to mitigate assets running vulnerable versions of Log4j, we know that malicious cyber actors moved quickly to exploit vulnerable assets and continue to do so. The incident described in the advisory reflects ongoing collaborative efforts between CISA, FBI, and federal agencies to both reduce the prevalence of exploitable conditions and to quickly detect and remediate intrusions," Eric Goldstein, executive assistant director for cybersecurity at CISA, told SC Media in an email.
A day after the hack was revealed by CISA, Sen. Rob Portman, R-Ohio, outgoing ranking Republican on the Senate Homeland Security and Governmental Affairs Committee, questioned DHS Secretary Alejandro Mayorkas in a hearing about the identity of the compromised federal agency and sought assurances that the threat actors had been removed from the network. In both instances, Mayorkas declined to provide an answer, saying he would need to consult with other DHS officials to ensure he would not be compromising any security interests by disclosing that information.
Congress is working to pass an updated version of the Federal Information Security Modernization Act that would require agencies to report major cyber incidents to Congress. When asked if the intrusion disclosed Wednesday would be considered a major incident under the new language, Mayorkas responded "I believe so."
The hack revealed Wednesday shows that organizations, including federal agencies, fail to maintain robust vulnerability management processes, said Nic Finn, threat intelligence consultant at GuidePoint Security.
“There are over 13,000 U.S.-based servers hosting VMware Horizon, according to Shodan data. It is a trivial process for an actor with Nemesis Kitten’s resources to attempt to exploit this vulnerability against those servers. Even a 1% vulnerability rate still indicates 130 vulnerable servers,” Finn told SC Media.
'Icing on the cake'
According to CISA, there is evidence that the threat actors both sought to harvest credentials and deployed XMRig, a popular piece of cryptocurrency mining malware.
An APT using access to a federal agency’s network to deploy crypto-mining software is odd, but hackers may use it to obfuscate other criminal activities, such as data harvesting and espionage, said Bryan Ware, CEO at LookingGlass and former assistant director for cybersecurity at CISA.
“Mining crypto on the way out could serve as icing on the cake – a secondary objective after the real damage is done. It is also possible the crypto miner was already present and was not associated with this event at all,” Ware told SC Media in an email.
However, Chris Gray, AVP of security strategy at Deepwatch, told SC Media that it is not surprising for hackers to deploy a miner in this case, due to the low cost and high returns of cryptojacking.
“Why not make some cash at someone else’s cost when it only costs a few moments of effort?” Gray said.
According to recent research by Kaspersky, there is an increase in the share of hidden mining software distributed through well-known vulnerabilities this year, with nearly 1 in 7 attacks exploiting such vulnerabilities being accompanied by miner infections. And in Q3, miners became even more widespread than backdoors.
It is possible that the deployment of XMRig was carried out by a separate actor. Security researchers sometimes point out that the presence of a cryptominer on victim networks can often function as a canary in a coal mine, indicating that a vulnerability may have been broadly known and exploited by multiple threat actors and for multiple purposes.
John Hultquist, head of intelligence analysis at Google-owned threat intelligence firm Mandiant, said in a statement sent to SC Media that Iran, like many states, has a history of tapping financially motivated hacking groups as contractors for state-based operations, and that the threat actor in this case may have been moonlighting on behalf of the Iranian government. In follow-up comments to the Washington Post, Hultquist also expressed hesitance to validate that Nemesis Kitten was behind the use of the cryptominer.
Nemesis Kitten, tracked as DEV-0270, conducts malicious attacks, including widespread vulnerability scanning, on behalf of the Iranian government, according to the Microsoft security team. Microsoft noted that the group might also carry out ransomware attacks for financial gains.
“Nemesis Kitten is a subgroup of the Phosphorus Iranian malware group. It appears that their common approach is to utilize well-known and often highly exploitable vulnerabilities, [such as] Log4j, [along with] Windows Exchange servers and Fortinet systems to facilitate ransomware attacks against their victims,” Karl Steinkamp, director of delivery transformation and automation at Coalfire, said.
Steinkamp told SC Media that he is “hesitant to assign attribution” for the attack to Nemesis Kitten at this time.