The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory detailing how state-sponsored Iranian threat actors compromised a federal agency's network by exploiting the infamous Log4Shell vulnerability.
The advisory states that from mid-June through mid-July of this year, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where it observed suspected advanced persistent threat (APT) actor activity.
CISA discovered that threat actors had "exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence."
Log4Shell, tracked as CVE-2021-44228, is a remote code execution vulnerability in the Apache Log4j library that was discovered in December 2021. Exploitation lets a threat actor send a crafted request to a vulnerable system that executes arbitrary code, giving the actor control of the affected system.
In June, CISA released an advisory detailing how malicious cyber actors were continuing to exploit Log4Shell in VMware Horizon systems, coincidentally at the same time CISA was investigating the suspected Iranian APT's activity.
What some might find interesting in this incident is the decision to install cryptomining software. Mike Parkin, a senior technical engineer at Vulcan Cyber, discusses this decision and the Log4Shell exploit:
"The real question here, with deploying crypto mining malware on their targets, is why wouldn't they? State and state-sponsored threat actors acting like common cybercriminal groups isn't uncommon. It helps obfuscate the source of the threat, and, simultaneously, can make them some extra cash from the criminal activity.
One of the expected challenges with Log4Shell was the 'long tail' effect. While most vulnerable systems were patched quickly, there is always a 'long tail' of stragglers that don't get remediated in a timely manner. That means we're likely to see these things for a lot longer than we'd like as people get around to remediating the ones they missed. Unfortunately, that can take months, or even years."
This recent advisory aims to provide organizations and end-users with knowledge of the APT's tactics, techniques, and procedures (TTPs), as well as indicators of compromise (IOCs) to help defend against related compromises.
CISA and the FBI encourage all organizations with affected VMware systems that did not immediately apply patches to assume they have already been compromised and initiate threat hunting activities. The agencies also urge organizations to apply the recommended mitigations.
Incident response and mitigations for Log4Shell
CISA provides an abundance of information in its advisory, including incident response steps, mitigations, and steps to validate security controls.
For incident response, the advisory says that if initial access or compromise is suspected or detected, your organization should assume threat actors have moved laterally and investigate connected systems. It recommends taking four steps before applying any mitigations:
- "Immediately isolate affected systems."
- "Collect and review relevant logs, data, and artifacts. Take a memory capture of the device(s) and a forensic image capture for detailed analysis."
- "Consider soliciting support from a third-party incident response organization that can provide subject matter expertise to ensure the actor is eradicated from the network and to avoid residual issues that could enable follow-on exploitation."
- "Report incidents to CISA via CISA's 24/7 Operations Center (firstname.lastname@example.org or 888-282-0870) or your local FBI field office, or FBI's 24/7 Cyber Watch (CyWatch) at 855-292-3937 or by email at CyWatch@fbi.gov."
CISA also provides seven mitigations that will "improve your organization's cybersecurity posture on the basis of threat actor behaviors." The mitigations are:
- "Install updated builds to ensure affected VMware Horizon and UAG systems are updated to the latest version."
- "Keep all software up to date and prioritize patching known exploited vulnerabilities (KEVs)."
- "Minimize the internet-facing attack surface."
- "Use best practices for identity and access management (IAM)."
- "Audit domain controllers to log successful Kerberos Ticket Granting Service (TGS) requests and ensure the events are monitored for anomalous activity."
- "Create a deny list of known compromised credentials and prevent users from using known-compromised passwords."
- "Secure credentials by restricting where accounts and credentials can be used and by using local device credential protection features."
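The TGS auditing mitigation above says to log successful service ticket requests and watch them for anomalous activity; the following is an added example of what that monitoring logic can look like, not code from the CISA advisory. It runs over constructed records shaped like Windows Security Event ID 4769 fields and flags two patterns an analyst commonly looks for: service tickets issued with RC4 encryption in a domain that should be using AES, and an account requesting many distinct service principal names in a short window. Field names, sample values and thresholds are this example's assumptions.

```python
# Added example: score constructed Windows Security Event ID 4769 (Kerberos
# service ticket requested) records for anomalous TGS activity. Not code from
# the CISA advisory; field names and thresholds are this example's assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # Ticket Encryption Type for RC4; AES-only domains should rarely see it

# Constructed sample records (time, account, service name, etype, status); not real telemetry.
SAMPLE_EVENTS = [
    ("2022-06-20T09:00:01", "jdoe@CORP.EXAMPLE", "HOST/WS01", "0x12", "0x0"),
    ("2022-06-20T09:05:10", "jdoe@CORP.EXAMPLE", "CIFS/FS01", "0x12", "0x0"),
    ("2022-06-20T09:10:00", "tmp.user@CORP.EXAMPLE", "MSSQLSvc/DB01:1433", "0x17", "0x0"),
    ("2022-06-20T09:10:05", "tmp.user@CORP.EXAMPLE", "HTTP/WEB01", "0x17", "0x0"),
    ("2022-06-20T09:10:09", "tmp.user@CORP.EXAMPLE", "CIFS/FS02", "0x17", "0x0"),
    ("2022-06-20T09:10:14", "tmp.user@CORP.EXAMPLE", "LDAP/DC01", "0x17", "0x0"),
    ("2022-06-20T09:10:20", "tmp.user@CORP.EXAMPLE", "HOST/APP01", "0x17", "0x0"),
    ("2022-06-20T09:20:00", "svc-scan@CORP.EXAMPLE", "LDAP/DC01", "0x12", "0x6"),  # failed request, ignored
]


def find_anomalous_tgs(events, burst_threshold=5, window=timedelta(minutes=5)):
    """Return {"rc4": accounts that received RC4 service tickets,
               "burst": accounts requesting >= burst_threshold distinct SPNs within window}.
    Only successful requests (status 0x0) are considered, matching the audit mitigation."""
    rc4_accounts, burst_accounts = set(), set()
    by_account = defaultdict(list)
    for time_str, account, service, etype, status in events:
        if status != "0x0":
            continue
        if etype == RC4_HMAC:
            rc4_accounts.add(account)
        by_account[account].append((datetime.fromisoformat(time_str), service))
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # distinct services requested inside the sliding window that starts here
            spns = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(spns) >= burst_threshold:
                burst_accounts.add(account)
                break
    return {"rc4": rc4_accounts, "burst": burst_accounts}


if __name__ == "__main__":
    for kind, accounts in find_anomalous_tgs(SAMPLE_EVENTS).items():
        print(kind, sorted(accounts))
```

In production the same logic would read 4769 events exported from the domain controllers rather than the constructed list, and the thresholds would be tuned to the domain's normal service ticket volume.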