Recently, the FBI and CISA published a joint advisory in which they disclosed an Iranian APT group compromised the Federal Civilian Executive Branch (FCEB) organization network Domain controller by exploiting the Log4Shell RCE flaw (CVE-2021-44228) to deploy XMRig crypto-mining malware and credential Harvester.
An Iranian APT Hacker group bypassed an unpatched VMware Horizon server which allowed them to compromise the federal network and maintained persistence within the network of the FCEB network with the help of reverse proxies.
CVE-2021-44228 (log4Shell) was a zero-day vulnerability in Log4j, a popular Java logging framework involving arbitrary code execution, and affects a wide range of products, including the VMware Horizon.
CISA observed the attackers attempting to dump the Local Security Authority Subsystem Service (LSASS) process with the task manager but this was stopped by additional anti-virus the FCEB organization had installed.
CISA discovered that bidirectional traffic was flowing between the network and an IP address that was known to be malicious. VMware Horizon servers are found to be vulnerable to the Log4Shell vulnerability which is associated with this known malicious IP address.
By exploiting the Log4Shell flaw threat actors installed XMRig crypto miner and then performed the following things:-
There are multiple threat actors, including state-sponsored hacking groups, who are still preying upon VMware Horizon and Unified Access Gateway (UAG) servers by exploiting the Log4Shell vulnerability.
The organization’s VMware server was being accessed via HTTPS from the following IP address:-
However, later it was discovered that the LDAP server IP address had been used by the threat actors to deploy the Log4Shell vulnerability.
“Following HTTPS activity, CISA observed a suspected LDAP callback on port 443 to this IP address. CISA also observed a DNS query for us‐nation‐ny[.]cf that resolved back to 51.89.181[.]64 when the victim server was returning this Log4Shell LDAP callback to the actors’ server.” said in the CISA report.
A remote exploit of Log4Shell can allow attackers to access sensitive information by moving laterally across breached networks that expose vulnerable servers.
There were originally unpatched VMware Horizon servers deployed by the organization that was detected by Iranian APT threat actors as part of an APT attack.
Afterward, the following malicious IP address was used by the threat actors to establish a connection, and this connection lasted for 17.6 seconds:-
In the exploit payloads, the actors added an exclusion rule to Windows Defender, which was run by the following PowerShell command:-
powershell try{Add-MpPreference -ExclusionPath ‘C:\’; Write-Host ‘added-exclusion’} catch {Write-Host ‘adding-exclusion-failed’ }; powershell -enc “$BASE64 encoded payload to download next stage and execute it”
This exclusion rule allowed the listing of the entire drive c:/ on the exclusion list. By using this method, threat actors can download tools without being detected by virus scans to the c:/drive.
Following the download, a file.zip is extracted from 182.54.217[.]2, and once done with that, then from the disk, the mde.ps1 is removed.
Here below we have mentioned the file.zip contents:-
Researchers uncovered that file.zip contained crypto-mining software once the researchers dug deep into the file. The following tools have also been downloaded from a server named transfer[.]sh in a volume of around 30 megabytes.
Here below we have mentioned the tools that are downloaded by the threat actors:-
After Mimikatz was executed on VDI-KMS, a rogue domain administrator account was created based on the credentials that were harvested. In order to propagate the newly created account to a variety of hosts within the network, the actors used RDP.
Here below we have mentioned the domains used by the threat actors:-
In order to gain a foothold in the network, threat actors had to perform the following PowerShell command on Active Directory:-
While the primary purpose of this is to move laterally into the domain controller finally, threat actors have changed the local administrator password as a backup if the rogue domain admin access is detected and terminated.
Here is the complete attack TTPs used by APT hackers in the massive cyber attack.
In order to mitigate the problem, CISA and FBI recommended the following measures:-
Penetration Testing As a Service – Download Red Team & Blue Team Workspace
The Evasive Panda group deployed a new C# framework named CloudScout to target a Taiwanese…
Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals in…
The Ukrainian Cyber Emergency Response Team discovered a targeted phishing campaign launched by UAC-0215 against…
Researchers have identified a network of compromised devices, CovertNetwork-1658, used by Chinese threat actors to…
A security researcher discovered a vulnerability in Windows theme files in the previous year, which…
The ongoing Meta malvertising campaign, active for over a month, employs an evolving strategy to…