Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Government United States

Iranian Hackers Breached Federal Agency Using Log4Shell Exploit (bleepingcomputer.com) 27

An anonymous reader quotes a report from BleepingComputer: The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware. The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell (CVE-2021-44228) remote code execution vulnerability. After deploying the cryptocurrency miner, the Iranian threat actors also set up reverse proxies on compromised servers to maintain persistence within the FCEB agency's network.

"In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence," the joint advisory reads. The two U.S. federal agencies added that all organizations who haven't yet patched their VMware systems against Log4Shell should assume that they've already been breached and advise them to start hunting for malicious activity within their networks.

CISA warned in June that VMware Horizon and Unified Access Gateway (UAG) servers are still being preyed upon by multiple threat actors, including state-sponsored hacking groups, using Log4Shell exploits. Log4Shell can be exploited remotely to target vulnerable servers exposed to local or Internet access to move laterally across breached networks to access internal systems that store sensitive data.

This discussion has been archived. No new comments can be posted.

Iranian Hackers Breached Federal Agency Using Log4Shell Exploit

Comments Filter:
  • Because the first thing I do when penetrating an adversaries intelligence/law enforcement system is to run something that increases the processing load for no good reason and gets them to take a look at it.

  • by anegg ( 1390659 ) on Wednesday November 16, 2022 @07:17PM (#63056924)

    The article doesn't reveal the identify of the executive branch federal agency, but holy cow, they should be ashamed of themselves!

    An exposed VMware server, not properly segmented from the Internet via a firewall, from which a lateral attack could be mounted on an Active Directory domain server? How, in this day and age, did a configuration like that pass muster? What system owner signed off on it? **What government manager is to blame?**

    • You would be surprised how few people even turn on VCSA backups and expect restores of the appliance to work 100% of the time. Slapping VMWare and vSphere on a chunk of notes attached to a NAS is one thing. Properly administrating it with multiple LUNs/shares with DRS is another. Add onto that doing backups "right" so they can be pulled out and tested.

    • Horizon View is their VDI solution. It’s commonly kept open to the internet because it’s a remote access product.

      We’re not talking about vcenter or ESXi.

  • by Joe_Dragon ( 2206452 ) on Wednesday November 16, 2022 @07:39PM (#63056970)

    vmware licensing changes and droping drives for an lot of hardware.
    Really stopped an lot of upgrades.

    • I don't understand why people use VMWare at all, when there are free alternatives available that work fine.

      • Please list these free alternatives for ESXi Server.
          • Please list these free alternatives for ESXi Server.

            https://www.microsoft.com/en-u... [microsoft.com]

            The free version of Hyper-V server is still at 2019 because MS isn't releasing any more free hypervisor versions of Windows. It's not exactly a winning move to use a product whose end-of-line is already announced. Tangentially, Hyper-V requires a Windows computer to manage unless you're cool doing everything in Powershell; there's no WebUI for it.

            I've played around with some of the other alternatives, and I haven't been able to find a viable alternative, either. Oracle makes me scratch my head as they have

  • by RitchCraft ( 6454710 ) on Wednesday November 16, 2022 @07:54PM (#63057000)
    Is it time to bring back those Mickey Mouse drawings from the late 70's proclaiming "Hey Iran!"?
  • Do they seriously expect us to believe this “unnamed Iranian-backed threat group” wouldn't know how to disguise its location.
  • says it all!
  • Most agency CIOs are Senior Executive Service positions (versus regular Civil Service or Political Appointees.) So the agency that manages Govt CIO workforce/positions got hacked? I don't know whether to laugh or cry over that.

He has not acquired a fortune; the fortune has acquired him. -- Bion

Working...