U.S. Federal Network Hacked – Iranian APT Hackers Compromised Domain Controller

Recently, the FBI and CISA published a joint advisory in which they disclosed an Iranian APT group compromised the Federal Civilian Executive Branch (FCEB) organization network Domain controller by exploiting the Log4Shell RCE flaw (CVE-2021-44228) to deploy XMRig crypto-mining malware and credential Harvester.

An Iranian APT Hacker group bypassed an unpatched VMware Horizon server which allowed them to compromise the federal network and maintained persistence within the network of the FCEB network with the help of reverse proxies.

CVE-2021-44228 (log4Shell) was a zero-day vulnerability in Log4j, a popular Java logging framework involving arbitrary code execution, and affects a wide range of products, including the VMware Horizon.

CISA observed the attackers attempting to dump the Local Security Authority Subsystem Service (LSASS) process with the task manager but this was stopped by additional anti-virus the FCEB organization had installed.

Exploiting Log4Shell Flaw

CISA discovered that bidirectional traffic was flowing between the network and an IP address that was known to be malicious. VMware Horizon servers are found to be vulnerable to the Log4Shell vulnerability which is associated with this known malicious IP address.

By exploiting the Log4Shell flaw threat actors installed XMRig crypto miner and then performed the following things:-

• Laterally moved to the domain controller (DC)
• Compromised credentials
• Installed Ngrok reverse proxies

There are multiple threat actors, including state-sponsored hacking groups, who are still preying upon VMware Horizon and Unified Access Gateway (UAG) servers by exploiting the Log4Shell vulnerability.

The organization’s VMware server was being accessed via HTTPS from the following IP address:-

• 51.89.181[.]64

However, later it was discovered that the LDAP server IP address had been used by the threat actors to deploy the Log4Shell vulnerability.

“Following HTTPS activity, CISA observed a suspected LDAP callback on port 443 to this IP address. CISA also observed a DNS query for us‐nation‐ny[.]cf that resolved back to 51.89.181[.]64 when the victim server was returning this Log4Shell LDAP callback to the actors’ server.” said in the CISA report.

A remote exploit of Log4Shell can allow attackers to access sensitive information by moving laterally across breached networks that expose vulnerable servers.

Technical Analysis

There were originally unpatched VMware Horizon servers deployed by the organization that was detected by Iranian APT threat actors as part of an APT attack. 

Afterward, the following malicious IP address was used by the threat actors to establish a connection, and this connection lasted for 17.6 seconds:-

• 182.54.217[.]2

In the exploit payloads, the actors added an exclusion rule to Windows Defender, which was run by the following PowerShell command:-

powershell try{Add-MpPreference -ExclusionPath ‘C:\’; Write-Host ‘added-exclusion’} catch {Write-Host ‘adding-exclusion-failed’ }; powershell -enc “$BASE64 encoded payload to download next stage and execute it”

This exclusion rule allowed the listing of the entire drive c:/ on the exclusion list. By using this method, threat actors can download tools without being detected by virus scans to the c:/drive.

Following the download, a file.zip is extracted from 182.54.217[.]2, and once done with that, then from the disk, the mde.ps1 is removed.

Here below we have mentioned the file.zip contents:-

• WinRing0x64.sys
• wuacltservice.exe
• config.json
• RuntimeBroker.exe

Researchers uncovered that file.zip contained crypto-mining software once the researchers dug deep into the file. The following tools have also been downloaded from a server named transfer[.]sh in a volume of around 30 megabytes.

Here below we have mentioned the tools that are downloaded by the threat actors:-

• PsExec: A Microsoft signed tool for system administrators.
• Mimikatz: A credential theft tool.
• Ngrok: A reverse proxy tool for proxying an internal service out onto a Ngrok domain.

After Mimikatz was executed on VDI-KMS, a rogue domain administrator account was created based on the credentials that were harvested. In order to propagate the newly created account to a variety of hosts within the network, the actors used RDP.

Here below we have mentioned the domains used by the threat actors:-

• tunnel.us.ngrok[.]com
• korgn.su.lennut[.]com
• *.ngrok[.]com
• *.ngrok[.]io
• ngrok.*.tunnel[.]com
• korgn.*.lennut[.]com

In order to gain a foothold in the network, threat actors had to perform the following PowerShell command on Active Directory:- 

• Powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address >

While the primary purpose of this is to move laterally into the domain controller finally, threat actors have changed the local administrator password as a backup if the rogue domain admin access is detected and terminated.

Threat Actor Tactics and Techniques

Here is the complete attack TTPs used by APT hackers in the massive cyber attack.

• Initial Access – Exploit Public – Facing Application – Actors exploited the Log4Shell bug on the VMware Horizon server
• Execution – PowerShell, a Command and Scripting Interpreter – actors executed PowerShell on the AD to obtain a list of machines on the domain.
• Persistence – Account Manipulation, Create Account: Local Account, Create Account: Domain Account, Scheduled Task/Job: Scheduled Task.
• Evasion Detection – Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion.
• Credential Access – OS Credential Dumping: LSASS Memory, Credentials from Password Stores.
• Discovery – Remote System Discovery – PowerShell command on the AD to obtain a list of all machines.
• Lateral Movement – Remote Services: Remote Desktop Protocol to gain access to multiple hosts on the network.
• Command and Control – Ngrok to proxy RDP connections and to perform command and control.
• Ingress Tool Transfer – downloaded malware and multiple tools to the network, including PsExec, Mimikatz, and Ngrok.

Mitigations

In order to mitigate the problem, CISA and FBI recommended the following measures:-

• To ensure that all affected VMware Horizon and UAG systems have been updated to the most up-to-date version, install updated builds.
• Updating all your software on a regular basis is essential.
• Make sure that there is as little attack surface as possible facing the internet.
• In order to manage identity and access effectively, it is important to follow best practices.
• Ensure that domain controllers are audited to ensure that they are logging.
• Identify all credentials that have been compromised and create a deny list for them.
• Make sure that credentials are secured by restricting the use of accounts and credentials in certain places.

Validate Security Controls:

1. Select an ATT&CK technique described in this advisory (see table 1).
2. Align your security technologies against the technique.
3. Test your technologies against the technique.
4. Analyze your detection and prevention technologies’ performance.
5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

Penetration Testing As a Service – Download Red Team & Blue Team Workspace