CISA: Iranian APT actors compromised federal network

CISA said Iranian nation-state actors exploited Log4Shell flaws on an unpatched VMware Horizon server before deploying a cryptominer and attempting to gain persistent access.

Iranian nation-state threat actors breached a federal agency's network before deploying malware, including a credential harvester and a cryptocurrency miner, according to a joint advisory released Wednesday by the FBI and the Cybersecurity and Infrastructure Security Agency.

CISA said threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server belonging to an unnamed "Federal Civilian Executive Branch" agency. Log4Shell is a name given to CVE-2021-44228, a critical flaw discovered in Java logging framework Log4j 2 late last year that quickly became one of the worst vulnerabilities in recent memory.

After the threat actors gained access, they installed the XMRig cryptomining software before compromising credentials and taking actions to move laterally and maintain persistence in the network. These actions included using Remote Desktop Protocol (RDP) and a built-in default Windows user account to move across the agency's network, as well as using a PowerShell command that let the threat actors download software without triggering the virus scanner.
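As an added example (not code from the article or from the CISA/FBI advisory), one defender-side check for the lateral-movement pattern described above: flag Windows logon events (4624) of type 10, the RemoteInteractive logon used by RDP, where the account is a built-in default account, and count how many hosts each such account reached. The account list, the `key=value` export format and the sample events are assumptions constructed here.

```python
# Added detection example; not from the article or the advisory.
# Flags RDP logons (Windows event 4624, logon type 10 = RemoteInteractive)
# made with built-in default accounts, the pattern the article describes.
from collections import defaultdict

# Assumption: built-in accounts that should not be used for interactive RDP.
DEFAULT_ACCOUNTS = {"defaultaccount", "guest"}
RDP_LOGON_TYPE = "10"  # RemoteInteractive


def parse_event(line):
    """Parse one 'key=value|key=value' record (constructed export format)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def find_rdp_default_account_logons(lines):
    """Return (host, account, source_ip) for successful RDP logons by default accounts."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue  # only successful RemoteInteractive logons
        if ev.get("TargetUserName", "").lower() in DEFAULT_ACCOUNTS:
            hits.append((ev["Computer"], ev["TargetUserName"], ev.get("IpAddress", "")))
    return hits


def hosts_per_account(hits):
    """Count distinct hosts reached per flagged account; >1 suggests lateral movement."""
    seen = defaultdict(set)
    for host, account, _ in hits:
        seen[account.lower()].add(host)
    return {account: len(hosts) for account, hosts in seen.items()}


# Constructed sample export (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=4624|LogonType=10|TargetUserName=jsmith|Computer=WS01|IpAddress=10.0.0.5",
    "EventID=4624|LogonType=10|TargetUserName=DefaultAccount|Computer=SRV01|IpAddress=10.0.0.7",
    "EventID=4624|LogonType=3|TargetUserName=DefaultAccount|Computer=SRV02|IpAddress=10.0.0.7",
    "EventID=4624|LogonType=10|TargetUserName=DefaultAccount|Computer=SRV03|IpAddress=10.0.0.7",
    "EventID=4625|LogonType=10|TargetUserName=Guest|Computer=SRV03|IpAddress=10.0.0.9",
]

if __name__ == "__main__":
    flagged = find_rdp_default_account_logons(SAMPLE_EVENTS)
    for host, account, ip in flagged:
        print(f"RDP logon by built-in account {account} on {host} from {ip}")
    print(hosts_per_account(flagged))
```

Network (type 3) logons and failed (4625) attempts are deliberately excluded so the rule stays focused on the interactive RDP use the article describes.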

According to the advisory, threat actors compromised the network "as early as February 2022," and incident response was conducted after Einstein, a federal civilian agency-wide intrusion detection system operated by CISA, discovered signs of the advanced persistent threat (APT) activity in April. Incident response investigations were conducted from mid-June to mid-July; ultimately, CISA and the FBI assessed that the compromise likely originated from Iranian APT actors.

TechTarget Security asked CISA for additional comment about the attack, but the agency declined to answer. Instead, it provided an emailed statement from CISA Executive Assistant Director for Cybersecurity Eric Goldstein.

"Today's advisory highlights the importance of continued focus on mitigating known exploited vulnerabilities such as Log4Shell and the need for all organizations to implement effective detections to proactively identify malicious activity before damaging impacts occur," Goldstein said. "While organizations across government and the private sector acted with urgency to mitigate assets running vulnerable versions of Log4j, we know that malicious cyber actors moved quickly to exploit vulnerable assets and continue to do so."

He continued, "The incident described in today's advisory reflects ongoing collaborative efforts between CISA, FBI and federal agencies to both reduce the prevalence of exploitable conditions and to quickly detect and remediate intrusions. All organizations are strongly encouraged to apply recommended mitigations and actions, such as the known exploited vulnerabilities catalog, phishing resistant MFA, and deploying rigorous controls consistent with a zero-trust strategy."

The joint advisory did not say how authorities came to attribute the intrusion to Iranian nation-state hackers. It's also unclear why the threat actors would deploy cryptomining software in a network where they were attempting to establish persistent access, as miners are considered to be easily detectable.

Cryptomining attacks had been increasing this year, as the value of many digital currencies continued to rise. In a report last month, cloud security vendor Sysdig revealed a massive cryptomining operation, dubbed "Purpleurchin," that was abusing free trial accounts on GitHub. Sysdig researchers told TechTarget Security that threat groups, including Vietnamese nation-state group APT32, have used cryptominers as a decoy to distract from other malicious activity.

Asked about the use of a cryptominer, Sophos senior threat researcher Sean Gallagher told TechTarget Security that some APTs utilize financial cybercrime as part of their operations, though he did not speculate about this specific case.

"We frequently see miners co-existing with other malicious activity because the miner has exploited the same vulnerability," he said in an email. "State-motivated actors (including North Korea) have been observed carrying out financially oriented cybercrime as a way to fund other activities. This does not mean that this is the case in this instance."

Alexander Culafi is a writer, journalist and podcaster based in Boston.
